Habefast | Blog
Digital
4 July 2023

Data Protection Officer, a key role with the arrival of the nFADP in Switzerland


In Switzerland, the new Federal Act on Data Protection (nFADP) gives the role of Data Protection Officer (DPO), which the Act itself calls the data protection adviser, a basis in legislation.

When the new law comes into force on 1 September 2023, appointing a DPO will not be compulsory for private companies: Art. 10 nFADP provides that private controllers may appoint a data protection adviser, and the appointment is mandatory only for federal bodies. The often-cited threshold of regular large-scale processing, or processing of sensitive data such as health or genetic data, is the GDPR's test for a mandatory DPO, and it applies to Swiss companies only where they also fall within the GDPR's scope.

Even for companies that are under no obligation to appoint a DPO, doing so is strongly recommended in order to ensure good management of personal data and to comply with best practice in data protection. The nFADP also offers a concrete incentive: a private controller that appoints an independent, qualified adviser and publishes the adviser's contact details may rely on the adviser's opinion instead of consulting the FDPIC when a data protection impact assessment shows a high residual risk (Art. 10 para. 3 and Art. 23 para. 4 nFADP).

DPO, a key role for organisations processing personal data

The Data Protection Officer (DPO) is responsible for ensuring that the organisation complies with the laws and regulations on the protection of personal data.

The DPO advises and assists the organisation in managing personal data and ensures that data subjects can exercise their data protection rights. The DPO also cooperates with the supervisory authority and reports internally on the organisation's compliance with data protection regulations. The role is essential to ensuring the confidentiality and security of personal data.

The nFADP does not require private organisations to appoint a DPO; under the Act the obligation applies to federal bodies, while the mandatory cases listed in the GDPR apply to companies that fall within its scope. Even if your company is under no such obligation, it is advisable to have a DPO, or at least a person with expertise in data protection, if you process a large volume of data, have a significant number of employees, or are subject to contractual or sector-specific data protection compliance rules.

What are the missions of the Data Protection Officer?

The Data Protection Officer (DPO) is a key player in personal data protection compliance within an organisation. The DPO has several important tasks to fulfil:

  • Supervising the management of personal data

    The DPO must ensure that the organisation complies with regulations on the protection of personal data, in particular the new Federal Act on Data Protection (nFADP), and therefore that personal data is collected, processed and stored in compliance with those regulations.

  • Advising the organisation on its data protection obligations

    The DPO must help the organisation put in place measures that guarantee the security and confidentiality of personal data. To do this, the DPO must be able to identify risks and propose corrective measures.

  • Raising awareness of personal data protection regulations among the organisation's employees

    The DPO must explain the best practices to adopt and provide training so that employees are able to handle personal data responsibly.

  • Ensuring that the organisation complies with regulations on the protection of personal data

    The DPO must ensure that the organisation puts in place suitable procedures to meet the requirements of the nFADP, of the GDPR where it applies, and of any other applicable regulations.

  • Acting as the organisation's point of contact with the data protection supervisory authority

    The DPO must cooperate with this authority in the event of an inspection or a security incident. Note that in the event of a data security breach, the duty to notify the Federal Data Protection and Information Commissioner (FDPIC) lies with the controller, not with the DPO: under Art. 24 nFADP the controller must notify the FDPIC as soon as possible of any breach that is likely to result in a high risk to the data subjects' personality or fundamental rights.

The DPO is not responsible for non-compliance with the nFADP: EDPB guidelines

The guidelines on data protection officers endorsed by the European Data Protection Board (EDPB) state that the Data Protection Officer (DPO) is not personally responsible for non-compliance with the Data Protection Regulation. Those guidelines were written for the GDPR, but the same division of responsibility applies under the nFADP, where the adviser's role is to train, advise and assist in applying the data protection rules.

Compliance is the responsibility of the controller or the processor, who must ensure, and be able to demonstrate, that data processing complies with the regulations. This responsibility rests with the controller or processor and cannot be transferred to the DPO by delegation of authority.

Such a delegation would also create a conflict of interest, since it would give the DPO decision-making power over the purposes and means of the very processing that the DPO is supposed to monitor independently.

Qualities and training required to become a DPO

The Data Protection Officer is a professional who must have a number of skills to carry out these missions successfully. There is no specific qualification required to become a DPO, and appointments are made on the basis of professional skills; however, the French Commission Nationale de l'Informatique et des Libertés (CNIL) has introduced a DPO certification scheme through which candidates can be trained for the job and validate the necessary knowledge. It is not compulsory.

As regards the qualities required to become Data Protection Officer (DPO) within a company, the person appointed must be able to communicate clearly, be independent in the performance of their duties and have a good knowledge of personal data law and data protection regulations (in particular the nFADP). The DPO must therefore:

  • have a good knowledge of the business sector of the company they work for,
  • and have technical expertise in information security.

The DPO must be able to draw up an inventory and documentation of processing operations (the register of processing activities provided for in Art. 12 nFADP), and assess the risks of personal data processing from the point of view of the nFADP.

  • The DPO must be positioned in the hierarchy so as to report to management on a regular basis and to address it directly, without undue delay, when a data breach has to be notified.
  • The DPO must be able to advise the company's management and data controllers on the measures to be put in place to comply with the nFADP.
  • The DPO must be able to train and inform employees about the requirements of data protection regulations.

The DPO must also be able to support the work of audit bodies and to carry out data protection impact assessments.

Conclusion

With the new Federal Act on Data Protection (nFADP) in force from 1 September 2023, appointing a Data Protection Officer (DPO) remains voluntary for private companies; the obligation under the Act applies to federal bodies, and the GDPR's mandatory cases (regular large-scale processing, or processing of sensitive data such as health or genetic data) apply only to companies within the GDPR's scope.

Nevertheless, companies that are not obliged to appoint a DPO are recommended to do so, to ensure good management of personal data and to comply with best practice.

The DPO is a key player in data protection compliance within an organisation, responsible for overseeing the management of personal data, advising on data protection obligations, raising awareness among the organisation’s employees, ensuring the organisation’s compliance with data protection regulations, and acting as the organisation’s point of contact with the data protection supervisory authority.

It is important to note that the DPO is not responsible for non-compliance with the nFADP; that responsibility lies with the controller or processor.

The qualities and training required to become a DPO include a good knowledge of data protection regulations, project management and communication skills, and ongoing training to keep up with regulatory and technical developments.