Part 7 of our series on data protection law in Switzerland
In this part of our series, we analyse whether and under what circumstances the appointment of a Data Protection Officer (DPO) is mandatory under the Swiss Federal Act on Data Protection (FADP).
Mandatory nomination of a DPO for federal bodies
With respect to the nomination of a DPO, the rules also differ between private persons and federal bodies (meaning federal authorities or agencies or persons entrusted with public tasks of the federal government, such as a pension fund). Pursuant to Art. 25 of the Data Protection Ordinance, every federal body must appoint a DPO, whereby two or more federal bodies may appoint a joint DPO. The DPO must have the required specialist knowledge and must carry out their work in relation to the federal body in a professionally independent manner without being bound by instructions. The contact details of the DPO must be published online and notified to the Federal Data Protection and Information Commissioner (FDPIC).
The statutory tasks of the DPO include support in applying the data protection regulations, in particular by examining personal data processing activities and recommending corrective measures, if necessary, and by assisting the federal body in preparing data protection impact assessments and reviewing their implementation; provision of training and advice on data protection matters to employees of the federal body; and serving as a contact point for data subjects and the FDPIC.
Voluntary nomination of a DPO for private controllers
Private controllers may voluntarily appoint a DPO, who serves as a contact point for data subjects and for the data protection authorities. The DPO's tasks include training and advising the controller in data protection matters and providing support in applying the data protection regulations.
Private controllers who have nominated a DPO can refrain from consulting the FDPIC if a data protection impact assessment reveals a high residual risk despite the measures envisaged, provided that they consult their DPO and that the DPO has the required expertise, exercises their function in a professionally independent manner without being bound by instructions and does not carry out any activities that are incompatible with their tasks as a DPO. To benefit from this exemption, the controller must furthermore publish the DPO's contact details, ideally in the privacy notice, and notify the FDPIC thereof.
Preview of Part 8
In part 8 of our series, we will examine what rules must be followed when appointing a processor.