Data Protection-Compliance

Compliance requires an appropriate organisation and processes within the company (Data Protection Governance), i.a.

• Internal data protection organisation: assignment of the responsibilities in data protection issues, appointment of the contact persons and, if necessary, appointment of a data protection officer / data protection advisor.
• Enactment of binding regulations on data protection as well as their communication and regular internal training.
• Appointment of an external data protection officer / data protection advisor: Certain companies are obliged to appoint a data protection officer. The other companies can benefit from administrative simplifications when appointing a data protection officer / advisor. The function can be filled internally or by an external person. The appointment of a qualified data protection officer / advisor can be very useful and make a significant contribution to data protection compliance.
• Swiss companies that are directly subject to the GDPR, must appoint a representative in the EU under certain conditions (art. 27 GDPR).

The measures for data protection compliance must be documented. This includes among others:

• Documentation of the rules and porcesses for processing personal data.
• Records of data processing activities: Most companies must keep a records of data processing activities in their company under the GDPR and, in future, also under Swiss law. The law prescribes the minimum content.
• Process in the case of a data breach.
• Proof of the declarations of consent, insofar as data processing is based on the consent of the data subject, and of the compliance with the statutory notice and information obligations.
• Data Protection Impact Assessment