Skip to content Skip to footer



Loading Results

Data Protection & ICT Law

Helping our clients to control and protect their personal data and unlock their value in a compliant way

In today’s world, there is no way around protecting personal data through a robust data protection organization and governance. In fact, significant consequences arose for companies (also for Swiss companies) after the General Data Protection Regulation ("GDPR") came into force in the European Union a few years ago. Many countries globally have followed this trend. In Switzerland, the revised Swiss Data Protection Act ("DPA") is expected to apply in Switzerland from September 2023. Compared to the current data protection laws, the revised DPA will entail significant tightening of the law. In many respects, the revised DPA aims to align with the regulation in the EU but some aspects differ from the GDPR ("Swiss Finish"). In the event of any violations of the DPA, the responsible persons within a company may face criminal sanctions. Swiss companies should therefore analyse the need for implementation carefully regardless of their existing DPA compliance and take the necessary measures soon enough.

Data protection as a strategy 

Data protection is not only a regulatory requirement, but can also be pursued as a strategic approach and thus contribute to the business success of a company:

  • Particularly in the context of Big Data and the high value of personal data, our experience shows that carefully pursued data protection helps a company move forward in its strategy.
  • By implementing a robust data protection organization and governance, your company achieves a "gold standard" in handling personal data and builds trust with customers.

We would be happy to support you in using data protection as a strategic tool for business success in your company.

Strategic benefits of data protection

Information and Communication Technology Law (ICT Law)

In today's increasingly digitalized environment, companies are also increasingly confronted with technology law issues (e.g. digital transformation, e-commerce, artificial intelligence, licence management, etc.). We have in-depth experience with ICT legal topics and also support our clients in the implementation of industry-specific ICT legal requirements (e.g. in the financial and life sciences sectors).


Cyberlaw is the body of rules in relation of information technology and information and communications technology (ICT) security.

The legal services offered by Cyberlaw provide a 360° protection framework for companies, institutions and individuals.

All companies across industries are susceptible to a cyber security incident that can arise from insider, e.g. employees or contractors or outsiders, e.g. competitors or governments.

Which companies need to incorporate Cyberlaw into their compliance models?
  • Regulated entities, such as financial sector, health & life sciences, insurance
  • Critical infrastructure operators and essential service operators
  • Companies subject to secrecy obligations or holding intangible assets and/or trade secrets
  • Companies in charge for data processing for third parties, e.g. IT service operators or platforms


Our services

With our experience and expertise in data protection and ICT law, we are the partner of choice both for setting up your data protection organisation and for specific data protection and ICT law concerns. Thanks to our coordinated support, complex regulations become conceivably simple.

Data protection laws require the ability to identify, control and react to data protection risks, including clearly defined data protection roles and responsibilities. We will develop a data protection management system that enables you to govern your organisation.

What we can support you with:
  • Definition of the relevant roles and TCRs (task – competence - responsibility) within the client in order to meet the new data protection requirements, e.g.: Data Protection Officer and Data Owners
  • Drafting and Review of a data protection governance framework, including policies and procedures
  • GAP analysis: We uncover your data protection gaps and help you close them

Many privacy laws give data subjects a number of rights to which organisations are obliged to respond. It is essential for an organisation to be able to facilitate such requests.

What we can support you with:
  • Assessment whether appropriate processes are in place to deal with data subject rights and definition of the necessary processes for the enforcement of rights of access, rectification, deletion, restriction of processing, objection and data portability
  • Design of processes related to data subject requests
  • Definition of deletion rules and process for periodic deletion of personal data
  • Advice on individual requests

Data controllers must provide users with sufficient information before processing personal data.

What we can support you with:
  • Analysis of the client's information duties and creation of a long-list of information needed to be provided to the data subjects (clients) in order to enable them to exercise their rights
  • Review resp. update of the Data Privacy Policy in order to ensure compliance with the revised DPA
  • Review resp. provision of a Data Processing Agreement template incl. Confidentiality Declaration
  • Checklist to assess whether a Data Processing Agreement, a Joint Controller Agreement or a Confidentiality Declaration is needed in case of exchange of personal data with third parties

It is essential that your employees know how to handle personal data.

What we can support you with:
  • Review and update of the internal data protection policies and procedures

A detailed and precise documentation of your processing activities is required by law.

What we can support you with:
  • Identification of the relevant internal and external data processing activities
  • Assessment of the legal basis for the processing activities
  • Creation of the inventory incl. the relevant attributes (e.g. purpose of processing, description of the data subjects and categories of personal data, categories of recipients, etc.)
  • Definition of a process for maintaining the inventory

A significant impetus of global data protection laws is the need to conduct DPIAs to help identify and minimise data protection risks which a new process, technology, system or device might have on an individual.

What we can support you with:
  • Deliver a policy and procedure that enables you to assess privacy risks across all activities that process personal data;
  • Assist you with conducting the DPIA (DPIA-as-a-service);
  • Provide you with a tool to conduct the DPIA

The transparency principle requires controllers to inform individuals about how they collect, use, store, transfer and secure personal data through a website privacy notice at the time the data is collected.

What we can support you with:
  • Review and modify website privacy notices for the applicable data privacy laws
  • Provision of a template to inform data subjects and obtain consent (if required)
  • Advise on consent management processes

Your marketing and communication activities require compliance to the data protection laws.

What we can support you with:
  • Review and update of the cookie notification
  • Provision of a template for the assessment of the legitimate interest
  • Analysis of the profiling activities

The revision of the Data Protection Act requires that your staff know the legal regulations and apply them consistently. Building awareness also means raising awareness.

What we can support you with:
  • Creation of documents for awareness raising and training of staff (e.g. one-pager, leaflets, handbooks, content for intranet, etc.)
  • Conduct training and awareness courses and / or webinars
  • Drafting of information letter raising awareness of the employees regarding the new data protection requirements

The Data Protection Laws require that personal data must be deleted if it is no more required. At the same time, data may be subject to retention obligations.

What we can support you with:
  • Design deletion approach;
  • Identify retention periods;
  • Draft general deletion concept; and
  • Assist in questions of implementation

For important or critical processing operations, companies want to know whether they comply with applicable data protection laws, especially whether the processing is lawful.

What we can support you with:
  • Memoranda and legal opinions

The FDPIC requires a risk assessment event if Standard Contractual Clauses (SCC) are submitted. Moreover, you are required to reach compliance with data protection laws

What we can support you with:
  • Re-evaluation and (cloud) risk assessment: Especially for companies transferring personal data from Switzerland to the US
  • Data protection / privacy concept: Support in the design of the configuration to achieve compliance with data protection laws

Companies must ensure that their numerous contracts with third parties processing data for them are legally compliant.

What we can support you with:
  • Preparation of templates for standard data processing and joint controller agreements
  • Implement software-based contract management solutions for data processing and joint controller agreements.
  • Audits of data processors

Supervisory Board and Management Board nowadays want to know, whether their data protection management system is robust enough and whether the staffing is appropriate. The aim is to understand the risk exposure and maturity towards the market.

What we can support you with:
  • Identify and assess in-scope processes
  • Calculate the necessary FTEs
  • Recommendations on how to close any gaps identified
  • Risk rate the findings so that you can easily understand what tasks have the highest priority and which pose the highest level of risk

The ability to notify and forensically investigate the breach is critical to protecting data. Data breaches may have to be reported within a specified time frame.

What we can support you with:
  • Advice on legal requirements for data breach response policies and procedures
  • Advise in case of required notification of data breaches, including how to deal with public authorities.

Many data privacy laws place restrictions on transfers of personal data outside their country of jurisdiction, e.g. when introducing cloud services like Office365, Successfactors, Workday etc. We help designing the architecture from a legal standpoint and recommend the safeguards that are required to be put in place.

What we can support you with:
  • Identify legal requirements across the globe including localization requirements;
  • Identify necessary safeguards;
  • Draft and implement Binding Corporate Rules

Information and communication technologies (ICT) shape our everyday lives. IT solutions sometimes form the basis of an entire business model. For all parties involved, it is of great interest that the corresponding contracts are clear and comprehensive.

What we can support you with:
  • Advice for ICT projects and transactions, including concept, structure, contracting, negotiations, SLAs, and legal support for implementation.
  • Issues related to the Internet, e-commerce, or the Internet of Things (e.g., disclaimers and terms of use, legal framework)
  • Legal issues relating to communication technology

Your benefits

Industry-leading services covering the whole spectrum of data protection


Professional advice from internal and external experts and lawyers


Guaranteed compliance with EU GDPR and/or Swiss FADP


Data is the “new oil”. Every organisation should have adequate technical controls to safeguard their most precious asset.

Philipp Rosenauer, Head Data Privacy | ICT | Implementationᐩ, PwC Switzerland

Do you have any questions?

Contact us

Philipp Rosenauer

Philipp Rosenauer

Head Data Privacy | ICT | Implementationᐩ, PwC Switzerland

Tel: +41 58 792 18 56

Claudia Liliane Jung

Claudia Liliane Jung

Data Privacy | ICT | Implementationᐩ, PwC Switzerland

Tel: +41 58 792 4728

Adrien Tharin

Adrien Tharin

Co-Head of FinTech, Blockchain and Digital Assets, PwC Switzerland

Tel: +41 58 792 92 24

Lorena Rota

Lorena Rota

Data Privacy | ICT | Implementationᐩ, PwC Switzerland

Tel: +41 58 792 2750

Anna Maria Tonikidou

Anna Maria Tonikidou

Data Privacy | ICT | Implementationᐩ, PwC Switzerland

Tel: +41 58 792 46 89