DSV in English
1 In order to ensure adequate data security, the controller and the processor must determine the need for protection of personal data and specify the technical and organisational measures that are appropriate in view of the risk.
2 The need for protection of personal data is assessed according to the following criteria:
3 The risk to the personality or fundamental rights of the data subject is assessed according to the following criteria:
4 The following criteria shall also be taken into account when determining the technical and organizational measures:
5 The need for protection of personal data, the risk and the technical and organizational measures shall be reviewed over the entire processing period. The measures shall be adapted if necessary.
The controller and the processor must take technical and organisational measures to ensure that in accordance with its need for protection the data is processed:
1 In order to ensure confidentiality, the controller and the processor must take appropriate measures to guarantee that:
2 In order to ensure availability and integrity, the controller and the processor must take appropriate measures to guarantee that:
3 In order to ensure traceability, the controller and the processor must take appropriate measures to guarantee that:
1 If sensitive personal data is processed automatically on a broad scale or if high-risk profiling is carried out and the preventive measures cannot guarantee data protection, the private controller and its private processor must at least record the storage, alteration, reading, disclosure, deletion and destruction of the data. The records must be kept in particular if it is otherwise not possible to establish retroactively whether the data was processed for the purposes for which it was collected or disclosed.
2 During the automated processing of personal data, the federal body responsible and its processor shall
at least record the storage, alteration, reading, disclosure, deletion or destruction of the data.
3 In the case of personal data that is generally accessible to the public, the storage, alteration, deletion and destruction of the data must at least be recorded.
4 The records must provide information on the identity of the person who carried out the processing, the nature, date and time of the processing and, if applicable, the identity of the recipient of the data.
5 The records must be kept for at least one year separately from the system in which the personal data is being processed. They must be accessible only to the bodies and persons responsible for monitoring the application of data protection regulations or for maintaining or restoring the confidentiality, integrity, availability and traceability of the data, and may only be used for this purpose.
1 The private controller and its private processor must draw up a processing policy for automated processing if they:
2 The processing policy must in particular contain information on the internal organization, the data processing and control procedure and the measures taken to ensure data security.
3 The private controller and its private processor must update the processing policy regularly. If a data protection advisor has been appointed, the processing policy must be made available to such advisor.
1 The federal body responsible and its processor shall draw up a processing policy for automated processing if they:
2 The processing policy must in particular contain information on the internal organization, the data processing and control procedure and the measures taken to ensure data security.
3 The federal body responsible and its processor must update the processing policy regularly and make it available to the data protection advisor.
1 The prior authorization of the controller allowing the processor to transfer the data processing to a third party may be of a specific or general nature.
2 In the case of a general authorization, the processor shall inform the controller of any intended changes with regard to the involvement or replacement of other third parties. The controller may object to such changes.
1 The States, territories, specific sectors in a State and international bodies with an adequate level of data protection are listed in Annex 1.
2 The assessment of whether a State, territory, specific sector within a State or international body ensures an adequate level of data protection must in particular be based on the following criteria:
data protection;
relevant case law;
3 The Federal Data Protection and Information Commissioner (FDPIC) shall be consulted on each assessment. The assessments of international bodies or foreign authorities responsible for data protection may be taken into account.
4 The adequacy of the level of data protection shall be reassessed periodically.
5 The assessments shall be published.
6 If an assessment under paragraph 4 or other information indicates that an adequate level of data
protection is no longer ensured, Annex 1 shall be amended. This amendment has no effect on data
disclosures made prior thereto.
1 The data protection provisions of a contract in accordance with Article 16(2)(b) FADP and the specific safeguards in accordance with Article 16(2)(c) FADP must at least contain the following aspects:
j. the rights of the data subjects, in particular:
2 The controller and, in the case of data protection provisions of a contract, the processor must take appropriate measures to ensure that the recipient complies with these provisions or the specific safeguards.
3 If the FDPIC has been informed of the data protection provisions of a contract or the specific safeguards, the duty of information shall be deemed to be fulfilled for all further disclosures that:
1 If the controller or the processor discloses personal data abroad by means of standard data protection clauses in accordance with Article 16(2)(d) FADP, the controller or the processor shall take appropriate measures to ensure that the recipient complies therewith.
2 The FDPIC has published a list of standard data protection clauses that he has approved, established or recognized. He shall communicate the result of his examination of the standard data protection clauses submitted to him within 90 days.
1 Binding corporate rules on data protection in accordance with Article 16(2)(e) FADP apply to all companies belonging to the same group.
2 They shall at least contain the aspects mentioned in Article 9(1) as well as the following information:
3 The FDPIC shall communicate the result of its examination of the binding corporate rules on data protection submitted to him within 90 days.
1 Personal data may be disclosed abroad if an adequate level of data protection is ensured by a code of conduct or certification.
2 The code of conduct must be submitted to the FDPIC for prior approval.
3 The code of conduct or certification must be linked to a binding and enforceable obligation on the part of the controller or the processor in the third country to apply the measures contained therein.
The controller must communicate to the data subject the information on the collection of personal data in a precise, transparent, comprehensible and easily accessible form.
The controller must retain the data protection impact assessment for at least two years after termination of the data processing activity.
1 The notification of a data security breach to the FDPIC must contain the following information:
including any risks;
2 If the controller is unable to provide all the information at the same time, it shall provide the missing information as soon as possible.
3 If the controller is obliged to inform the data subjects, the controller shall inform the data subjects in simple and comprehensible language of at least the information referred to in paragraph 1 letters a and e‑g.
4 The controller must document data security breaches. The documentation must contain all facts relating to the incidents, their effects and the measures taken. The documentation must be retained for at least two years from the date of notification according to paragraph 1.
1 Anyone who requests information from the controller as to whether personal data about him or her is being processed must do so in writing. If the controller agrees, the request may also be made verbally.
2 The information shall be provided in writing or in the form in which the data is available. With the agreement of the controller, the data subject may also inspect his or her data in situ. The information may be provided verbally if the data subject agrees.
3 The information request and the provision of information may be made electronically.
4 The information must be provided to the data subject in a comprehensible form.
5 The controller must take reasonable measures to identify the data subject. Data subjects are obliged to cooperate.
1 If several controllers jointly process personal data, the data subject may assert his or her access right against each controller.
2 If the information request relates to data that is being processed by a processor, the processor shall assist the controller in providing the information, unless the processor is responding to the request on behalf of the controller.
1 The information must be provided within 30 days of receipt of the information request.
2 If the information cannot be provided within 30 days, the controller must notify the data subject thereof and of the period within which the information will be provided.
3 If the controller refuses, restricts or defers the provision of the information, it must notify the data subject thereof within the same period.
1 The controller may request from the data subject the payment of an appropriate share of the costs if the provision of information involves a disproportionate effort.
2 The share of the costs amounts to a maximum of 300 Swiss Francs.
3 The controller must inform the data subject of the amount of the share before the information is provided. If the data subject does not confirm the information request within ten days, it shall be deemed to have been withdrawn without incurring any costs. The time limit in accordance with Article 18(1) shall begin to run after the expiry of the ten-day reflection period.
1 Personal data which the data subject has disclosed to the controller is deemed to be:
2 Personal data generated by the controller through its own evaluation of the personal data provided or
observed shall not be deemed to be personal data which the data subject has disclosed to the controller.
1 Common electronic formats are those that allow the personal data to be transferred with a
reasonable effort and to be further used by the data subject or another controller.
2 The right of data portability does not create an obligation for the controller to adopt or maintain technically compatible data processing systems.
3 A disproportionate effort for the transfer of personal data to another controller exists if the transfer is technically not possible.
Articles 16(1) and (5), and 17 – 19 apply mutatis mutandis to the right of data portability.
The controller must provide the data protection advisor with:
Companies and other organizations under private law which employ fewer than 250 members of staff on 1 January of a year, as well as natural persons, are exempt from the duty to keep an inventory of processing activities, unless one of the following conditions is met:
Each federal body appoints a data protection advisor. Several federal bodies may jointly appoint a data protection advisor.
1 The data protection advisor must meet the following requirements:
2 The data protection advisor must perform the following duties:
a. The data protection advisor assists in the application of the data protection regulations, in particular by:
1 The federal body has the following duties towards the data protection advisor:
2 The federal body publishes the contact details of the data protection advisor on the internet and communicates them to the FDPIC.
The data protection advisor serves as a contact point for the FDPIC for questions relating to the processing of personal data by the federal body concerned.
The federal body responsible shall notify the recipient of the up-to-dateness, reliability and completeness of the personal data that it discloses, provided this information is not evident from the data itself or from the circumstances.
Where a federal body collects personal data systematically, the federal body responsible must inform accordingly the data subjects who are not obliged to provide information.
1 The federal body responsible shall notify the FDPIC of the planned automated processing activities at
the time of the decision on the development of the project or the project approval.
2 The notification must include the information specified in Article 12(2)(a‑d) FADP and the expected
date of commencement of the processing activities.
3 The FDPIC shall include this notification in its register on processing activities.
4 The federal body responsible shall update the notification at the time of the transition into productive use.
operation or when the project is discontinued.
A pilot project is indispensable if one of the following conditions is met:
1 Before consulting the interested administrative units, the federal body responsible for the pilot project shall communicate as to how it is intended to meet compliance with the requirements of Article 35 FADP, and invite the FDPIC to comment thereon.
2 The FDPIC shall comment on the issue of whether the authorization requirements in terms of Article 35 FADP are fulfilled. The federal body shall provide him with all the documents required, and in particular with:
in accordance with Article 34(2) FADP and that a test phase before a formal law enters into force is indispensable;
4 The federal body shall inform the FDPIC of any important modification relating to compliance with the requirements of Article 35 FADP. If required, the FDPIC shall again state its views thereon.
5 The opinion of the FDPIC must be included in the application to the Federal Council.
6 Automated data processing is regulated in an ordinance.
1 The competent federal body shall submit the draft of the evaluation report for the Federal Council to the FDPIC for comment.
2 The competent federal body shall submit the evaluation report with the opinion of the FDPIC to the Federal Council.
If personal data is processed for purposes not related to specific persons, in particular research, planning and statistics, and at the same time for another purpose, the exceptions under Article 39(2) FADP are only applicable to processing for the purposes not related to specific persons.
1 The FDPIC’s headquarters are located in Bern.
2 The employment of the members of the FDPIC’s permanent secretariat is governed by the Federal Personnel Act. The employees are insured with the Federal Pension Fund within the framework of the Federal Pension Plan.
1 The FDPIC communicates with the Federal Council via the Federal Chancellor. The Federal Chancellor shall pass on any proposals, opinions and reports from the FDPIC unchanged to the Federal Council.
2 The FDPIC submits reports to the Federal Assembly via the Parliamentary Services.
1 The departments and the Federal Chancellery notify the FDPIC of their data protection decisions as well as their data protection guidelines in anonymised form.
2 The federal bodies shall submit to the FDPIC all draft legislation that relates to the processing of personal data, data protection or access to official documents.
The FDPIC may process personal data, including sensitive personal data, in particular for the following purposes:
The FDPIC draws up a processing policy for all automated processing activities. Article 6(1) shall not apply.
1 The FDPIC may pass on the notification of a data security breach to the National Cyber Security Centre (NCSC) for analysis of the incident with the consent of the controller that is subject to the notification duty. The notification may contain personal data.
2 The FDPIC shall invite the NCSC to submit its comments before ordering the federal body to take the measures in accordance with Article 8 FADP.
1 The register on the processing activities of federal bodies contains the information provided by the federal bodies according to Article 12(2) FADP and Article 31(2) of this Ordinance.
2 The register is published on the internet. The register entries on planned automated processing activities in accordance with Article 31 shall not be published.
If a code of conduct is submitted to the FDPIC, he shall state in his opinion whether the code of conduct meets the requirements of Article 22(5)(a) and (b) FADP.
1 The fees charged by the FDPIC are based on the time spent.
2 An hourly rate of 150 to 250 Swiss Francs applies, depending on the function of the staff performing the task.
3 In the case of services of exceptional scope, particular difficulty or urgency, surcharges of up to 50 percent of the fees pursuant to paragraph 2 may be levied.
4 If the service provided by the FDPIC can be further used for commercial purposes by the person who is
obliged to pay the fees, surcharges of up to 100 percent of the fees pursuant to paragraph 2 may be levied.
5 In all other respects, the General Fees Ordinance of 8 September 2004 applies.
The repeal and the amendments of other legislation are set forth in Annex 2.
1 For data processing activities that do not fall within the scope of Directive (EU) 2016/680, Article 4(2) shall apply at the latest three years after the entry into force of this Ordinance or at the latest at the end of the life cycle of the system. In the meantime, such processing activities shall be subject to Article 4(1).
2 Article 8(5) shall not apply to assessments carried out before the entry into force of this Ordinance.
3 Article 31 shall not apply to planned automated processing activities for which, at the time of entry into force of this Ordinance, the project has already been approved or the decision on the development of the project has already been made.
This Ordinance comes into force on 1 September 2023.
(Article 8(1))
States, territories, specific sectors in a State and
international bodies with an adequate level of data protection
An adequate level of data protection is ensured when the Canadian federal law “Loi sur la protection des renseignements personnels et les documents électroniques” of 13 April 2005 (Personal Information Protection and Electronic Documents Act) in the private sphere or a Canadian provincial law applies that is broadly equivalent to the federal law. The federal law applies to personal data that is collected, processed or disclosed in the context of commercial activities, irrespective of whether this is done by organisations such as associations, partnerships, individuals and trade unions or federally regulated entities such as facilities, plants, undertakings or business activities that fall within the legislative jurisdiction of the Canadian Parliament. The provinces of Québec, British Columbia and Alberta have enacted legislation that is broadly equivalent to the federal law. The provinces of Ontario, New Brunswick, Newfoundland and Labrador and Nova Scotia have enacted legislation that is broadly equivalent to the federal law with respect to health data. In all Canadian provinces the federal law applies to all personal data collected, processed or disclosed by federally regulated entities, including employee data of those entities. The federal law also applies to personal data transferred to another province or country in the course of commercial activities.
The data protection adequacy assessment includes the disclosure of personal data in accordance with Directive (EU) 2016/680.
The data protection adequacy assessment includes the disclosure of personal data in accordance with an implementing decision of the European Commission determining data protection adequacy under Directive (EU) 2016/680.
The data protection adequacy assessment does not include the disclosure of personal data in the context of the cooperation provided for by Directive (EU) 2016/680.