draft FDPO

Text of the draft of the revised VDSG (E-VDSG) of 23 June 2021. The texts have been converted automatically; we are grateful for any indication of errors. Critical comments on the E-VDSG can be found here, the revised DPA here and the current VDSG here.

Chapter 1: General provisions

Section 1: Data security

Art. 1 Principles

1 Whether the technical or organizational measures to ensure data security are appropriate to the risk shall be assessed according to the following criteria:
a. the purpose, nature, scope and circumstances of the data processing;
b. the probability of occurrence of a data security breach and its potential impact on the data subjects;
c. the state of the art;
d. the implementation costs.
2 The measures must be reviewed at appropriate intervals throughout the processing period.

Art. 2 Protection goals

To the extent appropriate, data security measures must achieve the following protection goals:
a. Access control (to data): access by authorized persons is limited to the personal data they need to perform their tasks.
b. Access control (to premises): unauthorized persons are denied access to the facilities and equipment where personal data is processed.
c. Data carrier control: unauthorized persons are prevented from reading, copying, modifying, moving or removing data carriers.
d. Storage control: unauthorized input into the data store and unauthorized viewing, modification or deletion of stored personal data are prevented.
e. User control: the use of automated data processing systems by unauthorized persons by means of data transmission equipment is prevented.
f. Transport control: when personal data is disclosed and when data carriers are transported, the data cannot be read, copied, modified or deleted without authorization.
g. Input control: in automated systems it is possible to check which personal data was entered or changed, at what time and by which person.
h. Disclosure control: it is possible to check to whom personal data has been disclosed by means of data transmission equipment.
i. Recovery: the availability of and access to personal data can be restored quickly in the event of a physical or technical incident.
j. It is guaranteed that all functions of the system are available (availability), that malfunctions which occur are reported (reliability) and that stored personal data cannot be damaged by malfunctions of the system (data integrity).
k. Detection: data security breaches can be detected quickly and mitigation or remediation measures initiated.

Art. 3 Logging

1 If the data protection impact assessment shows that, despite the measures provided for by the controller, the automated processing of personal data still presents a high risk to the personality or fundamental rights of the data subjects, the private controller and its processor shall log at least the following operations: storage, modification, reading, disclosure, deletion or destruction.
2 Federal bodies and their processors shall log at least the following operations during the automated processing of personal data: storage, modification, reading, disclosure, deletion or destruction.
3 The log shall provide information on the type of processing operation, the identity of the person who carried out the processing, the identity of the recipient and the time at which the processing took place.
4 The logs must be kept for two years, separately from the system in which the personal data are processed. They shall be accessible only to the bodies or persons responsible for monitoring compliance with the data protection provisions or for restoring the confidentiality, integrity, availability and traceability of the data, and may be used only for this purpose.
</gre_replace>
<gr_insert after="39" cat="add_content" lang="python" orig="4 The logs">
The following is an added example, not part of the draft ordinance or its explanatory material, showing what an audit log shaped by Art. 3 can look like in code: it accepts only the six operations named in paragraphs 1 and 2, refuses entries that lack the fields named in paragraph 3, and computes the two-year retention horizon of paragraph 4. Two points are this example's own assumptions rather than requirements stated in the draft: the recipient field is treated as mandatory for disclosures and absent for every other operation, and entries are SHA-256 hash-chained so that later alteration of the stored log is detectable. The sample entries are constructed, and the names (clerk-17, insurer-XYZ) are placeholders.

```python
"""Append-only audit log shaped by Art. 3 E-VDSG (added example, not draft text)."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Operations that Art. 3(1) and (2) require to be logged.
LOGGED_OPERATIONS = frozenset(
    {"storage", "modification", "reading", "disclosure", "deletion", "destruction"}
)
# Art. 3(4): logs are kept for two years (approximated here as 730 days).
RETENTION = timedelta(days=2 * 365)
GENESIS_HASH = "0" * 64


def _as_utc(value: datetime | str) -> datetime:
    """Accept a datetime or ISO 8601 string; reject naive (zone-less) timestamps."""
    dt = datetime.fromisoformat(value) if isinstance(value, str) else value
    if dt.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return dt.astimezone(timezone.utc)


@dataclass(frozen=True)
class LogEntry:
    operation: str            # type of processing operation (Art. 3(3))
    actor: str                # identity of the person who carried it out (Art. 3(3))
    timestamp: str            # time of processing, ISO 8601 in UTC (Art. 3(3))
    recipient: Optional[str]  # identity of the recipient, for disclosures (Art. 3(3))
    prev_hash: str            # hash of the preceding entry (assumption: hash chain)
    entry_hash: str           # SHA-256 over prev_hash + canonical JSON body

    @staticmethod
    def compute_hash(prev_hash: str, body: dict) -> str:
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


class AuditLog:
    """Entries are validated on append and chained; verify_chain() detects tampering."""

    def __init__(self) -> None:
        self.entries: list[LogEntry] = []

    def append(self, operation: str, actor: str, when: datetime | str,
               recipient: Optional[str] = None) -> LogEntry:
        if operation not in LOGGED_OPERATIONS:
            raise ValueError(f"operation not covered by Art. 3: {operation!r}")
        if not actor:
            raise ValueError("actor identity is mandatory (Art. 3(3))")
        # Assumption of this example: recipient only for disclosures, and always then.
        if operation == "disclosure" and not recipient:
            raise ValueError("disclosure requires the recipient identity (Art. 3(3))")
        if operation != "disclosure" and recipient is not None:
            raise ValueError("recipient applies only to disclosures")
        body = {"operation": operation, "actor": actor,
                "timestamp": _as_utc(when).isoformat(), "recipient": recipient}
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        entry = LogEntry(prev_hash=prev,
                         entry_hash=LogEntry.compute_hash(prev, body), **body)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute every hash; False if an entry was altered, removed or reordered."""
        prev = GENESIS_HASH
        for e in self.entries:
            body = {"operation": e.operation, "actor": e.actor,
                    "timestamp": e.timestamp, "recipient": e.recipient}
            if e.prev_hash != prev or e.entry_hash != LogEntry.compute_hash(prev, body):
                return False
            prev = e.entry_hash
        return True

    def past_retention(self, now: datetime | str) -> list[LogEntry]:
        """Entries whose two-year retention period (Art. 3(4)) has elapsed as of `now`."""
        cutoff = _as_utc(now) - RETENTION
        return [e for e in self.entries if datetime.fromisoformat(e.timestamp) < cutoff]


def demo() -> AuditLog:
    """Constructed sample entries (not real data) exercising the log."""
    log = AuditLog()
    t0 = datetime(2021, 6, 23, 9, 0, tzinfo=timezone.utc)
    log.append("storage", "clerk-17", t0)
    log.append("reading", "clerk-17", t0 + timedelta(minutes=5))
    log.append("disclosure", "clerk-42", t0 + timedelta(hours=1), recipient="insurer-XYZ")
    return log
```

Keeping the log "separately from the system in which the personal data are processed" (paragraph 4) is an operational matter this example does not address: in practice the entries would be shipped to a store to which the processing system has append-only access and which only the monitoring or recovery roles can read.
<test>
log = demo()
assert len(log.entries) == 3
assert log.verify_chain()
assert log.entries[0].prev_hash == GENESIS_HASH
assert log.entries[2].prev_hash == log.entries[1].entry_hash
assert log.entries[2].recipient == "insurer-XYZ"
assert log.entries[0].timestamp == "2021-06-23T09:00:00+00:00"
try:
    log.append("disclosure", "clerk-42", "2021-06-23T11:00:00+00:00")
    assert False, "disclosure without recipient must be rejected"
except ValueError:
    pass
try:
    log.append("export", "clerk-42", "2021-06-23T11:00:00+00:00")
    assert False, "operation outside Art. 3 must be rejected"
except ValueError:
    pass
try:
    log.append("reading", "clerk-42", "2021-06-23T11:00:00")
    assert False, "naive timestamp must be rejected"
except ValueError:
    pass
try:
    log.append("reading", "clerk-42", "2021-06-23T11:00:00+00:00", recipient="x")
    assert False, "recipient on non-disclosure must be rejected"
except ValueError:
    pass
assert len(log.entries) == 3
assert len(log.past_retention("2022-01-01T00:00:00+00:00")) == 0
assert len(log.past_retention("2024-01-01T00:00:00+00:00")) == 3
original = log.entries[1]
log.entries[1] = LogEntry(operation=original.operation, actor="someone-else",
                          timestamp=original.timestamp, recipient=original.recipient,
                          prev_hash=original.prev_hash, entry_hash=original.entry_hash)
assert not log.verify_chain()
</test>
</gr_insert>
<gr_replace lines="41-57" cat="clarify" orig="Art. 4">
Art. 4 Processing regulations of private persons

1 The controller and its processor must draw up regulations for automated processing if they:
a. process personal data requiring special protection on a large scale; or
b. carry out high-risk profiling.
2 The regulations must contain at least the following information:
a. on the purpose of the processing;
b. on the categories of data subjects and the categories of personal data processed;
c. on the retention period of the personal data or the criteria for determining this period;
d. on the internal organization;
e. on the origin of the personal data and how it was obtained;
f. on the technical and organizational measures to ensure data security;
g. on access authorizations and on the type and scope of access;
h. on the measures taken to minimize data;
i. on the data processing procedures, in particular the procedures for storage, correction, disclosure, retention, archiving, pseudonymization, anonymization and deletion or destruction;
j. on the procedure for exercising the right of access and the right to issue or transfer data.
3 The private controller must regularly update the regulations and make them available to the data protection advisor in a form that the advisor can understand.

Art. 4 Pro­ce­s­sing regu­la­ti­ons of pri­va­te persons

1 The per­son respon­si­ble and his order pro­ces­sor must draw up regu­la­ti­ons for auto­ma­ted pro­ce­s­sing if they:
a. exten­si­ve­ly pro­cess per­so­nal data requi­ring spe­cial pro­tec­tion; or
b. Per­form high-risk profiling.
2 The regu­la­ti­ons must con­tain at least the fol­lo­wing infor­ma­ti­on:
a. for the pur­po­se of processing;
b. on the cate­go­ries of data sub­jects and the cate­go­ries of per­so­nal data processed;
c. on the reten­ti­on peri­od of the per­so­nal data or the cri­te­ria for deter­mi­ning this period;
d. to the inter­nal organization;
e. on the ori­gin of the per­so­nal data and how it was obtained;
f. on the tech­ni­cal and orga­nizatio­nal mea­su­res to ensu­re data security;
g. on access aut­ho­rizati­ons and on the type and scope of access;
h. on the mea­su­res taken to mini­mi­ze data;
i. on the data pro­ce­s­sing pro­ce­du­res, in par­ti­cu­lar the pro­ce­du­res for sto­rage, cor­rec­tion, dis­clo­sure, reten­ti­on, archi­ving, pseud­ony­mizati­on, anony­mizati­on and dele­ti­on or destruction;
j. on the pro­ce­du­re for exer­cis­ing the right of access and the right to issue or trans­fer data.
3 The pri­va­te indi­vi­du­al must regu­lar­ly update the regu­la­ti­ons and make them available to the data pro­tec­tion advi­sor in a form that the advi­sor can understand.

Art. 5 Processing regulations of federal bodies

1 The responsible federal body and its processor shall draw up processing regulations for automated processing operations if they:
a. process personal data requiring special protection;
b. perform profiling;
c. carry out data processing operations within the meaning of Article 34(2)(c) FADP;
d. make personal data accessible to cantons, foreign authorities, international organizations or private persons;
e. link data sets with each other; or
f. operate an information system or manage data resources together with other federal bodies.
2 The regulations must contain at least the information specified in Article 4 paragraph 2.
3 The responsible federal body must regularly update the regulations and make them available to the data protection advisor in a form that is comprehensible to him or her, and to the Federal Data Protection and Information Commissioner (FDPIC) upon request.

Section 2: Processing by processors

Art. 6 Modalities

1 The controller who entrusts the processing of personal data to a processor remains responsible for data protection. It must ensure that the data is processed in accordance with the contract or the law.
2 If the processor is not subject to the FADP, the controller must ensure that other legal provisions guarantee equivalent data protection. Otherwise, it must ensure this by contractual means.
3 If the controller is a federal body, the processor may transfer the data processing to a third party only if the federal body has approved this in writing.

Art. 7 Information to the data protection advisor of the federal body

The federal body shall inform the data protection advisor without delay of the conclusion of a contract with a processor or of the authorization to transfer data processing to a third party. It shall further inform the data protection advisor if problems arise in complying with the statutory or contractual data protection provisions.

Section 3: Disclosure of personal data abroad

Art. 8 Assessment of the adequacy of data protection of a foreign state or an international body

1 If personal data are disclosed abroad, the following criteria in particular must be taken into account when assessing whether a state, a territory, one or more specific sectors in a state or an international body ensures adequate data protection:
a. the international obligations of the state or international body in the field of data protection;
b. respect for human rights;
c. the applicable legislation on data protection, its implementation and the relevant case law;
d. the effective guarantee of the rights of data subjects and of legal protection;
e. the effective functioning of one or more independent authorities responsible for data protection in the state concerned, or to which an international body is subordinate, with sufficient powers and competences.
2 The assessments of international bodies or of foreign authorities responsible for data protection may be taken into account in the assessment.
3 The adequacy of data protection of the state, territory, specific sectors in a state or international body concerned shall be reassessed periodically.
4 If it emerges from an assessment under paragraph 3 or from available information that a state, a territory, one or more specific sectors in a state or an international body no longer ensures adequate data protection, the decision shall be amended, suspended or revoked in accordance with Article 16 paragraph 1 FADP. The new decision has no effect on data disclosures that have already been made.
5 The states, territories, specific sectors in a state and international bodies with adequate data protection are listed in Annex 1.
6 The FDPIC shall be consulted prior to any decision on the adequacy of data protection.

Art. 9 Data protection clauses and specific safeguards

1 The data protection clauses in a contract pursuant to Article 16 paragraph 2 letter b FADP and the specific safeguards pursuant to Article 16 paragraph 2 letter c FADP must regulate at least the following points:
a. the application of the principles of lawfulness, good faith, proportionality, purpose limitation and accuracy;
b. the categories of personal data disclosed and the data subjects concerned;
c. the nature and purpose of the disclosure of personal data;
d. the names of the states to which personal data are disclosed;
e. the names of the international bodies to which personal data are disclosed;
f. the requirements for the retention, deletion and destruction of personal data;
g. the recipients authorized to process the data;
h. the measures taken to ensure data security;
i. the requirements for disclosure of personal data to another foreign state or to another international body;
j. the obligation of the recipient to inform the data subjects about the processing;
k. the rights of the data subject, namely:
1. the right to information,
2. the right to object,
3. the right to rectification, deletion or destruction of their data,
4. the right to seek redress from an independent authority.
2 The controller must take reasonable measures to ensure that the recipient complies with the data protection clauses in a contract or with the specific safeguards.
3 If the FDPIC has been informed of the data protection clauses in a contract or of the specific safeguards, the information obligation shall be deemed to have been fulfilled for all further disclosures that:
a. take place under the same data protection clauses or safeguards, provided that the categories of recipients, the purpose of the processing and the categories of data remain substantially unchanged; or
b. take place within the same legal entity or company or between companies belonging to the same group, provided that the data protection clauses or safeguards continue to ensure appropriate data protection.

Art. 10 Standard data protection clauses

1 If the controller discloses personal data abroad using standard data protection clauses in accordance with Article 16 paragraph 2 letter d FADP, it shall take appropriate measures to ensure that the recipient complies with them.
2 The FDPIC publishes a list of the standard data protection clauses it has approved, issued or recognized.

Art. 11 Binding corporate data protection regulations

1 Binding corporate data protection regulations pursuant to Article 16 paragraph 2 letter e FADP apply to all companies belonging to the same group.
2 They shall include at least the items referred to in Article 9 paragraph 1 and the following information:
a. the organization and contact details of the group and its companies;
b. the measures taken within the group to ensure compliance with the binding corporate data protection regulations.

Art. 12 Codes of conduct and certifications

1 Personal data may be disclosed abroad if appropriate data protection is guaranteed by a code of conduct or a certification.
2 The code of conduct shall contain at least the information specified in Article 9 paragraph 1 and must be approved in advance by the FDPIC.
3 The code of conduct or certification must be accompanied by a binding and enforceable commitment by the controller or processor in the third country to apply the measures contained therein.

Chapter 2: Obligations of the controller and the processor

Art. 13 Modalities of the information obligations

1 The controller and the processor shall communicate the information on the acquisition of personal data in a precise, comprehensible and easily accessible form.
2 If the information is communicated in combination with pictograms that are displayed electronically, these must be machine-readable.

Art. 14 Duty of federal bodies to provide information in the case of systematic acquisition of personal data

If the data subject is not obliged to provide information, the responsible federal body shall, in the event of a systematic acquisition of personal data, in particular by means of a questionnaire, inform him or her that the provision of the information is voluntary.

Art. 15 Information on the disclosure of personal data

The controller and the processor shall inform the recipient about the currency, reliability and completeness of the personal data they disclose, insofar as this is not apparent from the data itself or from the circumstances.

Art. 16 Information on the correction, deletion or destruction and on the restriction of the processing of personal data

The controller shall inform the recipients to whom it has disclosed personal data without undue delay of the correction, deletion or destruction of the personal data and of any restriction of its processing, unless notification is impossible or involves a disproportionate effort.

Art. 17 Review of an automated individual decision

If a person affected by an automated individual decision requests to state his or her position or to have the decision reviewed by a natural person, he or she may not be disadvantaged as a result.

Art. 18 Form and retention of the data protection impact assessment

The controller must record the data protection impact assessment in writing. It must be retained for two years after the end of the data processing.

Art. 19 Notification of data security breaches

1 In the event of a data security breach, the controller shall notify the FDPIC of:
a. the nature of the breach;
b. as far as possible, its time and duration;
c. as far as possible, the categories and approximate number of personal data concerned;
d. as far as possible, the categories and approximate number of data subjects concerned;
e. the consequences, including any risks, for the data subjects;
f. the measures that have been taken or are planned to remedy the breach or mitigate its consequences;
g. the name and contact details of a contact person.
2 If, upon discovery of the data security breach, the controller is unable to provide the FDPIC with all the information referred to in paragraph 1 at the same time, it may provide this information in stages without undue further delay.
3 The controller shall communicate to the data subjects, in plain and intelligible language, at least the information referred to in paragraph 1 letters a, e, f and g.
4 If the controller is a federal body, the notification to the FDPIC shall be made via the data protection advisor.
5 The controller must document the breaches. The documentation must contain all facts relating to the incidents, their effects and the measures taken. It must be kept for at least three years from the time of the notification under paragraph 1.

Chapter 3: Rights of the data subject

Section 1: Right to information

Art. 20 Modalities

1 The request for information shall be made in writing. If the controller agrees, the request may also be made orally.
2 As a rule, the information shall be provided in writing. In agreement with the controller or at its suggestion, the data subject may also inspect his or her data on site. The information may also be provided orally if the data subject has consented.
3 The information must be comprehensible to the data subject.
4 When providing information, the controller must take appropriate measures to ensure the identification of the data subject and to protect the data subject's personal data from access by unauthorized third parties. The data subject must cooperate in his or her identification.
5 The controller must document the reasons for refusing, restricting or postponing the information. The documentation shall be kept for at least three years.

Art. 21 Competence

1 If several controllers are responsible for the processing of personal data, the data subject may exercise his or her right of access against any of them.
2 If a controller is not competent to deal with the request, it shall forward it to the competent controller.
3 If the request relates to data processed by a processor, the controller shall forward the request to the processor if the controller is not in a position to provide the information itself.

Art. 22 Time limit

1 The information shall be provided within 30 days of receipt of the request. If the controller refuses, restricts or postpones the information, it must give notice of this within the same period.
2 If the information cannot be provided within 30 days, the controller must notify the data subject and inform him or her of the period within which the information will be provided.

Art. 23 Exceptions to the provision of information free of charge

1 A reasonable contribution to the costs may be requested if the provision of the information involves a disproportionate effort.
2 The maximum contribution is 300 Swiss francs.
3 The data subject must be informed of the amount of the contribution before the information is provided and may withdraw his or her request within ten days.

Section 2: Right to issue or transfer data

Art. 24

Article 20 paragraphs 1, 4 and 5 as well as Articles 21, 22 and 23 apply mutatis mutandis to the right to issue or transfer data and to its limitations.

Chapter 4: Special provisions on data processing by private persons

Art. 25 Data protection advisor

1 The data protection advisor of a private controller must perform the following tasks:
a. He or she reviews the processing of personal data and its requirements and recommends corrective measures if he or she finds that data protection provisions have been violated.
b. He or she participates in the preparation of the data protection impact assessment and reviews it, in any case where the private controller wishes to refrain from consulting the FDPIC within the meaning of Article 23 paragraph 4 FADP.
2 The private controller must:
a. provide the data protection advisor with the necessary resources;
b. grant him or her access to all information, documents, registers of processing activities and personal data that he or she needs to perform his or her duties.

Art. 26 Exemption from the obligation to keep a register of processing activities

Companies and other organizations under private law that employ fewer than 250 employees at the beginning of a year, as well as natural persons, are exempt from the obligation to keep a register of processing activities, unless one of the following conditions is met:
a. they process personal data requiring special protection on a large scale;
b. they perform high-risk profiling.

Chapter 5: Special provisions on data processing by federal bodies

Section 1: Data protection advisor

Art. 27 Appointment

Each federal body shall appoint a data protection advisor. Several federal bodies may jointly appoint a data protection advisor.

Art. 28 Requirements and tasks

1 The data protection advisor must meet the following requirements:
a. He or she has the necessary expertise.
b. He or she exercises his or her function vis-à-vis the federal body in a professionally independent manner and without being bound by instructions.
2 He or she must perform the following duties:
a. He or she reviews the processing of personal data and its requirements and recommends corrective measures if he or she finds that data protection provisions have been violated.
b. He or she participates in the preparation of the data protection impact assessment and reviews it.
c. He or she reports data security breaches to the FDPIC.
d. He or she serves as a point of contact for data subjects.
e. He or she trains and advises the federal body and its employees on data protection issues.

Art. 29 Duties of the federal body

1 The federal body shall grant the data protection advisor access to all information, documents, registers of processing activities and personal data that he or she requires to perform his or her duties.
2 It shall publish the contact details of the data protection advisor on the internet and communicate them to the FDPIC.

Art. 30 Contact point for the FDPIC

The data protection advisor serves as the point of contact for the FDPIC for questions relating to the processing of personal data by the federal body concerned.

Section 2: Projects of federal bodies for the automated processing of personal data

Art. 31 Information to the data protection advisor

The responsible federal body shall inform the data protection advisor in good time when planning a project for the automated processing of personal data, and in the event of adjustments after completion of the project, so that data protection requirements are taken into account from the outset.

Art. 32 Notification to the FDPIC

1 The responsible federal body shall notify the FDPIC of the planned automated processing activities at the time of the project approval or of the decision to develop the project. The FDPIC shall include this notification in the register of processing activities.
2 The notification must contain the information in accordance with Article 12 paragraph 2 letters a-d FADP and the expected date of commencement of the processing activities.
3 The responsible federal body shall update the notification upon transition to productive operation or upon termination of the project.

Section 3: Pilot testing

Art. 33 Indispensability of the test phase

A test phase as a pilot test is indispensable if one of the following conditions is met:
a. The fulfillment of a task requires technical innovations whose effects must first be evaluated.
b. The fulfillment of a task requires significant organizational or technical measures whose effectiveness must first be tested, in particular in the case of cooperation between federal and cantonal bodies.
c. The fulfillment of the task requires that the personal data be made accessible by means of a retrieval procedure.

Art. 34 Authorization

1 Prior to consulting the interested administrative units, the federal body responsible for the pilot test shall explain to the FDPIC how compliance with the requirements under Article 35 FADP is to be ensured and shall invite the FDPIC to submit comments.
2 The FDPIC issues an opinion on whether the authorization requirements under Article 35 FADP are met. The competent federal body shall provide it with all the documents necessary for this purpose, in particular:
a. a general description of the pilot test;
b. a report demonstrating that the fulfillment of the tasks provided for by law requires processing within the meaning of Article 34 paragraph 2 FADP and that a test phase prior to the entry into force of the law in the formal sense is indispensable (Article 35 paragraph 1 letter c FADP);
c. a description of the internal organization and of the data processing and control procedures;
d. a description of the security and data protection measures;
e. the draft of an ordinance regulating the details of the processing, or the concept of such an ordinance;
f. information concerning the planning of the different phases of the pilot test.
3 The FDPIC may request further documents and carry out additional investigations.
4 The competent federal body shall inform the FDPIC of any important change affecting compliance with the requirements of Article 35 FADP. The FDPIC shall comment again if necessary.
5 The opinion of the FDPIC must be attached to the application to the Federal Council.
6 The modalities of the automated data processing are governed by an ordinance.

Art. 35 Evaluation report

The competent federal body shall submit the draft evaluation report intended for the Federal Council to the FDPIC for its opinion. The opinion of the FDPIC shall be brought to the attention of the Federal Council.

Section 4: Data processing for non-personal purposes

Art. 36

If personal data are processed for non-personal purposes, in particular research, planning and statistics, and at the same time for another purpose, the exceptions under Article 39 paragraph 2 FADP apply only to the processing for the non-personal purposes.

Chapter 6: Federal Data Protection and Information Commissioner

Art. 37 Headquarters and permanent secretariat

1 The seat of the FDPIC is in Bern.
2 The employment relationships of the employees of the permanent secretariat of the FDPIC are governed by federal personnel legislation. The employees of the permanent secretariat of the FDPIC are insured against the economic consequences of old age, disability and death with the Federal Pension Fund PUBLICA.

Art. 38 Communication channel

1 The FDPIC communicates with the Federal Council via the Federal Chancellor. The latter shall forward proposals, opinions and reports unchanged to the Federal Council.
2 It shall submit reports to the Federal Assembly via the Parliamentary Services.

Art. 39 Notification of guidelines and decisions

1 The departments and the Federal Chancellery shall notify the FDPIC of their guidelines in the area of data protection and of their decisions in anonymized form.
2 The federal bodies shall submit to the FDPIC all draft legislation relating to the processing of personal data, data protection and access to official documents.

Art. 40 Processing of personal data

The FDPIC processes personal data, including personal data requiring special protection, in particular for the following purposes:
a. to carry out its supervisory activities;
b. to investigate breaches of data protection provisions;
c. to train and advise federal bodies and private persons;
d. to cooperate with federal, cantonal and foreign authorities;
e. to conduct conciliation proceedings and evaluations in accordance with the Federal Act of 17 December 2004 on Freedom of Information in the Administration (BGÖ);
f. to respond to citizen inquiries.

Art. 41 Self-regulation

1 The FDPIC shall draw up processing regulations for all of its automated processing operations. Article 5 paragraph 1 does not apply.
2 It shall provide for internal processes to ensure that processing is carried out in accordance with the processing regulations. It shall review annually whether the processing regulations are being complied with.

Art. 42 Cooperation with the National Cyber Security Center (NCSC)

1 The FDPIC may forward the information from a data security breach notification to the NCSC for the purpose of analyzing the incident. It must first obtain the consent of the controller that made the notification.
2 It shall invite the NCSC to submit its comments before ordering a measure relating to data security in accordance with Article 51 paragraph 3 letter b FADP against a federal body.

Art. 43 Register of processing activities of federal bodies

1 The register of processing activities of federal bodies contains the information provided by federal bodies and their processors in accordance with Article 12 paragraphs 2 and 3 FADP and Article 32 paragraph 2 of this Ordinance.
2 It shall be published on the internet. The register entries on planned automated processing activities in accordance with Article 32 shall not be published.

Art. 44 Codes of conduct

If a code of conduct is submitted to the FDPIC, the FDPIC shall state in its opinion whether the code of conduct meets the requirements of Article 22 paragraph 5 letters a and b FADP.

Art. 45 Fees

1 The fees charged by the FDPIC are based on the time spent.
2 An hourly rate of 150 to 350 francs applies, depending on the complexity of the matter and the function of the person handling it.
3 In all other respects, the General Fees Ordinance of 8 September 2004 applies.

Chapter 7: Final provisions

Art. 46 Repeal and amendment of other enactments

The repeal and amendment of other enactments are regulated in Annex 2.

Art. 47 Transitional provision concerning the notification of planned automated processing activities to the FDPIC

Article 32 does not apply to planned automated processing activities for which the project approval or the project development decision has already been made at the time of entry into force.

Art. 48 Entry into force

This Ordinance shall enter into force on .…

Annex 1 (Article 8 paragraph 5) States, territories, specific sectors within a state, and international bodies with adequate data protection […]

Annex 2 (Article 46) Repeal and amendment of other enactments […]