Data Protection Services

Helping our clients to control and protect their personal data and unlock their value in a compliant way

In today’s world, protecting personal data through a robust data protection organization and governance is “key”. In fact, significant consequences arose for companies (including Swiss) upon the entry into force of the EU General Data Protection Regulation ("GDPR") in May 2018. Many countries globally have followed this regulatory trend.

In Switzerland, the revised Swiss Data Protection Act ("DPA") came into force on the 1. September 2023 and entails significant tightening of the law. In many respects, the revised DPA aims to align with the regulation in the European Union, but some aspects differ from the GDPR ("Swiss Finish"). Notably, under the DPA, natural persons acting on behalf of a company (as the responsible party) may be personally liable to prosecution. Swiss companies should therefore review their existing data protection framework, carefully analyze the “gaps” to the revised DPA and take the necessary measures timely, in order to be DPA-ready from 1. September, 2023.

Compliance with data law regulations

With our experience and expertise in data protection and ICT law, we are the partner of choice both for setting up your data protection organisation and for specific data protection and ICT law concerns. Thanks to our coordinated support, complex regulations become conceivably simple.

Do you want to know how to prepare for the implementation of the revised FADP? Find all the relevant information here in our data protection blog series


Maturity Assessment

Supervisory Board and Management Board nowadays want to know, whether their data protection management system is robust enough and whether the staffing is appropriate. The aim is to understand the risk exposure and maturity towards the market.

What we can support you with:
  • Identify and assess in-scope processes
  • Calculate the necessary FTEs
  • Recommendations on how to close any gaps identified
  • Risk rate the findings so that you can easily understand what tasks have the highest priority and which pose the highest level of risk


Data protection laws require the ability to identify, control and react to data protection risks, including clearly defined data protection roles and responsibilities. We will develop a data protection management system that enables you to govern your organisation.

What we can support you with:
  • Definition of the relevant roles and TCRs (task – competence - responsibility) within the client in order to meet the new data protection requirements, e.g.: Data Protection Officer and Data Owners
  • Drafting and Review of a data protection governance framework, including policies and procedures
  • GAP analysis: We uncover your data protection gaps and help you close them

Cloud Journey

With a planned cloud migration, data protection considerations arise, especially in connection with cross-border data transfers. In regulated industries, regulatory requirements (e.g. FINMA) and industry standards are also relevant. In addition, professional secrecy considerations arise.

What we can support you with:
  • Cloud risk assessment: Especially for companies transferring personal data from Switzerland to other countries (for example, the US)
  • Provision of a targeted Cloud Assessment Checklists for your self-assessment (with our without further PwC support)
  • Vendor Assessment
  • Data protection / privacy concept: Support in the design of the configuration to achieve compliance with data protection laws
  • Contract design and review
  • Provision of Cloud Computing Contract Checklist
  • Drafting and review of and policies and procedures (e.g. IT Acceptable Use, IT Cloud Computing Policy)

Data Protection Impact Assessment (DPIA)

A significant impetus of global data protection laws is the need to conduct DPIAs to help identify and minimise data protection risks which a new process, technology, system or device might have on an individual.

What we can support you with:
  • Deliver a policy and procedure that enables you to assess privacy risks across all activities that process personal data;
  • Assist you with conducting the DPIA (DPIA-as-a-service);
  • Provide you with a tool to conduct the DPIA

Third Party Management and Vendor Assessment

Companies (“controllers”) that entrust another company with the processing of personal data (“processors”, e.g. supplier) must ensure by contract that the entrusted company takes appropriate technical and organizational measures to protect the data.

Also in case of joint controllership, there may be a legal obligation (or other sound reasons) to contractually regulate the respective obligations and rights with respect to the personal data.

What we can support you with:
  • Third party assessments
  • Drafting and review of contracts with processors or other third parties
  • Provision of templates for data processing agreements and joint controllership contracts
  • Provision of checklists to evaluate the qualification of a third party as processor
  • Implement software-based contract management solutions for data processing and joint controller agreements

Data protection as a strategy 

Data protection is not only a regulatory requirement, but can also be pursued as a strategic approach and thus contribute to the business success of a company:

  • Particularly in the context of Big Data and the high value of personal data, our experience shows that carefully pursued data protection helps a company move forward in its strategy.
  • By implementing a robust data protection organization and governance, your company achieves a "gold standard" in handling personal data and builds trust with customers.

We would be happy to support you in using data protection as a strategic tool for business success in your company.


Cyberlaw is the body of rules in relation of information technology and information and communications technology (ICT) security.

The legal services offered by Cyberlaw provide a 360° protection framework for companies, institutions and individuals.

All companies across industries are susceptible to a cyber security incident that can arise from insider, e.g. employees or contractors or outsiders, e.g. competitors or governments.

Attacks on information and communications technology (ICT) systems have significantly increased since the beginning of the pandemic. Swiss companies have also recently been more and more affected across all sectors. In this context, regulatory and legal aspects of dealing with ICT risks are becoming increasingly important. In this context, digital workplace design is of great importance. Please find out here how we can help your company to protect your modern workplace.

All companies across industries are susceptible to a cyber security incident that can arise from:

  1. Insiders: employees, partners, contractors, due to negligence, information leakage or human error
  2. Outsiders: hackers, organized crime, competitors, governments, industrial espionage
Which companies need to incorporate Cyberlaw into their compliance models?
  • Regulated entities, such as financial sector, health & life sciences, insurance
  • Critical infrastructure operators and essential service operators
  • Companies subject to secrecy obligations or holding intangible assets and/or trade secrets
  • Companies in charge for data processing for third parties, e.g. IT service operators or platforms


What we can support you with

Your benefits

Industry-leading services covering the whole spectrum of data protection


Professional advice from internal and external experts and lawyers


Guaranteed compliance with EU GDPR and/or Swiss FADP


Data protection is not only about being compliant with the law. It is also about building trust as a company vis-a-vis your stakeholders, clients and employees.

Philipp RosenauerPartner, Legal, PwC Switzerland