- In brief
- I. General
- II. Content
- III. Opinion of the FDPIC
- IV. Self-Regulation under Art. 40 GDPR
- Bibliography
- Materials
In brief
Codes of conduct are rules of behavior drawn up by professional, industry and business associations. They have become established in the business world as part of "good corporate governance" and are now to be extended to data privacy. The requirements and provisions of data protection law are specified in sector-specific terms by codes of conduct. Federal bodies and private associations are free to draw up their own codes of conduct.
The codes of conduct may be submitted to the FDPIC. The FDPIC checks the compatibility of the codes with the FADP. Submission is only mandatory if the code is to be used as justification for a data export under Art. 12 FADP. However, it is generally recommended for reasons of due diligence and liability.
Art. 11 can be compared to Art. 40 GDPR, where the requirements and legal consequences of codes of conduct or "rules of conduct" (Art. 40 GDPR) are similar. The codes established pursuant to Art. 40 GDPR thus provide a good point of reference for a possible implementation in Switzerland. If approval of the code for the European Union is desired, its requirements are authoritative.
Furthermore, the creation of codes of conduct promotes the internationalization of companies and the standardization of data protection within individual industries. Codes of conduct have been introduced on an international economic level for some time and support transnational, uniform and efficient corporate management. A code of conduct may therefore enable a company to meet international, legal and industry-specific requirements.
I. General
A. History of origins
1. Codes of Conduct in the Company
1 One of the key objectives of the total revision of the FADP was to expand and promote aspects of self-regulation. While Art. 11 of the former FADP (aDSG) only provided for a certification procedure (n. 22 f.), the revised FADP (nDSG) supplements this with the instrument of codes of conduct. These are intended to enable associations to concretize the data protection legislation autonomously, according to their needs. The code of conduct introduces an economic and corporate concept ("code of conduct") into data protection law. As part of the compliance culture and "corporate governance", codes of conduct have been widespread in companies for some time. Now they are provided for and defined by law to support, concretize and guide data protection management systems.
2. Best practices
2 The BBl 2017 mentions so-called "best practices" for the implementation of data protection within the company. "Best practices" have long been common in the corporate governance environment and describe various models or methods for systematically optimizing procedures, processes or practices within the company itself. A procedure is standardized in order to achieve the optimal business process. The concept of "good practice" is also explicitly mentioned in Art. 5 para. 1 lit. g FADP, according to which the FDPIC itself should develop working tools to ensure compliance.
3 Best practices are also represented internationally; in Art. 4 para. 3 of the Ordinance on Data Protection Certifications (VDSZ), reference is made to existing international standards, which are laid down as a benchmark for functioning data protection management systems. Indirectly, reference is also made here to good practice and codes of conduct. New Zealand and Argentina also refer to codes of conduct as best practices.
4 In Switzerland, too, there was a discussion in the consultation as to whether the FDPIC should itself issue data protection best practices, since the FDPIC has the task of advising federal bodies and private individuals and, in this context, also providing them with guidelines and working tools. These guidelines in the sense of best practices would thus also have influenced codes of conduct. Art. 58 para. 1 lit. g FADP can also be understood as a competence to develop guidelines that are similar to codes of conduct.
5 In the consultation, the business community in particular criticized that the FDPIC would exceed its executive powers, since such guidelines indirectly have an effect similar to that of a law. Therefore, it was finally decided not to grant the FDPIC these additional competences. Instead, the self-regulatory, individualized measures of the codes of conduct, which met with broad approval in the consultation, will be relied upon. "Best practices" can then be recorded in the code of conduct itself.
B. Norm Purpose
6 The purpose of the norm and the goal of the legislator is to create a framework of orientation and legal certainty for stakeholders and business associations. Through a self-regulatory measure, an association can concretize data protection requirements and flexibly adapt them to new data protection developments.
1. Promoting Data Protection Compliance
7 Codes of conduct are intended to promote data privacy compliance on two levels: on the first level, they provide a framework that creates legal certainty for various groups and trade associations. Data protection measures can now be regulated in a uniform manner. Autonomous concretization also offers opportunities for profession-specific adjustments and flexibility in the face of data protection developments. The latter, in particular, is likely to prove especially important as technological progress takes hold at breakneck speed. Of course, with these freedoms, the requirements of the FADP itself must always be observed and complied with. In this way, the new Data Protection Act can be better implemented in the long term. The addressees are to be encouraged to behave in accordance with the law.
8 On a second level, the law represents a relief for the FDPIC. It is becoming apparent that the adoption of codes by data controllers will lead to a standardization of data protection guidelines in the individual sectors. The FDPIC can base any audit of a controller on the code that has already been approved and only has to check whether it is being complied with. A potentially time-consuming search and compilation of data protection regulations scattered in regulations and statutes is now no longer necessary. The admissibility checks for data privacy compliance are no longer selective and case-by-case, but are based on a uniform set of rules defined by a code of conduct.
2. Regulated self-regulation
9 In the context of digitalization and global networking, intermediary service providers and network operators are gaining ever greater influence over the collection and processing of personal data. In addition, legislators are generally only able to react to a particular technology after it has become socially and legally relevant.
10 "Regulated self-regulation" now builds a bridge between state legal norms (so-called "hard law") and private-law, sector-specific guidelines. Codes of conduct offer a prime example here. On the one hand, codes of conduct are provided for by law and their submission has certain legal consequences (n. 30 f.); on the other hand, the legislator gives associations considerable leeway as to how they wish to draw them up, tailored to their own environment. The example of the data protection code of the German Insurance Association, which is based on the analogous regulation of the GDPR, illustrates how this is specifically designed in practice. It sets out rules for handling personal data in typical insurance activities such as statistics, rate calculation and premium calculation. The rules for passing on data to various industry-specific categories of persons, such as reinsurers, intermediaries, competitors, etc., are also defined in more detail. In the case of the processing of creditworthiness data, on the other hand, reference is made to the law without issuing any further regulations.
11 Within the framework provided by law, the associations and federal bodies are free to orient themselves and regulate on an industry-specific basis. Knowledge and awareness of data protection are growing within the company. Contextualized, precise codes of conduct lead to greater legal certainty. Specified standards should also meet with greater understanding and approval in the respective industry. Providing companies with such practice-oriented measures is essential for contemporary, dynamic and, above all, compliant data protection law.
II. Content
A. Code of Conduct
1. A Code of Conduct in General
12 A code of conduct is a formal document containing a set of standards. Its purpose is to define in concrete terms the behavior that is desirable in a company. It is well respected, is considered an important pillar of good corporate governance and has become an indispensable part of the corporate culture.
13 However, a code of conduct is not part of a mandatory legal system. Companies decide for themselves whether or not they wish to adhere to a code of conduct. It is a voluntary commitment. Once the company has made a commitment, the code is in principle binding. It is up to the association to decide how and whether to enforce compliance with its code. The purpose of such a code is to guide the behavior of employees and managers, both within the company and toward outside third parties. This is achieved by standardizing and systematizing everyday actions and norms of behavior within and outside the company.
14 In this way, a code of conduct protects the company both internally and externally. Externally, employees are protected in their decisions and the company can better protect itself from external attacks by being able to demonstrate legal conformity, compliance and diligence through the code of conduct. Internally, a code of conduct contributes to a healthy, supportive corporate culture by setting standards, for example in the area of communication, to which employees must adhere. This strengthens trust among employees.
15 For the creation of a code of conduct in general, it is helpful to be guided by guiding questions. In particular, the following points should be clarified:
- How must I behave?
- What am I allowed to do and what is prohibited?
- When must I intervene in the behavior of a third party?
- Who is my contact person if I have questions, doubts or uncertainties?
- What happens if I violate the Code of Conduct?
16 The regulated points provide employees themselves with important information on desired behavior. It is therefore important to formulate a code of conduct clearly and comprehensibly and to adapt it to the company. The focus of the corresponding behavioral requirements is also the company- or industry-specific risks of the individual company. A valid code of conduct is regularly updated and confirmed by the management.
2. Codes of conduct in data protection
17 Data privacy codes of conduct refer to the standards of the FADP, expand on them and adapt them specifically to the industry concerned. These include, for example, sample templates for data protection declarations, high-risk data processing in the company or guidance on the correct anonymization of data. The following is a list of guiding questions on possible areas of regulation. These questions are neither conclusive nor mandatory. However, they provide an overview of what should be included in a data protection-specific code of conduct.
- Is the data I am processing accurate?
- Who is affected in this data processing?
- What personal data is being collected?
- Which data is particularly risky?
- Can data encryption be adequately ensured?
- Do the data subjects have a right to information?
- Does the company have technical and organizational data protection measures in place?
- Requirements for the transfer of personal data abroad and the guarantee of Swiss data protection law safeguards
- Procedural modalities in the event of a conflict between data subjects and data controllers.
18 Such guiding questions can serve as a starting point for associations. However, in order to meet the individual requirements in a particular industry, more detailed explanations and careful documentation and reflection on the data collected on a day-to-day basis in that industry are needed. The needs of the companies belonging to the association, i.e. employees, shareholders, customers, etc., must be taken into consideration.
3. Concretization and self-regulation
19 The code of conduct pursuant to Art. 11 FADP thus applies the norms of the Data Protection Act to a specific situation. General formulations are concretized, made more precise and also made comprehensible to employees.
20 It must be at least as strict as the FADP and may at most add stricter, industry-specific requirements. The association itself shall make any clarifications. This is intended to promote self-regulation and personal responsibility. State intervention is to be minimized. Furthermore, self-regulatory autonomy promotes a sense of responsibility on the part of those responsible.
21 The state should not actively intervene in the activities of individual industries or other associations, but leave it to them to flesh out the general clauses of the FADP according to their needs. This leads to clarity about the legal situation and precise formulations.
B. Distinction from certification
22 Article 13 FADP introduces data protection certifications that demonstrate the data protection compliance of a company's systems, products and services. The certification bodies act independently here within the framework of the instructions of the FDPIC. Thus, in contrast to the codes of conduct, the FDPIC does not itself carry out the review, but only exerts an indirect influence by issuing regulations on the recognition of a certification (Art. 13 FADP). The VDSZ, which elaborates and specifies the requirements for certification bodies, serves as a guide.
23 Data protection certifications serve to selectively evaluate the data protection conformity of a system or individual processing operations. Codes of conduct, on the other hand, describe all or most of the specifications of a company's processing activities, or how they should be handled on an industry-specific basis. In other words, codes of conduct provide a general framework of guidance, while data protection certifications confirm the compliance of an individual operation. Certifications are critical to implementing data privacy compliance in practice. While codes of conduct define the desired behavior analogous to the law in theory, certification serves as an instrument in the implementation of the rules in everyday life.
24 Certifications and a code of conduct are therefore by no means mutually exclusive. It would therefore seem to be expedient for a company to obtain selective data protection certifications from qualified bodies in addition to a code of conduct. This is especially true if the specific data processing appears to be atypical, new or particularly risky for the company concerned.
III. Opinion of the FDPIC
25 Professional, industry and business associations that are authorized by their statutes to protect the economic interests of their members are authorized to draw up a code that can be submitted to the FDPIC for review.
26 Individual data controllers or processors cannot submit their codes of conduct. This is justified by the fact that Art. 11 FADP aims at a certain standardization within individual industries.
27 By contrast, associations and organizations that have a certain national or at least regional significance are probably entitled to submit their codes of conduct, analogously to Art. 89 CCP. A cantonal association will regularly meet this requirement.
28 The legal form of the association is in principle not decisive. However, individual companies, especially stock corporations, are excluded because they lack members. For the same reason, foundations are not eligible to submit applications. Consumer organizations and associations of affected persons lack the prerequisite to represent the economic interests of their members.
29 Federal bodies are always entitled to make submissions. This is justified by the numerous legal requirements and different tasks imposed on the various bodies.
A. Legal scope of a submission
30 According to Art. 11 FADP, the submission of a code of conduct for associations and companies is in principle optional. This principle is relativized by Art. 12 FADP. That provision requires the code to be submitted to the FDPIC for approval if a data export is to be justified by the code (Art. 12 FADP). The principle of voluntariness, which applies both to the creation of the codes of conduct and to the submission of these to the FDPIC, is now breached by this constellation of foreign data transfers. This can be justified with a higher security standard, which results almost automatically from the far more risky international data exchange. This is to ensure that the code of conduct guarantees sufficient data protection. This is underlined by a "binding and enforceable" obligation on the controller or the processor in the third country to comply with the Code of Conduct (Art. 12 para. 3 FADP). It becomes binding through measures that comply with the applicable law in the respective third country, such as anchoring the codes in the statutes of the controller.
31 A submission is advantageous from the point of view of due diligence and liability within the represented companies. This is because only an official statement can sufficiently prove that the code is compliant with data protection law. A confirmed code of conduct is direct evidence that the company is following clear regulations that comply with the FADP in terms of data protection law.
32 Since codes of conduct are self-regulatory measures that have an effect on the respective industries and professions for which they were created, they represent a legal concretization for practice. They therefore also offer the possibility of generally accepted standards of conduct being formed in a particular area. This greatly simplifies compliance with data protection for companies; in this way, they would have a concrete guide and orientation standard for their own area of activity.
B. Consequences of the Opinion
33 The FDPIC is obliged to issue an opinion. The opinion is not an order, but a real act and is therefore in principle not binding. Nevertheless, a confirmation by the FDPIC may have different consequences.
34 A positive opinion can always be expected if the code provides for compliance with all provisions of the FADP. The yardstick for the opinion is therefore the law. The FDPIC may add suggestions for improvement and recommendations to the opinion, especially in the case of a lack of concretization or incorrect application of the law. According to Art. 59 FADP, a fee is charged to private individuals for an opinion. Pursuant to Art. 44 para. 1 and 2 FADP, the fee is in principle calculated on the basis of the time spent, with the hourly rate being CHF 150 to CHF 250, depending on the function of the executive staff.
35 After a positive opinion, it can be assumed that conduct in compliance with the Code will not result in any sanctions or administrative measures, i.e. that the data processing activities in compliance with the Code are data protection compliant.
36 A data protection impact assessment (DPIA) can also be dispensed with if the FDPIC issues a positive opinion and the code of conduct is based on a DPIA that is still up to date and protects the personal and fundamental rights of the data subject (Art. 22 para. 5 lit. a and lit. b FADP). An approved code of conduct is an alternative or an exception to the obligation to prepare an impact assessment. For risk analyses of a company, it makes sense to link DPIAs and codes of conduct in order to minimize any risk under data protection law as far as possible.
37 The consequences of an incorrect opinion remain an open question. In this case, the private individual believes that his or her own code of conduct complies with data protection law and that processing based on it will therefore not result in any administrative measures or sanctions. If the private individual nevertheless violates data protection on the basis of false information, he or she may still risk sanctions. This is because the requirements for valid protection of legitimate expectations are strict. In particular, sufficiently specific wording in the Code is required for its acceptance, and the facts that have occurred must be congruent with what has been provided for.
38 Art. 11 does not provide a rule for the case that different associations establish different rules in their codes for the same or overlapping facts. Provided that the competing drafts meet the above requirements in themselves, the FDPIC will give the codes a favorable opinion. However, it is free to point out contradictions in its opinion, since the unification of data protection rules is included in the purpose of the norm.
39 Thus, the situation may arise where a controller who is a member of different associations undertakes to comply with conflicting codes of conduct. Since the FDPIC will only issue a positive opinion if the legal requirements of the FADP are met, this will not bring it into conflict with the law. Nevertheless, it is advisable to adhere to only one code of conduct in order to keep the company's internal data protection principles stringent.
IV. Self-Regulation under Art. 40 GDPR
40 The GDPR also has a standard for self-regulation and concretization of data protection. Art. 40 GDPR speaks of the "elaboration of rules of conduct" which are drawn up by associations or similar bodies. Here, too, the focus is on self-regulatory measures by companies. The rules are to be considered as a supplement to, and not a substitute for, legal regulations.
41 The requirements for and legal consequences of codes of conduct and those of rules of conduct are similar. Thus, codes of conduct are also submitted to a supervisory authority for an opinion, which is also published. According to the general accountability obligations pursuant to Art. 5 para. 2 GDPR, the controller must comply with the principles of data protection law and must also be able to prove this. The drafting of rules of conduct facilitates this. Art. 40 GDPR specifies the requirements for codes of conduct in more detail (para. 2 lit. a-k) and provides for various procedures to ensure secure data protection within all Member States, also through implementing acts by the Commission.
42 The GDPR also promises companies advantages and simplification of proof if they voluntarily comply with approved codes of conduct.
43 In contrast to Switzerland, a code of conduct that has been submitted to the European Data Protection Board by the national supervisory authority (Art. 63 GDPR) and confirmed by them can also have effect at the Union level. Rules of conduct can be declared valid throughout the Union by means of a declaration of general applicability (Art. 40 para. 9 GDPR). A code of conduct that is based only on the FADP and has been submitted only to the FDPIC has no guarantee of transnational data protection compliance. It seems advantageous that (Swiss) associations operating in the Union also submit their codes to the competent bodies in the EU or that controllers adopt already approved codes of conduct. This facilitates market access and at the same time leads to an increase in efficiency, as less time and resources have to be spent on bureaucratic and regulatory processes. In addition, a harmonization of standards is created, which particularly benefits companies that operate both in Switzerland and in the EU.
Bibliography
Amacher Michel/Hajdini Lorian, Straf- und Strafprozessrecht/Geheime Überwachungsmassnahmen im digitalen Zeitalter, in: Alexandra Dal Molin-Kränzlin/Anne Mirjam Schneuwly/Jasna Stojanovic (Hrsg.), Digitalisierung - Gesellschaft - Recht, Zürich/St. Gallen 2019, S. 386.
Baeriswyl Bruno, Geschichten aus dem Wilden Westen - Der Datenschutz im privatrechtlichen Bereich geht seine eigenen Wege: Der Grundrechtsschutz bleibt auf der Strecke., digma 2011, S. 140 ff.
Drittenbass Joel, Regulierung von autonomen Robotern, Zürich 2021, S. 309 ff.
Gasser Dominik/Rickli Brigitte, Schweizerische Zivilprozessordnung (ZPO), Kurzkommentar, Zürich et al. 2014.
Kasper Gabriel, People Analytics in privatrechtlichen Arbeitsverhältnissen, Zürich 2021, S. 315 ff.
Kühling Jürgen/Buchner Benedikt (Hrsg.), Datenschutzgrundverordnung BDSG, München 2020.
Kunz Laura, Kommentierung zu Art. 11 DSG in: Baeriswyl Bruno/Pärli Kurt/Blonski Dominika (Hrsg.), Stämpflis Handkommentar zum DSG, 2. Aufl., Zürich/Basel, 2023.
Lepperhoff Niels, Kommentierung zu Art. 40 DS-GVO in: Gola/Heckmann (Hrsg.), Datenschutz-Grundverordnung – Bundesdatenschutzgesetz, 3. Aufl., Königswinter et al. 2022.
Paal Boris P./Pauly Daniel A., Datenschutzgrundverordnung, Beck’sche Kompakt-Kommentare, 3. Aufl., München 2021.
Portmann Wolfgang/Meier Anne (Hrsg.), Jahrbuch des Schweizerischen Arbeitsrechts 2021, Bern 2021, S. 57 ff. (zit. JAR 2021).
Richter Julia, Soft Law als Brückenbauer zwischen Wirtschaft und dem Schutz der Gesundheit?, Archiv des Völkerrechts 2014/52, S. 545 ff.
Rosenthal David, Das neue Datenschutzgesetz, Jusletter 16.11.2020.
Stirnimann Sonja, Der Verhaltenskodex aus praxistauglicher Perspektive, EF 10/22 2022, S. 460 ff.
Rothkegel Tobias, Verhaltensregeln und Zertifizierungen, in: Moos Flemming/Schefzig Jens/Arning Marian Alexander (Hrsg.), Praxishandbuch DSGVO, Frankfurt am Main 2021, S. 879 ff.
Wind Christian, Leitfaden Compliance, Zürich et al. 2018, S. 111 ff.
Materials
Botschaft vom 15.9.2017 zum Bundesgesetz über die Totalrevision des Bundesgesetzes über den Datenschutz und die Änderung weiterer Erlasse zum Datenschutz, BBl 2017 6941 ff.