ARTICLE
26 June 2025

Must Processing Activities Be Recorded Internally?

FP
FABIAN PRIVACY LEGAL GmbH

Contributor

FABIAN PRIVACY LEGAL GmbH logo
We are a boutique law firm specializing in data, privacy and data protection laws and related issues, information security, data and privacy governance, risk management, program implementation and legal compliance. Our strengths are the combination of expert knowledge and practical in-house experience as well as a strong network with industry groups, privacy associations and experts around the world.
Explore Firm Details
In this part of our series, we examine whether and under which conditions personal data processing activities must be recorded internally under the Swiss Federal Act on Data Protection (FADP).
Switzerland Privacy
Daniela Fabian

Part 5 of our series on data protection law in Switzerland

In this part of our series, we examine whether and under which conditions personal data processing activities must be recorded internally under the Swiss Federal Act on Data Protection (FADP).

General duty to keep a record of processing activities

Pursuant to Art. 12 FADP, controllers as well as processors must keep a record of their processing activities.

The controller's record must, as a minimum, contain the following elements: a) controller's identity; b) purpose of processing; c) categories of data subjects and of processed personal data; d) categories of recipients; e) if possible, the retention period for the personal data or the criteria for determining such period; f) if possible, a general description of the data security measures taken; g) if the data is disclosed abroad, the state and the applicable guarantee.

The processor's record must contain a) processor's and controller's identity; b) categories of processing carried out on behalf of the controller; c) if possible, a general description of the data security measures taken; d) if the data is disclosed abroad, the state and the applicable guarantee.

Duty to notify for federal bodies

Federal bodies must furthermore notify their record of processing activities to the Federal Data Protection and Information Commissioner (FDPIC). Notifications are made via a dedicated online reporting portal and are published in a publicly accessible register (https://datareg.edoeb.admin.ch).

Exception for small businesses

Private sector organisations with less than 250 employees on 1st January of any year are exempt from the obligation to keep a record of processing activities if their data processing poses a negligible risk of harm to the personality of the data subjects, i.e. if they neither process large volumes of sensitive personal data, nor carry out high-risk profiling.

To have an overview of all processing activities and to enable efficient data management and achieve privacy compliance, it is, however, strongly recommended for all organisations to keep a register of processing activities, even if they are not obliged to do so by law. The effort required for small organisations is kept to a minimum.

Preview on Part 6

In part 6 of our series, we will explore the privacy rights of individuals under the FADP.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Daniela Fabian
Daniela Fabian
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More