Compliance with legal requirements, including data protection laws, is one of the main duties of the board of directors and the management of a company. Data protection law requires organisations to deal with personal data in a structured, controlled and forward-looking manner. At the same time, this makes it possible to make better use of the potential of data for the company, for example in the area of data-based or digitised business models (such as “Big Data” or “Industry 4.0”) and for a more targeted approach to customers.
Compliance requires an appropriate organisation and processes within the company (Data Protection Governance), including:
- Internal data protection organisation: assignment of the responsibilities in data protection issues, appointment of the contact persons and, if necessary, appointment of a data protection officer / data protection advisor.
- Enactment of binding regulations on data protection as well as their communication and regular internal training.
- Appointment of an external data protection officer / data protection advisor: Certain companies are obliged to appoint a data protection officer. The other companies can benefit from administrative simplifications when appointing a data protection officer / advisor. The function can be filled internally or by an external person. The appointment of a qualified data protection officer / advisor can be very useful and make a significant contribution to data protection compliance.
- Swiss companies that are directly subject to the GDPR must appoint a representative in the EU under certain conditions (art. 27 GDPR).
The measures for data protection compliance must be documented. This includes among others:
- Documentation of the rules and processes for processing personal data.
- Records of data processing activities: Most companies must keep records of data processing activities in their company under the GDPR and, in future, also under Swiss law. The law prescribes the minimum content.
- Process in the case of a data breach.
- Proof of the declarations of consent, insofar as data processing is based on the consent of the data subject, and of the compliance with the statutory notice and information obligations.
- Data Protection Impact Assessment.