
Data protection law requires a number of measures. Some of them only become necessary during ongoing operations, for example notifying a data security breach or responding to an access request. Such measures can nevertheless require a certain amount of preparation, which is why companies, at least larger ones, must address these questions proactively. Other measures must be taken in advance, independently of any individual event.

Data protection law therefore requires "implementation", i.e. certain measures to avoid the risk of a data breach, in the interest of the data subjects as well as of the company and its employees and management bodies.

How this is implemented depends very much on the individual case. Very small companies can get by with a privacy policy; large companies have to do considerably more.

How should I proceed with the implementation? Implementing the revised DPA can, but need not, be costly. Depending on the size of the company, the complexity of its processes and the scope and sensitivity of its data and processing, the effort required varies considerably. At one extreme, a privacy statement on the website is sufficient. In most cases, however, a number of additional points need to be taken into account. The following list is accordingly not exhaustive, but not everything on it is mandatory either. The to-dos therefore also include points to note and considerations a company should make.

Checklists and guides

We provide guides and checklists for implementing the nDSG, for SMEs (under Swiss law) and for larger companies (also with a view to the GDPR).

Not only large companies have to implement the new data protection law; SMEs do too. The nDSG contains only marginal exceptions for SMEs, and most of its requirements apply to them as well. However, the expectations regarding the standard of implementation differ.

We have therefore prepared a checklist for SMEs. It is designed for simpler circumstances and for private companies (not for public bodies). It does not claim to be complete and does not constitute legal advice.

For larger or internationally active companies, it can often be assumed that the GDPR is being implemented, insofar as this is possible. Accordingly, such companies ask less which requirements the new DPA imposes and more where the GDPR and the nDSG differ. For this purpose, we provide a guide:

Applicability of the GDPR?

Do I fall under the GDPR? The GDPR (General Data Protection Regulation) applies in the territory of the EU and the rest of the EEA. However, under certain conditions it may also apply to companies in Switzerland. If you are not sure whether this applies to you, you can use our self-test.

