What are the basic legal and regulatory obligations of an internal data protection officer (DPO) in Switzerland? The Swiss Federal Act on Data Protection (FADP) in its current version gives the controller the possibility to appoint a DPO voluntarily. This appointment grants the controller an exemption from the obligation to report data processing activities of sensitive data to the Federal Data Protection and Information Commissioner (FDPIC). However, since this law is only going to be in force until 23 August 2023, we will instead focus on the new revised FADP, which will enter into force on 1 September 2023 without any grace period. Article 10 of the revised FADP determines the role of the DPO (in Switzerland called the Data Protection Advisor) in greater detail. The appointment of a DPO is voluntary for private controllers in Switzerland. However, the appointment enables the controller to invoke an exception from the consultation obligation of the FDPIC in the course of a Data Protection Impact Assessment. According to the FADP, the DPO acts as the contact point for the data subjects and for the competent data protection authorities responsible for data protection matters in Switzerland, namely the FDPIC. In particular, he or she has the following duties: • to train and advise the private controller in matters of data protection; • to participate in the enforcement of data protection regulations. If a DPO is appointed and the controller wants to benefit from the abovementioned exemption to the consultation obligation, the following requirements must be met: • the DPO performs his/her function towards the controller in a professionally independent manner and without being bound by instructions; • the DPO does not perform any activities which are incompatible with their tasks as DPO; • the DPO possesses the necessary professional knowledge; • the controller publishes the contact details of the data protection advisor and communicates them to the FDPIC. Supporting Internal Data Protection Officers 62 LAWYER MONTHLY APRIL 2023 Data protection regulations are essential for an internationally operating business to navigate, and they can also be among the most complicated. But in some capacities, the responsibilities of a data protection officer (DPO) can be eased with the assistance of external legal counsel. Experienced DPO Lukas Lezzi examines Swiss DPOs’ many obligations and the possibility of mitigating them in this feature. Expert Insight
RkJQdWJsaXNoZXIy Mjk3Mzkz