In the revised Federal Act on Data Protection (revFADP), a new position called the Data Protection Advisor – the Swiss counterpart of the EU Data Protection Officer (DPO) – has been created. At first glance, this position seems similar to its EU counterpart as envisaged in the General Data Protection Regulation (GDPR). What are the main differences between these two positions?
There are some differences between the Swiss Data Protection Advisor (DPA) and the GDPR Data Protection Officer (DPO).
First, under the revFADP it is in general not mandatory to appoint a DPA. The Data Protection Advisor is only appointed voluntarily.
A major incentive for companies to appoint a DPA is that the controller is not obliged to consult the Federal Data Protection and Information Commissioner (FDPIC) if a Data Protection Impact Assessment (DPIA) results in a high level of risk for the data subject, but may consult its DPA instead. It should be noted that it is still the controller, not the DPA, who is accountable for compliance with data protection rules. You can also appoint an external party to fulfil this role.
The DPA serves not only as a point of contact within the company, but also as a link to the data protection authorities, in particular the FDPIC. The DPA therefore needs to have an adequate level of knowledge as required for the position.
If you decide to appoint a Data Protection Advisor, their name and contact details must be listed in the Privacy Notice.
The DPA must be independent and not subject to instructions, meaning that they must not have an executive function.
Finally, it is essential that the DPA receives the necessary resources and is given the opportunity to be part of the compliance function within the company.
In particular, the DPA has the following duties and responsibilities:
If your company already has a DPO, e.g. because it operates as a company group, the group DPO can act as the company DPA as well. For example, if your company has established a group DPO under the GDPR in an EU country, your branch located in Switzerland does not necessarily need its own Swiss DPA. Otherwise, you can also outsource this position to an external firm.
Dr. Günther Dobrauz
Partner and Leader Legal, PwC Switzerland
Tel: +41 58 792 14 97
Partner Legal, PwC Switzerland
Tel: +41 58 792 18 56
Senior Manager | Data Privacy | ICT | Implementationᐩ, PwC Switzerland
Tel: +41 58 792 4728
Director | Co-Head of FinTech, Blockchain and Digital Assets, PwC Switzerland
Tel: +41 58 792 92 24
Data Privacy | ICT | Implementationᐩ, PwC Switzerland
Tel: +41 58 792 2750
Anna Maria Tonikidou
Senior Associate | Data Privacy | ICT | Implementationᐩ, PwC Switzerland
Tel: +41 58 792 46 89