In brief
Art. 12 FADP describes the obligation for federal bodies and private data controllers and order processors to keep a register of processing activities. Data should be recorded throughout its life cycle in the company. A directory contains at least:
- the identity of the persons in charge
- the categories of personal data processed
- the purpose of the processing
- if possible, the retention period or at least the criteria for determining this period
- the recipients of the processed data
- measures to be taken in accordance with data protection law
- requirements for the disclosure of data abroad
The directory does not include categories of personal data that the company does not process at all, nor guarantees for the disclosure of data abroad if no data export is carried out. The same applies to data that would first have to be obtained with disproportionate effort.
Finally, companies with fewer than 250 employees (SMEs) are legally exempt from the obligation to create and maintain a processing directory due to administrative relief. Since a directory of processing activities serves the purpose of internal clarification of the data processed as well as compliance with liability and due diligence obligations, it is recommended for every company to keep a directory.
The directory of processing activities, which is not bound by any formal requirement, is recorded within the company and offers, among other things, a possibility for regulated self-regulation in addition to codes of conduct and certifications. On the one hand, the company gains clarity about the data it processes; on the other hand, the FDPIC will also be guided by data processing directories from the entry into force of the revised DPA in order to check data protection compliance.
I. General
A. Overview
1 According to the provisions of the Data Protection Act (DPA), a directory of processing activities is an important tool for ensuring compliance with data protection regulations. It provides a systematized overview of data processing activities and is an obligation for both federal bodies and private individuals. It provides information about the origin and purpose of the data, storage aspects, as well as applied security measures and data transfer, possibly abroad. The standard replaces Art. 11a aDSG in conjunction with Art. 11 VDSG and specifies and extends the obligation to keep a register of data collections. Responsible parties must independently determine and systematically document the data collected internally. In the register, there is thus an increased focus on the documentation obligation and the data processing activities. However, a register of processing activities must be distinguished from a register of data collections and has additional content requirements (cf. n. 6).
2 Thanks to the register of processing activities, organizations have important information about their digital data and a clear and up-to-date overview. This benefits both the FDPIC, whose review of a company's data protection compliance is simplified, and the company itself.
B. History of origins
3 Pursuant to Art. 11a aDSG, the "Commissioner", i.e. the FDPIC, kept a publicly accessible register of data collections ("Register"). While federal bodies had to register all data collections with the FDPIC (Art. 11a para. 1 aDSG), private individuals were only required to register if they either regularly passed on personal data to third parties (Art. 11a para. 3 lit. b aDSG) or if they processed personality profiles or data requiring special protection (Art. 11a para. 3 lit. aDSG). Art. 11a para. 5 aDSG exempted several holders of data collections from a notification obligation to the FDPIC, including holders of a data protection certification or companies with a data protection officer.
4 Art. 11a FADP did not itself specify the requirements for a register of data collections, but Art. 11 FADP did. According to this, the register had to contain descriptions of the internal organizational structures and the data processing and control procedures. Evidence about the planning, implementation and operation of the data collection as well as the IT resources used also had to be listed. These clarifications applied only to data processing operations subject to reporting requirements.
5 However, the term "list of processing activities" goes beyond a brief overview of collected data. It additionally includes information on what is done with the data, how it is collected, and where it is transferred. Registers overlap with a directory of processing activities in terms of content, but focus more in-depth on the (company's) internal structure, planning and management. The current FADP no longer includes the term register of data collections, as it has been replaced by directory of processing activities.
6 Art. 12 DPA is more comprehensive and requires additional information such as the identity of the controller, the purpose of processing, a categorization of both the personal data processed and the intended recipients, the retention period and concrete measures to ensure data security. Although much overlaps with Art. 11 VDSG, the requirements are much more detailed, which should also simplify the creation of a directory. The former general documentation obligation, i.e. an obligation to report data collections, is also replaced by the data processing directory.
7 With the entry into force of the new FADP, according to Art. 12 FADP, private individuals and federal bodies must create a directory of processing activities. However, it is exclusively federal bodies that must submit their processing directory to the FDPIC (Art. 12 para. 4 FADP). The obligation to keep a register, however, also applies to private individuals. The directory of processing activities makes it possible to better control one's own data. The directory of processing activities is now classified under the general data protection provisions.
C. Purpose of the norm
8 Art. 12 FADP is an obligation standard for data controllers and processors. The purpose of the norm is to increase transparency in the processing of data. This is ensured by the stricter requirements for the directory (Art. 12 FADP) than for its former counterpart, the register of data collections (Art. 11a aDSG). With precise minimum information, data controllers have a clear orientation framework as to which data belong in a directory. In this way, data processing is recorded in a standardized manner. It becomes easier for the person responsible to keep track of the collected data within the company. On the one hand, he or she can adequately fulfill the duty to inform and, on the other hand, satisfactorily comply with the right to information.
9 A systematic collection of data and information is generally beneficial for companies, not only in the area of personal data. A materials directory or a record of information that is subject to a confidentiality obligation enables the company to always have an up-to-date, correct and simplified overview of the internal flow of information. Here, too, the principle applies that the systematic collection and gathering of data represent an important digital asset.
10 The standard also represents a simplification for the FDPIC. It benefits from the standardization of the directory, since all relevant categorizations or edits are now directly available to it. In the future, the FDPIC will ask for the directory first during an investigation. Nevertheless, failure to maintain a directory does not lead to an immediate sanction. However, providing false information or refusing to assist in an investigation by the FDPIC remains punishable, as it already is under current law.
II. Content
A. Content of a processing directory
11 Art. 12 provides for some minimum content requirements for this directory, as follows:
Who is responsible? (Art. 12 para. 2 lit. a FADP)
The person responsible is the person who decides on the purpose and means of data processing. If there are several persons responsible, all of them must be listed.
What is the purpose of processing? (Art. 12 para. 2 lit. b FADP)
The purpose can vary; the decisive factor is the goal pursued with data processing. As a rule, the person who initiates the processing also decides on its purpose.
Which persons and what type of personal data are processed (categorizations)? (Art. 12 para. 2 lit. c FADP)
Categories of data subjects are typified groupings such as "consumers" or "employees". Categories of "processed personal data" refer to the types of data processed, such as personal data requiring special protection.
Who is the recipient of the processed data? (Art. 12 para. 2 lit. d FADP)
The recipients of the processed personal data are also categorized, such as supervisory authorities.
How long is personal data kept or how can this duration be determined? (Art. 12 para. 2 lit. e FADP)
In particular, it is about the archiving periods of collected data. If there is no legal basis or no longer a defined purpose for storing the collected personal data, it must be deleted or anonymized (Art. 6 para. 4 FADP).
What measures are taken to ensure data security according to Art. 8? (Art. 12 para. 2 lit. f FADP)
Reference is made to the fundamental principles of data protection and data security. These include, in particular, the integrity of the data collected, appropriate technical and organizational measures and "privacy by default" and "privacy by design".
What measures must be taken to disclose data abroad? (Art. 12 para. 2 lit. g FADP)
In addition to the legal measures (cf. Art. 16 ff. FADP), this also includes contractually agreed standard clauses in contracts and internationally defined, sector-specific standards (cf. Art. 11 FADP in conjunction with Art. 12 DPA).
12 Art. 12 is very precise and detailed, but still allows a certain degree of flexibility. For example, the directory should only include information about which there is sufficient certainty in terms of content. A description should only be given if the activities can be described in sufficiently concrete terms. Sometimes, for example, the exact retention period cannot be specified. In that case, only the criteria for the retention period need to be specified. Due to this broad definition, it would be desirable to develop sector-specific guidelines that could be applied uniformly in the respective industries and would make this broad design more concrete. This would facilitate the work of both the responsible parties and the FDPIC. The guides would provide clear instructions to the officers and help them better understand and implement the data protection requirements in their industry. At the same time, it would allow the FDPIC to conduct more consistent privacy review and enforcement across industries.
B. Form of a Directory
13 Article 12 DPA does not specify in detail how exactly data processing activities are systematized in the directory of processing activities. There are also no formal requirements. A directory can be a simple Word or Excel document or a complex IT solution. The directory can be kept in a decentralized manner and its maintenance can even be delegated.
C. Obligations of private persons
1. Legal requirements
14 In principle, all companies and other private persons in charge are obliged to keep a register of processing activities. This results from the fact that almost all private individuals collect and also process personal data in their economic or non-profit activities.
2. The processor
15 The register of processing activities must be kept by the controller and the processor (Art. 12 para. 1 FADP). The order processor is a person who processes data on behalf of the controller (Art. 5 lit. k FADP). An example is the IT service provider who hosts a website or an employee who takes contact data from customers. A data controller, on the other hand, is the person who decides on the purpose and means of data processing (Art. 5 lit. j DPA).
16 Each company is exclusively responsible for the data processed internally. An order processor (processor) is not obliged to maintain a processing directory for the data controllers. Data of the person in charge, also called "controller", does not have to be listed. This is only the responsibility of the controller itself, which is responsible for its collected data, for example customer data. Otherwise, this would lead to excessive collection of personal data. This requirement would be almost impossible for companies to enforce. One would have to collect the entirety of all personal data of the client for every service. A proliferation of directories and an associated loss of overview of the data collected would be expected. The directory of the order processor therefore contains less information than that of a data controller. On the other hand, this directory creates transparency in the contractual relationship between the data controller and the data processor by stipulating that both parties must be clearly identifiable. The relevant framework conditions are set out in Art. 9 FADP, which clarifies data processing by a processor.
3. Legal exceptions: SME
17 Art. 12 para. 5 provides an exception for companies that employ fewer than 250 people and do not process high-risk data. These are exempt from the obligation to keep a register of processing activities. High-risk data processing activities are those that are more likely to result in a violation of privacy (invasion of privacy, medical data, sexual orientation, religious denomination, etc.). This exception is also mentioned in Art. 24 of the Ordinance on Data Protection (DPA). However, Art. 24 does not contain any more detailed provisions regarding the legal exception. It is merely repeated that SMEs are exempt from a directory obligation unless they process personal data requiring special protection on a large scale (lit. a), or carry out high-risk profiling (lit. b). The concept of high risk is used analogously to that in Art. 22 para. 2 DPA.
18 The aim of this exception is to reduce the administrative burden on smaller companies. Not only the size of a company is taken into account, but also the respective data that is processed and which risks are associated with it. SMEs are also affected by the sanctions provided for in the DPA, and compliance with data protection principles is required of SMEs. This results in an indirect documentation obligation for companies, even though they are not legally obligated to create a processing directory. This is because the FDPIC will deal with the data protection measures within an SME regardless of whether a processing activity directory exists or not. The SME must therefore present the processed data anyway. A directory provides better protection for the company in terms of liability and due diligence.
19 If half of all data processed are high-risk, they fall under the requirements of the enhanced documentation obligations, but may still not be required by law to be listed in a directory of processing activities. Liability and risk for any data protection violations are always borne by the data controller. The creation of a processing directory is therefore recommended if high-risk data processing is carried out, regardless of the scope.
4. Contractual requirements
20 It is also possible to provide for the maintenance of a directory by contract. Although such an obligation is dispositive, it could develop greater significance depending on the industry. Indeed, by keeping a processing directory, a company can protect itself not only from the FDPIC and the legal requirements, but also from other companies that may be partners as well as customers. If a data controller knows how the data processor processes and stores data and by what means, this promotes trust and cooperation between both parties. Furthermore, enforcing a practice where directories are contractually agreed upon allows for independent elaboration of directories that are adapted to the respective economic sectors and meet the specific data protection challenges in the affected work areas.
21 In contracting directories, certain aspects need to be taken into account and various hurdles may arise. Implementing such a practice allows companies to independently create directories that meet the specific requirements and data privacy challenges of their respective economic sectors.
22 One of the hurdles is drafting contracts to meet the precise requirements of data protection law. Clear agreements must be reached on the type of data collected, the purpose of the data processing, the retention period, security measures and other relevant data protection aspects. It is important to ensure that contractual arrangements comply with the law and that the rights of data subjects are adequately protected.
23 In addition, figuring out sector-specific directories can be challenging. Different economic sectors have different data privacy requirements and specific areas of work that may present specific data privacy challenges. Companies must be able to identify and incorporate these specific requirements into their directories in order to comply with data protection regulations.
24 Collaboration among the parties involved, such as the companies, privacy experts, and regulators, as appropriate, can be helpful in successfully implementing contractual agreements and carving out industry-specific directories.
D. Obligations of Federal Bodies (Art. 12 para. 4 FADP)
25 According to Art. 5 lit. i FADP, federal bodies are not only authorities or central administrative bodies, but any authority or service of the federal government, as well as persons who fulfill public tasks of the federal government.
26 According to Art. 12 para. 4 FADP, federal bodies have the obligation to report their directories of processing activities to the FDPIC. The FDPIC himself keeps a register of the processing activities of federal bodies pursuant to Art. 56 FADP, which is published.
27 Even before the revision of the Data Protection Act, federal bodies were obliged to record organizational structures and data processing procedures in a register of data collections. This implicitly included the name and address of the responsible federal body, a designation of the data collection, the body responsible for the right of access, and the legal basis and purpose. Categories of personal data processed, the recipients, as well as the participants in the data collection were recorded (Art. 11a of the old FADP). Registers of data collections also had to be notified to the FDPIC for registration in accordance with Art. 11a aDSG. In general, federal bodies were subject to more stringent requirements. The Federal Council also had the power to determine special regulations for data protection (Art. 16 para. 2 aDSG).
28 There is thus no significant change in the obligations for federal bodies. Rather, Art. 12 DPA acts as an extension to private persons of the obligations that previously applied only to federal bodies. A register of processing activities must therefore be kept for federal bodies without exception. A register that already exists and is kept accurate and up-to-date already meets many of the requirements for a directory, which is why there is often little or no need for changes to implement the current Data Protection Act. The most significant change is that instead of being divided by data collection, it is now divided by data processing.
E. Implementation of Data Protection Compliance
29 In principle, a directory of processing activities is not intended for data subjects, but is mainly used for internal control of a company as well as for investigation by the FDPIC. By creating a directory of processing activities, data controllers gain clarity about their own data processing activities. Keeping a register simplifies the implementation of certain obligations and fulfillment of data subject rights, such as the right to information (Art. 25 FADP).
1. Information obligations
30 Art. 19 FADP provides for an information obligation for the controller and the processor when obtaining personal data. At a minimum, the identity and contact details of the data controller, the purpose of processing and, if applicable, the recipients of the personal data procured must be disclosed. With the data protection revision, the duty to provide information was generally expanded. Prior to the revision, it applied only to the acquisition of particularly sensitive data or personality profiles, whereas it now applies to every acquisition of personal data.
31 With a directory of processing activities, the data subject is informed efficiently and uniformly about the collection of his or her own data. Furthermore, the purpose, the means and, under certain circumstances, the retention period can also be communicated precisely, since this information is itself already contained in the directory. In this sense, the directory represents an administrative relief for companies, with which external information processes towards data subjects or also the FDPIC can be designed more simply and efficiently. This more efficient design results in several advantages. First, the data controller reduces the administrative burden, as it no longer has to create and send a separate notification for each individual data processing. Instead, it can refer to the directory, which already contains all the necessary information. Second, communication with data subjects is standardized. Since all information is contained in the directory, all data subjects receive the same information about purpose, means and retention period, resulting in more consistent and transparent communication. Third, the directory also facilitates cooperation with external parties, such as the Federal Data Protection and Information Commissioner (FDPIC). When the FDPIC requests information about data processing, the company can simply provide the directory instead of having to prepare separate reports for each individual data processing operation.
2. The Right of Access
32 The right to information under Art. 25 DPA is a data subject right that an individual can assert under data protection law. With the right to information, the lawfulness of a data processing can be checked and the data subject has the right to demand an authorization or deletion of the data. According to Art. 25 FADP, the data subject shall receive all information about his or her own personal data so that he or she can assert his or her rights, namely the identity of the controller, the purpose of the processing and the processed personal data itself. The rights that may be asserted thereafter are, for example, the right to rectification of the incorrectly collected personal data or the elimination of the latter (Art. 32 FADP).
33 A register of processing activities ensures and supports the right of access, as it fully encompasses the information that must be communicated to the data subject pursuant to Art. 25 FADP. With a properly maintained directory, the data subject receives complete, uniform and correct information about the data collected. Adequate information is guaranteed and security is increased for both parties, since the company has a better overview of the collected data and runs less risk of violating data protection regulations. If the directory is not correct, this can lead to the controller not recording information about the data processing correctly or taking inadequate security precautions. This creates a risk of data breaches and may result in legal consequences.
F. Data held abroad (Art. 12 para. 2 lit. g).
34 According to Art. 12 para. 1 lit. g FADP, when data is disclosed abroad, the respective country must be indicated, as well as the guarantees according to Art. 16 para. 2 FADP. These provisions ensure that the data subject is informed about the transfer of his or her personal data abroad and that appropriate data protection measures are taken. The directory of processing activities can include these requirements by stating the exact purpose of the data transfer abroad and naming the destination country. In addition, the directory should also contain information about the safeguards taken in accordance with Article 16 (2) FADP, in order to reassure the data subject that adequate protective measures are in place. It is important that the data subject is informed in a clear and comprehensible manner that his or her data will be transferred abroad and what protective measures have been taken in the process. This ensures the data subject's right to information and protects his or her privacy. These provisions tighten the data protection requirements in the case of cross-border data processing and disclosure. In principle, personal data may only be disclosed abroad if there is a decision by the Federal Council that this country itself guarantees adequate data protection. A list of the state of data protection worldwide has been published by the FDPIC. Inadequate protection is provided by, among others, Russia, a large part of African and South American countries, and all of Asia (with the exception of Israel).
35 Article 16 para. 2 FADP requires either an international treaty, contractual data protection clauses, specific guarantees approved by the FDPIC, standard protection clauses, or binding internal company data protection specifications that are also approved by the FDPIC (Art. 16 lit. a-e FADP). These now apply in the case of data disclosure not only if the country itself does not ensure adequate protection, but for any foreign disclosure.
III. Comparison with EU Law
36 Article 12 DPA, like several other articles after the total revision, has some parallels to the requirements of the GDPR. For example, Art. 12 was drafted in analogy to Art. 30 GDPR. Both in Art. 30 GDPR and in Art. 12 FADP, public bodies as well as private individuals must keep a register. In it, the identity of the controller and the commissioned processor must be stated. Both provisions require information on the purpose of processing, the categorization of personal data processed and recipients, the guarantees for transfer abroad, the retention period and technical and organizational measures regarding the implementation of data security. The exemption from the creation of a data processing directory is also preserved in both Art. 30 GDPR and Art. 12 DPA. The statement "if possible" (para. 1 lit. f and g) allows for some flexibility, as in the Swiss Data Protection Act. The content of a directory is not defined equally and strictly for every company, but is based on how precisely the processed data can be circumscribed in the first place. Thus, it is not always possible to say with certainty when data will be deleted, nor do all companies follow analogous and generally accepted technical and organizational measures. A data directory should also be able to adapt to the respective activity.
37 Differences between the provisions arise sporadically in the formulations and explanations. Analogous to the FDPIC in Switzerland, the data protection supervisory authority in the EU assumes similar functions such as monitoring compliance with the GDPR or the DPA. Article 30 of the GDPR additionally requires that the identity of the data protection officer be stated in the directory, if one exists in the company. The transfer abroad must be specifically stated according to the GDPR and the form of a directory must be in writing. Public bodies or private individuals also have an obligation under Union law to make the directory of processing activities available to the supervisory authority upon request. Cooperation in good faith with public authorities is generally required.
38 In addition to Art. 30 GDPR, Art. 24 of Directive 2016/680 elaborates on the content of a register of processing activities. It is only worth mentioning here that Art. 24 of the Directive also provides for the use of profiling (Art. 24 para. 1 lit. e) and the indication of the legal basis for the transfers of personal data (Art. 24 para. 1 lit. g) in a processing register. This is not provided for in the Swiss regulation, but can be covered by supplementary information in the purpose of processing or the categorizations of personal data processed.