Since September 1, 2023, companies located outside Switzerland that process personal data of individuals in Switzerland must designate a data protection representative in Switzerland under certain conditions (Art. 14 of the Swiss Federal Act on Data Protection, nDSG).
A data protection representative in Switzerland is not required in every case of processing personal data.
Who must appoint a data protection representative?
This requirement applies only to companies that offer goods or services in Switzerland or monitor the behavior of individuals in Switzerland. In order for the obligation to designate a data protection representative to apply, additional conditions must be met:
- The data processing is substantial.
- The data processing is carried out on a regular basis.
- The data processing poses a high risk to the privacy of the affected individuals.
A high risk may arise particularly from the nature, scope, circumstances, and purpose of the data processing, especially in cases involving the use of new technologies. A high risk exists, for example, when high-risk profiling or extensive processing of particularly sensitive personal data is planned (cf. Art. 22(2) of the nDSG).
The Federal Data Protection and Information Commissioner (FDPIC) may order a company based abroad to designate a data protection representative in Switzerland (Art. 51(4) of the nDSG).
Tasks of the representative
The data protection representative has the following tasks:
- Maintaining a record of processing activities of the foreign company with minimal information in accordance with Art. 12 para. 2 of the nDSG.
- Acting as a contact point for the FDPIC.
- Acting as a contact point for affected individuals.
The data protection representative depends on the foreign company based outside Switzerland to accurately maintain and provide the record of processing activities.
