The new data protection law (nDSG) does not dictate how companies should organise themselves. However, implementing organisational measures is advisable for ensuring compliance and for ongoing monitoring of regulatory requirements. These measures facilitate workflows, clarify responsibilities, and help to safeguard the rights of data subjects and to provide information to the data protection authority (EDPB).
- Appointment of a Data Protection Officer (DPO) within the company
- Implementing and monitoring compliance with regulations, policies, and instructions
- Internal point of contact for data subjects
- Contact person for the EDPB
- Engagement of a data protection consultant if necessary
- For data processing by companies outside Switzerland: Appointment of a representative in Switzerland if the requirements are met
- Data acquisition and processing:
  - Acquire and process only necessary data
  - Implement system settings for Privacy by Default and Privacy by Design
- Data security:
  - Restrict access (physical and digital) to necessary personnel
  - Log IT system access (if necessary)
  - Implement access controls if applicable
- Information obligations:
  - Establish standardized procedures for responding to data subject requests, such as access and data disclosure requests
  - Establish standardized procedures for addressing data security breaches