The revised data protection law (DSG) requires data controllers and data processors to maintain registers of their processing activities (Art. 12 nDSG).
The law defines the minimum content of the registers but does not provide specific instructions on how to maintain the register. It stipulates that small and medium-sized enterprises (SMEs) are exempt from keeping a register if they employ fewer than 250 employees and pose only a low risk to personal data protection.
The register of processing activities must include at least the following information:
- Identity of the data controller
- Purpose of the processing
- Description of the categories of data subjects and the types of personal data processed
- Retention period (if possible) or criteria used to determine the retention period
- General description of the measures taken to ensure data security
- If data is disclosed internationally, indication of the country or the guarantees provided by alternative measures
The register maintained by the data processor should include the following information:
- Identity of the data processor
- Identity of the data controller
- Categories of processing activities performed on behalf of the data controller
- Description of the measures taken to ensure data security
- Indication of the country where data is disclosed internationally or the guarantees provided by alternative measures
