The revised data protection law prescribes documentation obligations for companies. It may be advisable to create and maintain certain documentation even if not explicitly required. Documentation facilitates compliance and monitoring of obligations.
| Document | Up to 250 employees * | Up to 250 employees ** | More than 250 employees * | More than 250 employees ** |
|---|---|---|---|---|
| Register of Processing Activities (Art. 12 nDSG) | Generally mandatory, exception possible for SMEs | Mandatory, exception possible for SMEs | Mandatory | Mandatory |
| Inventory of Applications | Recommended | Recommended | Recommended | Recommended |
| Internal Data Protection Policies | Recommended | Recommended | Recommended | Recommended |
| Information for Employees (Art. 6 and 19 nDSG; Art. 328b CO) | Mandatory | Mandatory | Mandatory | Mandatory |
| Privacy Policy for Website (Art. 6 and 19 nDSG) | Mandatory | Mandatory | Mandatory | Mandatory |
| Process for Data Subject Rights (Art. 28 nDSG; Art. 16 ff. nDSV) | Recommended | Mandatory | Recommended | Mandatory |
| Documentation of Data Security Measures (Art. 8 nDSG; Art. 1 ff. nDSV) | Recommended | Recommended | Recommended | Recommended |
| Guidelines for Data Security Breaches (Art. 24 DSG; Art. 15 nDSV) | Recommended | Mandatory | Mandatory | Mandatory |
| Data Protection Impact Assessment (Art. 22 nDSG) | Recommended | Mandatory | Recommended | Mandatory |
| Agreements with Data Processors | Mandatory | Mandatory | Mandatory | Mandatory |
| Access Logs (Art. 8 nDSG; Art. 4 nDSV) | – | *** | – | *** |
Legend:
PD = Personal Data
* No processing of particularly sensitive PD
** Processing of particularly sensitive PD
*** Mandatory if processing a large volume of particularly sensitive personal data in an automated manner or conducting high-risk profiling, and data protection cannot be ensured through preventive measures.