The Federal Council has decided to restrict the logging obligation for federal bodies in accordance with Art. 4 DPO to December 1, 2025:
- Media release
- Amendment
- Explanations
This obligation currently applies to all automated processing (para. 2). However, according to the Federal Council’s press release, it has been shown in practice that the risks of processing do not outweigh the costs of logging. The Federal Council has therefore decided to follow the risk-based approach of data protection law for the logging obligation for federal bodies as well. Following the amendment to the DPA, the following regulation should apply (limited to automated processing in each case). :
- personal data requiring special protection; Profiling; Processing within the scope of the Schengen DirectiveLogging
- Other personal dataPerform a risk assessment, in writing (and preferably as part of the security procedure in accordance with Art. 16 ff. ISG). Upon request, the FDPIC must be informed of the “result and content” of the audit. The result of the audit then determines both the subject matter and the scope of the logging
Therefore, the Transitional provision on logging in Art. 46 DPA:
- For all automated processing of normal personal data that was planned or started before December 1, 2025, the risk assessment must be completed by End of 2026 to be carried out.
- If logging is required, this must be completed by December 31, 2029 be implemented.
- At No transitional provision applies to processing with special risks.
In addition, the Federal Council clarifies through two further amendments that the “Read” when logging the “Accessing the data” means. Other amendments concern cosmetics and the ordinance on military and other information systems in the DDPS.
A Deltaview of the changes in the DSV is available here.