draft FDPO

Text of the draft of the revised VDSG from 23 June 2021. The texts have been converted automatically – we thank you for pointing out errors.

Critical comments on the E-VDSG can be found here, the revised DPA here and the current VDSG here.

Chapter 1: General provisions

Section 1: Data security

Art. 1 Principles

1 Whether the technical or organizational measures to ensure data security are appropriate to the risk is assessed according to the following criteria:

a. the purpose, nature, scope and circumstances of data processing;
b. the probability of occurrence of a data breach and its potential impact on data subjects;
c. the state of the art;
d. implementation costs.

2 Measures shall be reviewed at appropriate intervals throughout the processing period.

Art. 2 Protection goals

To the extent appropriate, data security measures must achieve the following protection goals:

a. Access control: access by authorized persons is limited to the personal data they need to perform their tasks.
b. Physical access control: access to facilities and equipment where personal data is processed is denied to unauthorized persons.
c. Data carrier control: unauthorized persons are prevented from reading, copying, modifying, moving or removing data carriers.
d. Memory control: unauthorized entry into the data memory and unauthorized viewing, modification or deletion of stored personal data is prevented.
e. User control: the use of automated data processing systems by means of data transmission equipment by unauthorized persons is prevented.
f. Transport control: when personal data is disclosed and data carriers are transported, the data cannot be read, copied, modified or deleted without authorization.
g. Input control: in automated systems, it is possible to check which personal data was entered or changed at what time and by which person.
h. Disclosure control: it is possible to check to whom personal data has been disclosed using data transmission equipment.
i. Recovery: the availability of and access to personal data can be quickly restored in the event of a physical or technical incident.
j. It is guaranteed that all functions of the system are available (availability), malfunctions that occur are reported (reliability) and stored personal data cannot be damaged by malfunctions of the system (data integrity).
k. Detection: data security breaches can be quickly detected and mitigation or remediation actions initiated.

Art. 3 Logging

1 If the data protection impact assessment shows that, despite the measures provided for by the controller, there is still a high risk to the personality or fundamental rights of the data subjects in the automated processing of personal data, the private controller and its processor shall log at least the following operations: storage, modification, reading, disclosure, deletion or destruction.

2 Federal bodies and their processors shall log at least the following operations during the automated processing of personal data: storage, modification, reading, disclosure, deletion or destruction.

3 The logging provides information about the type of processing operation, the identity of the person who carried out the processing, the identity of the recipient and the time at which the processing took place.

4 The logs shall be kept for two years separately from the system in which the personal data are processed. They shall be accessible only to the bodies or persons responsible for monitoring data protection regulations or for restoring the confidentiality, integrity, availability and traceability of the data, and may be used only for this purpose.
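As an added illustration of Art. 3 (not part of the ordinance and not official implementation guidance): a log record carrying the four items paragraph 3 demands, a validator run over a separately stored log, and the two-year cut-off of paragraph 4. The field names, the JSON-lines format, the day count used for "two years" and the sample entries are assumptions constructed for this example.

```python
"""Added illustration of the Art. 3 logging duty: the operations to log,
the fields each record must carry, and the two-year retention window.
Field names, the JSON-lines format and the sample data are assumptions."""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

# Art. 3 para. 1 and 2: the processing operations that must be logged at least.
LOGGED_OPERATIONS = frozenset(
    {"storage", "modification", "reading", "disclosure", "deletion", "destruction"}
)

# Art. 3 para. 4: logs are kept for two years. Expressing "two years" as
# 2 * 365 days is an assumption made for the calculation below.
RETENTION = timedelta(days=2 * 365)


@dataclass(frozen=True)
class ProcessingLogEntry:
    """One record with the information Art. 3 para. 3 requires."""

    operation: str            # type of processing operation (canonical category)
    actor: str                # identity of the person who carried out the processing
    recipient: Optional[str]  # identity of the recipient (mandatory for disclosure)
    timestamp: datetime       # time at which the processing took place

    def to_json(self) -> str:
        record = asdict(self)
        record["timestamp"] = self.timestamp.isoformat()
        return json.dumps(record, sort_keys=True)


def parse_entry(line: str) -> ProcessingLogEntry:
    """Parse one JSON line of the separately stored log (assumed format)."""
    record = json.loads(line)
    return ProcessingLogEntry(
        operation=record.get("operation", ""),
        actor=record.get("actor", ""),
        recipient=record.get("recipient"),
        timestamp=datetime.fromisoformat(record["timestamp"]),
    )


def validate_entry(entry: ProcessingLogEntry) -> list[str]:
    """Return the Art. 3 para. 3 items a record fails to provide (empty = OK)."""
    problems: list[str] = []
    if entry.operation not in LOGGED_OPERATIONS:
        problems.append(f"operation {entry.operation!r} is not a logged category")
    if not entry.actor:
        problems.append("identity of the acting person is missing")
    if entry.operation == "disclosure" and not entry.recipient:
        problems.append("disclosure recorded without recipient identity")
    if entry.timestamp.tzinfo is None:
        problems.append("timestamp has no time zone, so the time of processing is ambiguous")
    return problems


def audit_log(lines: Iterable[str]) -> dict[int, list[str]]:
    """Check every line of a log; map line index -> list of problems found."""
    findings: dict[int, list[str]] = {}
    for index, line in enumerate(lines):
        problems = validate_entry(parse_entry(line))
        if problems:
            findings[index] = problems
    return findings


def retention_cutoff(now: datetime) -> datetime:
    """Records with a timestamp before this instant have reached the two-year limit."""
    return now - RETENTION


def _utc(*parts: int) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed sample log lines, not taken from any real system.
SAMPLE_LOG = [
    ProcessingLogEntry("reading", "u.meier", None, _utc(2021, 7, 1, 9, 0)).to_json(),
    ProcessingLogEntry("disclosure", "u.meier", "cantonal-office", _utc(2021, 7, 1, 9, 5)).to_json(),
    ProcessingLogEntry("disclosure", "batch-job", None, _utc(2021, 7, 1, 9, 10)).to_json(),
    ProcessingLogEntry("export", "", None, _utc(2021, 7, 1, 10, 0)).to_json(),
]

if __name__ == "__main__":
    for index, problems in audit_log(SAMPLE_LOG).items():
        print(f"line {index}: {'; '.join(problems)}")
```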

Art. 4 Processing regulations of private persons

1 The controller and its processor must draw up regulations for automated processing if they:

a. extensively process personal data requiring special protection; or
b. perform high-risk profiling.

2 The regulations must contain at least information:

a. on the purpose of processing;
b. on the categories of data subjects and the categories of personal data processed;
c. on the retention period of the personal data or the criteria for determining this period;
d. on the internal organization;
e. on the origin of the personal data and how it was obtained;
f. on the technical and organizational measures to ensure data security;
g. on access authorizations and on the type and scope of access;
h. on the measures taken to minimize data;
i. on the data processing procedures, in particular the procedures for storage, correction, disclosure, retention, archiving, pseudonymization, anonymization and deletion or destruction;
j. on the procedure for exercising the right of access and the right to issue or transfer data.

3 The private person must regularly update the regulations and make them available to the data protection advisor in a form that the advisor can understand.

Art. 5 Processing regulations of federal bodies

1 The responsible federal body and its processor shall draw up processing regulations for automated processing operations if they:

a. process personal data requiring special protection;
b. perform profiling;
c. carry out data processing operations within the meaning of Article 34(2)(c) FADP;
d. make personal data accessible to cantons, foreign authorities, international organizations or private persons;
e. link data sets with each other; or
f. operate an information system or manage data resources together with other federal bodies.

2 The regulations must contain at least the information specified in Article 4(2).

3 The responsible federal body must regularly update the regulations and make them available to the data protection advisor in a form that the latter can understand, as well as to the Federal Data Protection and Information Commissioner (FDPIC) upon request.

Section 2: Processing by processors

Art. 6 Modalities

1 The controller who transfers the processing of personal data to a processor remains responsible for data protection. It must ensure that the data is processed in accordance with the contract or the law.

2 If the processor is not subject to the FADP, the controller must ensure that other legal provisions guarantee equivalent data protection. Otherwise, it must ensure this by contractual means.

3 If the controller is a federal body, the processor may transfer the data processing to a third party if the federal body has approved this in writing.

Art. 7 Information to the data protection advisor of the federal body

The federal body shall inform the data protection advisor without delay of the conclusion of a contract with a processor or of the authorization to transfer data processing to a third party. Furthermore, it shall inform the data protection advisor if problems arise in complying with the statutory or contractual data protection provisions.

Section 3: Disclosure of personal data abroad

Art. 8 Assessment of the adequacy of data protection of a foreign state or an international body

1 If personal data are disclosed abroad, the following criteria in particular must be taken into account when assessing whether a state, a territory, one or more specific sectors in a state, or an international body ensures adequate data protection:

a. the international obligations of the state or international body in the field of data protection;
b. respect for human rights;
c. the applicable legislation on data protection and its implementation and the relevant case law;
d. the effective guarantee of the rights of data subjects and legal protection;
e. the effective functioning of one or more independent authorities in charge of data protection in the state concerned or to which an international body is subordinate and which have sufficient powers and competences.

2 The assessment may take into account the assessments of international bodies or foreign authorities responsible for data protection.

3 The adequacy of data protection of the state, territory, specific sectors in a state or international body is reassessed periodically.

4 If it emerges from an assessment under paragraph 3 or from available information that a state, a territory, one or more specific sectors in a state or an international body no longer ensures adequate data protection, the decision shall be amended, suspended or revoked in accordance with Article 16 paragraph 1 FADP. This new decision has no effect on data disclosures that have already been made.

5 The states, territories, specific sectors in a state, and international bodies with adequate data protection are listed in Annex 1.

6 The FDPIC is consulted prior to any decision on the adequacy of data protection.

Art. 9 Data protection clauses and specific safeguards

1 The data protection clauses in a contract under Article 16(2)(b) FADP and the specific safeguards under Article 16(2)(c) FADP must regulate at least the following points:

a. the application of the principles of legality, good faith, proportionality, purpose limitation and accuracy;
b. the categories of personal data disclosed and the persons concerned;
c. the nature and purpose of the disclosure of personal data;
d. the names of the states to which personal data are disclosed;
e. the names of the international bodies to which personal data are disclosed;
f. the requirements for the retention, deletion and destruction of personal data;
g. the recipients authorized to process the data;
h. the measures taken to ensure data security;
i. the requirements for disclosure of personal data to another foreign state or to another international body;
j. the obligation of the recipient to inform the data subjects about the processing;
k. the rights of the data subject, namely:

1. the right to information,
2. the right to object,
3. the right to rectification, deletion or destruction of their data,
4. the right to seek redress from an independent authority.

2 The controller must take reasonable measures to ensure that the recipient complies with the data protection clauses in a contract or the specific safeguards.

3 If the FDPIC has been informed about the data protection clauses in a contract or the specific safeguards, the information obligation is deemed to be fulfilled for all further disclosures that:

a. take place under the same data protection clauses or safeguards, provided that the categories of recipients, the purpose of the processing and the categories of data remain substantially unchanged; or
b. take place within the same legal entity or company or between companies belonging to the same group, provided that the data protection clauses or safeguards continue to ensure appropriate data protection.

Art. 10 Standard data protection clauses

1 If the controller discloses personal data abroad using standard data protection clauses pursuant to Article 16 paragraph 2 letter d FADP, it shall take appropriate measures to ensure that the recipient complies with them.

2 The FDPIC publishes a list of standard data protection clauses that it has approved, issued or recognized.

Art. 11 Binding corporate data protection regulations

1 Binding corporate data protection regulations pursuant to Article 16 paragraph 2 letter e FADP apply to all companies belonging to the same group.

2 They shall include at least the items referred to in Article 9(1) and the following information:

a. the organization and contact details of the group and its companies;
b. the measures taken within the group to ensure compliance with the binding internal corporate data protection regulations.

Art. 12 Codes of conduct and certifications

1 Personal data may be disclosed abroad if appropriate data protection is guaranteed by a code of conduct or certification.

2 The code of conduct shall contain at least the information referred to in Article 9(1) and must be approved in advance by the FDPIC.

3 The code of conduct or certification must be accompanied by a binding and enforceable obligation on the part of the controller or processor in the third country to apply the measures contained therein.

Chapter 2: Obligations of the controller and the processor

Art. 13 Modalities of the information obligations

1 The controller and the processor shall communicate the information on the obtaining of personal data in a precise, comprehensible and easily accessible form.

2 If they communicate the information in combination with pictograms that are displayed electronically, the pictograms must be machine-readable.

Art. 14 Duty of federal bodies to provide information in the case of systematic acquisition of personal data

If the data subject is not obliged to provide information, the responsible federal body shall inform him or her of the voluntary nature of the provision of information in the event of a systematic acquisition of personal data, in particular by means of a questionnaire.

Art. 15 Information on the disclosure of personal data

The controller and the processor shall inform the recipient about the currency, reliability and completeness of the personal data disclosed by them, insofar as this information is not apparent from the data itself or from the circumstances.

Art. 16 Information on the correction, deletion or destruction as well as the restriction of the processing of personal data

The controller shall inform the recipients to whom it has disclosed personal data without undue delay about the correction, deletion or destruction as well as the restriction of the processing of personal data, unless the notification is impossible or involves a disproportionate effort.

Art. 17 Review of an automated individual decision

If a person affected by an automated individual decision requests to state his or her position or to have the decision reviewed by a natural person, he or she may not be disadvantaged as a result.

Art. 18 Form and retention of the data protection impact assessment

The controller must record the data protection impact assessment in writing. It must be retained for two years after the end of data processing.

Art. 19 Notification of data security breaches

1 In the event of a data security breach, the controller shall notify the FDPIC of:

a. the nature of the breach;
b. as far as possible, the time and duration;
c. as far as possible, the categories and approximate number of personal data concerned;
d. as far as possible, the categories and approximate number of data subjects concerned;
e. the consequences, including any risks, for the persons concerned;
f. what measures have been taken or are planned to remedy the deficiency or mitigate the consequences;
g. the name and contact details of a contact person.

2 If, upon discovery of the data security breach, it is not possible for the controller to provide the FDPIC with all of the information under paragraph 1 at the same time, the controller may provide such information in stages without unreasonable further delay.

3 The controller shall communicate to the data subjects, in simple and understandable language, at least the information referred to in paragraph 1(a), (e), (f) and (g).

4 If the controller is a federal body, the notification to the FDPIC is made via the data protection advisor.

5 The controller must document the breaches. The documentation must contain all facts related to the incidents, their effects and the measures taken. It must be kept for at least three years from the date of notification in accordance with paragraph 1.

Chapter 3: Rights of the data subject

Section 1: Right to information

Art. 20 Modalities

1 The request for information shall be made in writing. If the controller agrees, the request may also be made orally.

2 As a rule, the information shall be provided in writing. In agreement with the controller or at the controller's suggestion, the data subject may also inspect his or her data on site. The information may also be provided orally if the data subject has consented.

3 The information must be comprehensible to the data subject.

4 When providing information, the controller must take appropriate measures to ensure the identification of the data subject and to protect the personal data of the data subject from access by unauthorized third parties. The data subject must cooperate in his or her identification.

5 The controller must document the reasons for refusing, restricting or postponing the information. The documentation shall be kept for at least three years.

Art. 21 Competence

1 If several controllers are responsible for the processing of personal data, the data subject may assert his or her right to information against any of them.

2 If a controller is not responsible for handling the request, it shall forward the request to the controller responsible.

3 If the request relates to data processed by a processor, the controller shall forward the request to the processor if the controller is not in a position to provide the information itself.

Art. 22 Time limit

1 The information shall be provided within 30 days of receipt of the request. If the controller refuses, restricts or postpones the information, it must give notice of this within the same period.

2 If the information cannot be provided within 30 days, the controller must notify the data subject and inform him or her of the period within which the information will be provided.

Art. 23 Exceptions to free provision of information

1 A reasonable contribution to the costs may be demanded if the provision of information involves a disproportionate effort.

2 The contribution amounts to a maximum of 300 francs.

3 The data subject must be informed of the amount of the contribution before the information is provided and may withdraw his or her request within ten days.

Section 2: Right to issue or transfer data

Art. 24

Articles 20(1), (4) and (5), as well as 21, 22 and 23 shall apply mutatis mutandis to the right to issue and transfer data, as well as to their limitations.

Chapter 4: Special provisions on data processing by private persons

Art. 25 Data protection advisor

1 The data protection advisor of a private controller must perform the following tasks:

a. He or she reviews the processing of personal data and its requirements and recommends corrective measures if he or she finds that data protection regulations have been violated.
b. He or she participates in the preparation of the data protection impact assessment and reviews it, in any case if the private controller wishes to refrain from consulting the FDPIC within the meaning of Art. 23(4) FADP.

2 The private controller must provide the data protection advisor with:

a. the necessary resources;
b. access to all information, documents, records of processing activities and personal data that he or she needs to perform his or her duties.

Art. 26 Exemption from the obligation to keep a register of processing activities

Companies and other organizations under private law that employ fewer than 250 employees at the beginning of a year, as well as natural persons, are exempt from the obligation to keep a register of processing activities, unless one of the following conditions is met:

a. personal data requiring special protection is processed extensively;
b. high-risk profiling is performed.

Chapter 5: Special provisions on data processing by federal bodies

Section 1: Data protection advisor

Art. 27 Appointment

Each federal body shall appoint a data protection advisor. Several federal bodies may jointly appoint a data protection advisor.

Art. 28 Requirements and tasks

1 The data protection advisor must meet the following requirements:

a. He or she has the necessary expertise.
b. He or she exercises his or her function vis-à-vis the federal body in a professionally independent manner and without being bound by instructions.

2 He or she must perform the following duties:

a. He or she reviews the processing of personal data and its requirements and recommends corrective measures if he or she finds that data protection regulations have been violated.
b. He or she participates in the preparation of the data protection impact assessment and reviews it.
c. He or she reports data security breaches to the FDPIC.
d. He or she serves as a point of contact for data subjects.
f. He or she trains and advises the federal body and its employees on data protection issues.

Art. 29 Duties of the federal body

1 The federal body shall grant the data protection advisor access to all information, documents, records of processing activities and personal data that he or she requires to perform his or her duties.

2 It publishes the contact details of the data protection advisor on the Internet and communicates them to the FDPIC.

Art. 30 Contact point for the FDPIC

The data protection advisor serves as a point of contact for the FDPIC for questions relating to the processing of personal data by the federal body concerned.

Section 2: Projects of federal bodies for the automated processing of personal data

Art. 31 Information to the data protection advisor

The responsible federal body shall inform the data protection advisor in good time when planning a project for the automated processing of personal data and in the event of adjustments after completion of the project, so that data protection requirements are taken into account immediately.

Art. 32 Notification to the FDPIC

1 The responsible federal body notifies the FDPIC of the planned automated processing activities at the time of the project release or the decision to develop the project. The FDPIC includes this notification in the register of processing activities.

2 The notification must contain the information pursuant to Article 12 paragraph 2 letters a-d FADP and the expected date of commencement of the processing activities.

3 The responsible federal body updates the notification upon transition to productive operation or project termination.

Section 3: Pilot testing

Art. 33 Indispensability of the test phase

A test phase as a pilot test is indispensable if one of the following conditions is met:

a. The fulfillment of a task requires technical innovations, the effects of which must first be evaluated.
b. The fulfillment of a task requires significant organizational or technical measures, the effectiveness of which must first be tested, especially in the case of cooperation between federal and cantonal bodies.
c. The fulfillment of the tasks requires that the personal data be made accessible by means of a retrieval procedure.

Art. 34 Authorization

1 Before consulting the administrative units concerned, the federal body responsible for the pilot test shall explain to the FDPIC how compliance with the requirements under Article 35 FADP is to be ensured and invite the FDPIC to comment.

2 The FDPIC issues an opinion on whether the authorization requirements under Article 35 FADP have been met. The competent federal body shall provide it with all the documents necessary for this purpose, in particular:

a. a general description of the pilot test;
b. a report proving that the fulfillment of the tasks provided for by law requires processing within the meaning of Article 34 paragraph 2 FADP and that a test phase prior to the entry into force of the law is indispensable in the formal sense (Article 35 paragraph 1 letter c FADP);
c. a description of the internal organization and of the data processing and control procedures;
d. a description of the security and data protection measures;
e. the draft of an ordinance regulating the details of processing, or the concept of an ordinance;
f. the information concerning the planning of the different phases of the pilot test.

3 The FDPIC may request further documents and carry out additional clarifications.

4 The competent federal body shall inform the FDPIC of any important change affecting compliance with the requirements of Article 35 FADP. The FDPIC shall comment again if necessary.

5 The opinion of the FDPIC must be attached to the application to the Federal Council.

6 The modalities of automated data processing are regulated in an ordinance.

Art. 35 Evaluation report

The competent federal body shall submit the draft evaluation report intended for the Federal Council to the FDPIC for comment. The opinion of the FDPIC shall be brought to the attention of the Federal Council.

Section 4: Data processing for non-personal purposes

Art. 36

If personal data are processed for non-personal purposes, in particular research, planning and statistics, and at the same time for another purpose, the exceptions under Article 39 paragraph 2 FADP shall apply only to the processing for the non-personal purposes.

Chapter 6: Federal Data Protection and Information Commissioner

Art. 37 Headquarters and permanent secretariat

1 The seat of the FDPIC is in Bern.

2 The employment relationships of the employees of the permanent secretariat of the FDPIC are governed by federal personnel legislation. The employees of the permanent secretariat of the FDPIC are insured against the economic consequences of old age, disability and death with the Federal Pension Fund PUBLICA.

Art. 38 Communication channel

1 The FDPIC communicates with the Federal Council via the Federal Chancellor. The latter forwards the proposals, opinions and reports unchanged to the Federal Council.

2 It submits reports for the attention of the Federal Assembly via the Parliamentary Services.

Art. 39 Notification of guidelines and decisions

1 The departments and the Federal Chancellery notify the FDPIC of their guidelines in the area of data protection as well as of their decisions in anonymized form.

2 The federal bodies submit to the FDPIC all draft legislation concerning the processing of personal data, data protection and access to official documents.

Art. 40 Processing of personal data

The FDPIC processes personal data, including personal data requiring special protection, in particular for the following purposes:

a. to carry out its supervisory activities;
b. to investigate breaches of data protection regulations;
c. for the training and advising of federal bodies and private persons;
d. to cooperate with federal, cantonal and foreign authorities;
e. to conduct conciliation proceedings and evaluations in accordance with the Federal Act of December 17, 2004 on the Principle of Publicity of the Administration (BGÖ);
f. to respond to citizen inquiries.

Art. 41 Self-regulation

1 The FDPIC shall draw up processing regulations for all automated processing operations. Article 5(1) does not apply.

2 It provides for internal processes to ensure that processing is carried out in accordance with the processing regulations. It checks annually whether the processing regulations are being complied with.

Art. 42 Cooperation with the National Cyber Security Centre (NCSC)

1 The FDPIC may forward the information from a data security breach notification to the NCSC for analysis of the incident. The FDPIC must first obtain the consent of the controller that made the notification.

2 It shall invite the NCSC to submit its comments before ordering a measure pursuant to Article 51 paragraph 3 letter b FADP with regard to data security vis-à-vis a federal body.

Art. 43 Register of processing activities of federal bodies

1 The register of processing activities of federal bodies contains the information provided by federal bodies and their processors in accordance with Article 12 paragraphs 2 and 3 FADP and Article 32 paragraph 2 of this Ordinance.

2 It shall be published on the Internet. The register entries on planned automated processing activities pursuant to Article 32 shall not be published.

Art. 44 Codes of conduct

If a code of conduct is submitted to the FDPIC, the FDPIC shall state in its opinion whether the code of conduct meets the requirements of Article 22(5)(a) and (b) FADP.

Art. 45 Fees

1 The fees charged by the FDPIC are based on the time spent.

2 An hourly rate of 150 to 350 francs applies. The rate depends on the complexity of the matter and the function of the person responsible for handling it.

3 In all other respects, the General Fees Ordinance of September 8, 2004 applies.

Chapter 7: Final provisions

Art. 46 Repeal and amendment of other enactments

The repeal and amendment of other enactments are regulated in Annex 2.

Art. 47 Transitional provision concerning the notification of planned automated processing activities to the FDPIC

Article 32 does not apply to planned automated processing activities for which the project approval or project development decision has already been made at the time of entry into force.

Art. 48 Entry into force

This Ordinance shall enter into force on …

Annex 1 (Article 8(5)) States, territories, specific sectors in a state, and international bodies with adequate data protection
[…]

Annex 2 (Article 46) Repeal and amendment of other enactments
[…]
