- In a nutshell
- I. General
- II. Content
- III. Violation of the obligation to consult the FDPIC
- IV. Challenges and Practical Relevance
- V. Comparison with EU Law
- Bibliography
- Materials
In a nutshell
Art. 23 is the follow-up provision to Art. 22. If the controller determines in the course of a DPIA that, despite the risk-mitigating measures taken, there is still a high risk to the personality or fundamental rights of the data subject, the FDPIC must be consulted. Art. 23 lists and specifies the requirements, deadlines and consequences of that consultation. The FDPIC reviews the planned data processing for compliance with the FADP. If he has objections to the planned processing, he issues an opinion, which also contains recommendations on possible measures, and forwards it to the controller. The FDPIC may also exercise his powers under Art. 49 and 51 ff. following the consultation under Art. 23. A violation of the obligation under Art. 23 is, however, not punishable.
I. General
A. Overview
1 Art. 23 describes the requirements for consulting the FDPIC. This is a procedure closely linked to the data protection impact assessment (DPIA) under Art. 22. If, during a DPIA, the controller determines that the planned data processing still poses a high risk to the personality or fundamental rights of the data subject despite the measures taken, the FDPIC must be consulted in advance. The FDPIC then checks whether the planned processing is compatible with data protection law and with the requirements of information security, and informs the controller of his objections by means of an opinion within two to three months. In doing so, the FDPIC is obliged to propose suitable measures to counter the identified risks.
B. History
2 Before the total revision of the FADP there was no obligation to conduct a DPIA and to consult the FDPIC where the planned processing leads to a high risk for the data subjects despite the measures taken. Nor did such an obligation exist for federal authorities, which had to conduct a DPIA pursuant to Art. 22 of the previous FADP (aDSG). The European Data Protection Convention (ETS 108+) does not require the introduction of this obligation either. However, the obligation was already provided for in some cantonal data protection laws, for example in the Canton of Zurich in Art. 10 IDG or in the Canton of Bern in Art. 17a KDSG.
3 The possibility or necessity of consultation is, however, based on European legal requirements from 2008, in particular Art. 20 of Directive 95/46/EC, under which processing operations involving certain risks for individuals, in particular to their rights and freedoms, had to be examined in advance by the data protection officer. This provision lives on today in Art. 28 of the current Directive 2016/680/EU, which Switzerland also had to implement on account of the Schengen acquis in the area of cross-border prevention, investigation, detection or prosecution of criminal offences and the execution of criminal penalties, and in Art. 36 GDPR, which was implemented in a comparable manner.
4 In Art. 16 para. 3, the preliminary draft (VE-FADP) provided that the FDPIC be notified of the results of the DPIA in every case. As under today's regulation, the FDPIC had to notify the controller of his objections within a certain period. The obligation to inform the FDPIC of the result of every DPIA was strongly criticized in the public consultation, and the Federal Council subsequently softened it in Art. 21 para. 1 FADP. This weakened form was adopted in the current Art. 23 para. 1: the FDPIC only has to be consulted if, despite the measures taken, there are still high risks to the personality or fundamental rights of the data subject.
C. Norm Purpose
5 According to the Dispatch, the consultation requirement was included in the 2020 total revision "because it allows the officer to act in a preventive and advisory capacity." This is said to be most efficient for the controller, as potential data protection problems can be identified and addressed at an early stage. The consultation allows the FDPIC to obtain and evaluate the information needed to assess a planned high-risk processing operation. This also benefits the democratic process.
6 The purpose of Art. 23 is also to develop solutions before a project involving the corresponding data processing is implemented. This serves to ensure a high standard of data protection from the outset and to guarantee information security. The legislator thus aims at proactive behavior so that possible legal violations are reduced to a minimum from the start or, ideally, excluded altogether. It also protects the controller from the additional effort and cost that arise when problems are addressed only retrospectively, once data processing has already begun. This makes sense given that subsequent damage and violations are often difficult to remedy. Overall, the article thus fits into the risk-based approach of the totally revised FADP.
II. Content
A. Addressees
7 As in Art. 22, the addressees of Art. 23 are federal authorities and private controllers. Processors are not included; for their role, reference is made to the corresponding commentary on Art. 22.
8 Federal authorities and private controllers are thus obliged to consult the FDPIC if a planned processing operation leads to a high risk to the personality and fundamental rights of the data subjects despite the measures implemented. The FDPIC, for his part, is obliged to carry out the consultation in accordance with the FADP and to observe the applicable deadlines (cf. n. 25).
B. "Planned" processing
9 Art. 23 para. 1 provides that the FDPIC must be consulted in the case of planned processing that involves a high risk to the personality or fundamental rights of the data subject. The provision applies only if the controller has already taken measures to mitigate the resulting risks and the processing nevertheless poses a high risk.
10 Although the wording suggests that only new, planned processing operations are concerned, the provision also covers changes to existing processing operations or procedures (cf. the commentary on Art. 69). The FDPIC must therefore be consulted whenever the processing changes or the factual or legal circumstances change. However, these changed circumstances must suggest or make clear that there is a high risk within the meaning of Art. 22, and the measures taken in the course of a renewed or repeated DPIA must be insufficient to reduce that high risk. For the concept of high risk, reference is made to the commentary on Art. 22 (Art. 22 n. 12 ff.). That the FDPIC must also be consulted when existing processing activities change is supported by the fact that, in an environment marked by rapid change, controllers must always include the risks in their own considerations and planning of processing activities so as not to endanger or violate the rights of data subjects (cf. Art. 7).
C. Consultation
1. Introduction
11 First, Art. 23 requires that the controller has conducted a DPIA under Art. 22 for a planned or modified processing operation. If the controller concludes that, despite the measures provided for, the processing poses a high risk to the personality or fundamental rights of the data subject, the controller must consult the FDPIC. Although the law contains no formal requirements, the request should be made in writing, if only for evidentiary reasons. If no such high risk exists, the controller may still voluntarily submit the DPIA to the FDPIC. Although this is conducive to legal certainty and information security, private controllers are likely to refrain from doing so as a rule (cf. n. 34 ff.).
12 The consultation must be completed before the processing in question begins. Only after the consultation has been concluded, i.e. after the FDPIC has issued his opinion, may the federal authority or the private controller begin processing the data.
13 Three points regarding the consultation should be noted in advance:
First, the consultation is subject to fees for private controllers (see Art. 59 para. 1 lit. c FADP; Art. 44 FADP). The fee depends on the personnel expense in the individual case. Federal bodies, by contrast, incur no fees.
Secondly, the FDPIC may, for his part, contact the controller and request a risk assessment and consultation if he becomes aware of planned processing operations.
Thirdly, the FDPIC may combine such a request with investigative acts (cf. n. 23).
2. Information to be submitted
14 Art. 23 specifies the cases in which the FDPIC must be consulted, but it does not define what information must be submitted to him for his evaluation. Given this starting point, it can be assumed, or has already been announced, that the FDPIC himself will issue corresponding specifications shortly after the act enters into force, which controllers can use as a guideline. In any event, the controller should ensure that the documents created in the course of the DPIA are available in full, so that the FDPIC is in a position to issue an opinion on that basis at all. These documents should therefore contain, among other things, information on the planned processing (including its purpose, where applicable), on the possible risks to the personality or fundamental rights of the data subject, and on the planned technical and organizational measures. It must also be explained why the risk is still considered high despite the measures described; this is important because otherwise no consultation would be required.
15 The GDPR can serve as a guide here, as it contains a list of the information to be submitted (cf. n. 39). It can also be helpful to proceed according to the so-called ISDS concept (information security and data protection concept). This provides for a description of the project that is as precise as possible, including an explanation of the legal situation and of the organizational and technical measures. The project description contains information on the controller and processor, the purpose and type of processing, and the recipients and data subjects. The description of the organizational and technical aspects, by contrast, requires a description of the applications, networks and technologies used as well as of the role and authorization concepts. In individual cases, more detailed concepts or action plans may be requested.
16 The documents should also be submitted in a structured manner and include the applicant's name and a contact address, so that the FDPIC can reach the controller if queries or other clarifications are needed in the individual case.
3. Procedure of the FDPIC
17 Once the relevant documents have been submitted in full (cf. n. 15 ff.), the FDPIC usually proceeds in three steps (i)-(iii): In a first step, the submitted information is reviewed and it is determined whether further information, documents or other details are needed for clarification; if so, they are requested from the controller (i). The documents are then carefully examined and analyzed for their comprehensibility and validity (ii). In a third step, the procedure is concluded, objections are communicated where necessary and measures to be taken are proposed (iii). Across these three steps, the FDPIC assesses whether the proposed measures are sufficient to protect the personality and fundamental rights of the data subject and to mitigate the high risk.
18 In the first step, the FDPIC examines the information submitted by the controller and makes sure that he understands the processing operation. The focus is on the factual as well as the technical description of the processing in question. If the FDPIC requires further information, he requests it and, if necessary, asks for an oral discussion of the planned processing with the controller in order to clarify specific questions. The wording of the law does not make clear whether the period for the FDPIC's opinion begins to run only after this step or directly upon submission of the request for consultation. According to the view taken here, the period begins to run only once all information requested by the FDPIC has been submitted in full. The consultation may therefore take longer than the two to three months, depending on what additional information and documents the FDPIC requests.
19 On this basis, the actual review of the processing operation begins. In this second step, the FDPIC examines in particular the controller's risk assessment and proposed measures. This includes a review of the legal requirements, above all compliance with the data protection principles. Besides proportionality (keywords: data economy and data avoidance), this covers, among other things, any legal or contractual basis or justification for the processing, outsourcing of the processing or disclosure of data abroad, data security, and the guarantee of data subject rights, in particular the right to information and the right to correction and deletion of data. Both the sensitivity of the data and the parties involved and their responsibilities must be taken into account. Furthermore, the technical and organizational measures are examined, in connection with the technologies used and, where applicable, the providers behind them. In an age of increasing cyberattacks, this serves information security.
20 After the FDPIC has dealt with these aspects in depth, in a third step he generally draws up an opinion for the attention of the controller. In this opinion, he sets out his observations on the planned processing and offers an assessment from both a legal and a technical and organizational perspective. If he concludes that the processing complies with data protection requirements, no further requirements apply to the controller; in this case, the FDPIC makes no recommendations and may even refrain from issuing an opinion to the controller at all. If the FDPIC raises objections, he combines them with proposals for concrete measures (on measures, cf. Art. 22 n. 26). These measures aim to ensure compliance with both data protection and information security. As a rule, the FDPIC will set the controller a deadline for implementing them.
21 A special case should be noted in this context: if, after the processing has been carried out, the FDPIC concludes that the measures were insufficient, or that no measures exist at all to reduce the identified risks, he is authorized to open an investigation (Art. 49). For this purpose, the FDPIC has at his disposal all administrative measures under Art. 51; the investigation may thus result, among other things, in a suspension or even a prohibition of the processing. Although the FDPIC can be expected to issue formal orders only in isolated cases, the law explicitly leaves this option open to him where controllers do not handle the risks appropriately.
22 It should also be emphasized that the FDPIC's opinion is a non-binding recommendation. It does not have the character of an order and therefore cannot in any way be understood as an approval of, let alone an authorization for, the planned processing.
4. Time limit
23 If the FDPIC is consulted, he must notify the controller of his opinion within two months of the complete submission, in accordance with Art. 23 para. 2. If the processing is complex, the FDPIC may extend this period by a maximum of one month. If the controller receives no communication from the FDPIC within this period, it can be assumed that the FDPIC will raise no objections to the planned processing.
D. Exceptions
24 Art. 23 provides for some exceptions to the basic obligation to consult. These exceptions are governed by para. 4 and apply only to private controllers; federal authorities are thus excluded from them.
25 Paragraph 4 states that consultation is not required if the controller consults a data protection advisor on the planned processing. The Dispatch states that the data protection advisor must actually be actively involved in the DPIA, i.e. must have been in a position to comment comprehensively on the measures and risks. In view of this, it appears advisable to regulate the DPIA process as well as the competences and involvement of the data protection advisor conclusively in internal guidelines or directives.
26 According to the Dispatch, the exception is intended to reduce the administrative burden on private controllers. From an economic perspective, this exception is to be welcomed, especially since it allows private controllers to avoid the delays, additional costs and potentially negative consequences of consulting the FDPIC. Although the FDPIC had spoken out against this exception during the consultation procedure, it was nevertheless included in the final text of the law.
27 The exception should also be understood as an incentive for private controllers, since it gives them a very specific reason to appoint a data protection advisor. This incentive is important because, in contrast to Article 37 of the FADP, the appointment of a data protection advisor is always voluntary under the FADP.
28 However, the exception applies only if the requirements of Art. 10 para. 3 are met. Accordingly, the data protection advisor must be professionally independent and not bound by instructions, must be free of conflicts of interest and must have the necessary expertise (see the commentary on Art. 10 for a detailed discussion of these requirements). The controller, for its part, must publish the contact details of the data protection advisor and communicate them to the FDPIC. This exception is reminiscent of the exception under Art. 11a para. 5 lit. e of the previous FADP (aDSG) to the obligation to register data files, which was deleted from the FADP without replacement. Private controllers are therefore already very familiar with these requirements.
29 Private controllers who develop or implement business models or technologies that potentially lead to high risks for data subjects will, as experience shows, appoint a data protection advisor and make use of this exception, thereby avoiding consultation of the FDPIC. This is all the more likely since internationally active private controllers in such industries are already required to appoint a data protection officer under the GDPR anyway.
III. Violation of the obligation to consult the FDPIC
30 If a controller fails to consult the FDPIC in advance despite the obligation under Art. 23, Art. 51 para. 3 lit. e provides that the FDPIC may order the controller to consult him in advance, under threat of a fine. Data subjects, by contrast, have no right to take legal action to enforce consultation of the FDPIC.
31 If the FDPIC determines in the course of an investigation that a processing operation leads to a high risk, he may order that the processing be adapted, suspended or terminated altogether until a DPIA has been carried out and the FDPIC has been consulted (Art. 51 para. 1 in conjunction with Art. 49 f.). This can lead to considerable delays and thus to high costs and additional effort for the controller. Moreover, since the FDPIC may publish the results of an investigation (Art. 57 para. 2), reputational risks are to be expected in such cases.
32 However, a violation of the obligation to consult the FDPIC is not in itself subject to a fine. This seems logical, especially since it is a duty of care and the FDPIC has corresponding powers (cf. the commentary on Art. 22 n. 37). In the EU, by contrast, a fine is provided for in these cases.
IV. Challenges and Practical Relevance
33 The practical relevance of Art. 23 remains to be seen. Private controllers, at least, will try to avoid the obligation as far as possible by adapting the planned processing until, with the measures taken, it no longer leads to a high risk for the data subjects. It can therefore be assumed that the FDPIC will only be consulted in exceptional cases. There are further reasons for this: private controllers will not want to wait up to three months for an assessment of their processing before they can proceed with their project, all the more so since this period can be expected to start only once the FDPIC has received all the information he considers necessary from the controller. In individual cases, this could lead to projects being interrupted for significantly longer. The projects may also involve business-relevant processes and facts which, once submitted to the FDPIC, could become public, for example because the FDPIC must report on the DPIA in his activity report or is obliged to disclose certain information in response to a request under the Freedom of Information Act (FoIA). This cannot always be countered by the FDPIC undertaking to maintain confidentiality. Finally, under Art. 59 para. 1 lit. c FADP the consultation of the FDPIC is subject to a fee for private controllers, calculated according to the time spent by the FDPIC at an hourly rate of CHF 150-250 (Art. 44 para. 2 FADP), which is a cost not to be underestimated in complex processing procedures. The fee may be increased up to double if the consultation of the FDPIC can be further exploited commercially (Art. 44 para. 3 and 4 FADP). These costs come on top of a private controller's own costs, which a DPIA triggers anyway.
34 Where a processing operation is in the public eye and the FDPIC, because of this or the accompanying political pressure, makes an inquiry of the controller or conducts an investigation, private controllers are likely to be ordered to conduct a DPIA, as has happened in the past (cf. Art. 51 para. 2 lit. d and Art. 49). Such orders will presumably also provide for an obligation to consult the FDPIC for that particular processing operation.
V. Comparison with EU Law
35 Art. 36 para. 1 GDPR provides for the obligation to consult the competent supervisory authority if a processing operation could lead to high risks for the data subjects despite the measures taken. In this respect, the provision is identical to Art. 23 para. 1 FADP.
36 Similar to Art. 23 para. 2 FADP, according to Art. 36 para. 2 GDPR the competent supervisory authority must notify the controller and, where applicable, the processors involved of any objections to the planned processing within eight weeks. Such objections may arise where the supervisory authority finds that the controller "has not sufficiently identified or mitigated the risk." The period may, however, be extended by six weeks, not just one month, from receipt of the request; such an extension must be communicated to the controller within one month together with a statement of reasons. The supervisory authority may suspend these periods until it has received the necessary information pursuant to Art. 36 para. 3 GDPR. The EU rules are correspondingly more detailed than the Swiss ones and appear sensible, especially since they regulate the procedure and the obligations of the supervisory authorities with regard to the time limits in more detail.
37 If the supervisory authority has objections, it must send written recommendations to the controller and, where applicable, to the processors involved. This is very similar to the Swiss regulation, although in Switzerland the recipient of the opinion is generally the controller. The supervisory authority also has the explicit right to exercise its other powers under Art. 58 GDPR, which is not explicitly mentioned in the FADP.
38 While Art. 23 FADP contains no further provisions on what information controllers must provide to the FDPIC in the context of the consultation, Art. 36 para. 3 GDPR lists the information to be provided: information on the respective responsibilities of the controller, joint controllers and, where applicable, the processors engaged; the purposes and means of the intended processing; the measures and safeguards provided to protect the rights and freedoms of data subjects [as per the GDPR]; the contact details of the data protection officer, where applicable; the data protection impact assessment itself; and any other information requested by the supervisory authority.
39 Art. 36 para. 4 and 5 GDPR then regulate certain rights and obligations of the Member States as well as additional requirements that Member States may provide for in their national law.
40 Under the GDPR, a violation of the obligation to consult the supervisory authority is punishable, as is a violation of the obligation to conduct a DPIA. The GDPR provides for fines of up to €10 million or up to 2% of the total worldwide annual turnover of the preceding financial year for a breach of the duty to consult (Art. 83 para. 4 lit. a GDPR). This contrasts with the FADP, which does not provide for fines in these cases (see n. 33).
Bibliography
Blonski Dominika, Kommentierung zu Art. 23 DSG, in: Baeriswyl Bruno/Pärli Kurt/Blonski Dominika (Hrsg.), Stämpflis Handkommentar zum DSG, 2. Aufl., Zürich/Basel, 2023.
Kasper Gabriel, People Analytics in privatrechtlichen Arbeitsverhältnissen: Vorschläge zur wirksameren Durchsetzung des Datenschutzrechts, Zürich 2021.
Lobsiger Adrian, Hohes Risiko – kein Killerargument gegen Vorhaben der digitalen Transformation, SJZ 2023, S. 311–319.
Rosenthal David, Das neue Datenschutzgesetz, Jusletter 16. November 2020.
Kühling Jürgen/Buchner Benedikt, Datenschutz-Grundverordnung BDSG, Kommentar, 3. Aufl., München, 2020.
Materials
Botschaft vom 15. September 2017 zum Bundesgesetz über die Totalrevision des Bundesgesetzes über den Datenschutz und die Änderung weiterer Erlasse zum Datenschutz, BBl 2017, S. 6941 ff., abrufbar unter: https://fedlex.data.admin.ch/eli/fga/2017/2057, besucht am 5.6.2023.