How to Support Internal Data Protection Officers
Data protection regulations are essential for an internationally operating business to navigate, and they can also be among the most complicated. But in some capacities, the responsibilities of a data protection officer (DPO) can be eased with the assistance of external legal counsel.
Experienced DPO Lukas Lezzi examines Swiss DPOs’ many obligations and the possibility of mitigating them in the feature below.
What are the basic legal and regulatory obligations of an internal data protection officer (DPO) in Switzerland?
The Swiss Federal Act on Data Protection (FADP) in its current version gives the controller the possibility to appoint a DPO voluntarily. This appointment grants the controller an exemption from the obligation to report data processing activities of sensitive data to the Federal Data Protection and Information Commissioner (FDPIC).
However, since this law is only going to be in force until 23 August 2023, we will instead focus on the new revised FADP, which will enter into force on 1 September 2023 without any grace period. Article 10 of the revised FADP determines the role of the DPO (in Switzerland called the Data Protection Advisor) in greater detail.
The appointment of a DPO is voluntary for private controllers in Switzerland. However, the appointment enables the controller to invoke an exception from the consultation obligation of the FDPIC in the course of a Data Protection Impact Assessment.
According to the FADP, the DPO acts as the contact point for the data subjects and for the competent data protection authorities responsible for data protection matters in Switzerland, namely the FDPIC. In particular, he or she has the following duties:
- to train and advise the private controller in matters of data protection;
- to participate in the enforcement of data protection regulations.
If a DPO is appointed and the controller wants to benefit from the above-mentioned exemption to the consultation obligation, the following requirements must be met:
- the DPO performs his/her function towards the controller in a professionally independent manner and without being bound by instructions;
- the DPO does not perform any activities which are incompatible with their tasks as DPO;
- the DPO possesses the necessary professional knowledge;
- the controller publishes the contact details of the data protection advisor and communicates them to the FDPIC.
Furthermore, the controller ensures that the DPO:
- has the necessary resources;
- has access to all information, documents, inventories of processing activities and personal data that he/she requires in order to fulfil his or her duties;
- has the right to inform the highest management or administrative body in important cases.
Generally speaking, the role of DPO in Switzerland under the new FADP will be very similar to the GDPR, but will remain voluntary for the controller. However, many companies in Switzerland have opted to create such a role, if they did not already have one (due to being subject to the GDPR).
What further considerations are created for DPOs in organisations involved in the financial market?
For many actors in the Swiss financial market, there is a professional secrecy obligation to be considered. These secrecy obligations for client data are relevant for banks, securities firms, asset managers, trustees, managers of collective assets, fund management companies and financial market infrastructures (e.g. trading venues, payment systems or central securities depositories).
For these regulated entities, the Swiss Financial Market Supervisory Authority (FINMA) lays down rules for handling critical data, a term which entails personal data. Thus, a DPO of a regulated entity in the financial market needs to consider not only the FADP, but also the respective regulatory framework, when advising their business.
FINMA will also regularly audit regulated entities regarding their data protection and general information management framework. Consequently, it can be very challenging for a DPO to consider not only the relevant data protection laws, but also any regulation concerning the handling of data.
Finally, as in many industries, outsourcing is a very important topic for any DPO in the financial market. However, due to the various regulations, outsourcing can be a bothersome and complex process, particularly if FINMA has to be involved.
How does the addition of international data transference further complicate these duties?
The EU Commission has decided that Switzerland has an adequate level of data protection regarding the GDPR and vice versa. Thus, data transfer between the EU/EEA and Switzerland is usually uncomplicated. However, when transferring personal data to countries without an adequate level of data protection, it can be difficult for the DPO to advise on any necessary additional technical or organizational measures that will need to be taken.
Furthermore, the professional secrecy obligation can complicate such international data transfers even more. Conservative Swiss scholars seem to be still of the opinion that personal data covered by the professional secrecy obligation may not be transferred outside Switzerland without the consent of the clients. However, lately, an argument has emerged that such data may be transferred outside of Switzerland without the explicit consent of the client, provided that the security of the data is ensured.
What can external legal counsel offer a DPO that they might be unable to achieve on their own?
Given that a DPO is involved in various internal operational processes within a company, such as data subject requests or privacy impact assessments, and usually lacks the time and resources for in-depth legal research, an external counsel can support a DPO with the latest know-how. In the highly regulated financial market, the regulation and practice of the supervisory authority tend to change particularly quickly.
What data protection matters most commonly require external support?
Usually, external legal support is advisable for reviewing privacy policies, for international data transfer or for designing internal processes (e.g. access requests, data breach notification, privacy impact assessments, etc.). External advice is particularly important when conducting substantial internal projects, such as a migration to a new cloud (particularly if this cloud is hosted outside Switzerland). Generally, an external counsel can offer a DPO insight on how other, similar companies resolve similar issues regarding data protection, which can be very beneficial for the DPO.
Given that the revised FADP brings many new requirements and new processes, it is advisable that a DPO tasked with designing a data protection framework engage an external counsel in order to get the necessary know-how.
Do you expect new technology and the growth of digital assets to increase the need for DPOs to seek support?
New technologies such as ‘distributed ledgers’, the ‘internet of things’ and artificial intelligence can of course have an impact on data protection, provided personal data is processed. It can be very challenging and time-consuming to design such products and services compliantly. This is where an external counsel can provide valuable support by providing their know-how to the DPO.
Lukas Lezzi, Founder
Etzelstrasse 3, Postfach, 8038 Zürich, Switzerland
Tel: +41 79 315 10 10
Dr Lukas Lezzi is a qualified lawyer in Switzerland and holder of the IAPP certifications CIPP/E and CIPM. He studied law in Zurich and received his doctorate in financial market law, and worked as the data protection officer for a major Swiss financial infrastructure provider and a major Swiss law firm before founding his own boutique firm. He advises national and international clients in data protection and Swiss regulatory matters. Currently, he and his team are advising several companies on the implementation of the new FADP.