Our Swiss Representative Services
Pursuant to Article 14 of the FADP, do you need to appoint a Data Protection Representative in Switzerland?
- You are a private controller;
- Your registered office or domicile is based outside Switzerland;
- Your processing activities relate to the offering of goods or services to individuals in Switzerland and/or to the monitoring of the behaviour of these individuals (such as tracking or profiling);
- You are processing personal data on a large scale;
- Your processing activities are done on a regular basis;
- Your processing poses a high risk for individuals.
We provide a full range of high-quality representation services
We strive to understand your needs and expectations to provide you with personalized services.
Data Protection Representation services in Switzerland
We act as your Data Protection Representative in Switzerland pursuant to Article 14 of the Swiss Federal Act on Data Protection (FADP). Our offices are located in Geneva.
We handle an unlimited number of DSARs across Switzerland. By “handling”, we mean that we receive requests, perform identity checks (if you instruct us to do so), forward the requests to you (with a free English translation if needed), and answer your questions as to best practices on how to respond to the requests.
Requests from the Swiss Data Protection Authority
We handle an unlimited number of requests from the Swiss Data Protection Authority (the “FDPIC”). We understand that it can be quite daunting for companies to be contacted by data protection authorities. That’s why our team handles such requests with great care and diligence (including free translation if needed).
We assist and support you in the handling of an unlimited number of data breach notifications in Switzerland. We understand that the entire process can be very challenging. We assist in reducing the time and resources – and stress! – required to complete your data breach notifications.
IMPORTANT NOTICE IN CASE OF DATA BREACH: Our contract will not automatically terminate in the event that you experience a data breach. We support you all the time and all the way.
We provide you with a FADP Article 14 Compliance Certificate based on data protection technology through a unique high-level encryption / decryption process (including Blockchain technology) which can be used on your website and on your company material. Check our compliance page to see what it looks like!
We provide you with the wording that you have to include in your privacy policy on your website or in other documents (e.g. those required in clinical trials) with respect to the appointment of EDPO Switzerland as your Swiss Representative, including EDPO Switzerland’s contact details and logo.
We answer all your questions about our services and keep you updated with a weekly newsletter. Our experts are at your disposal to assist you beyond local office hours, accommodating your international time zone.
We provide you with a free English translation of all requests from data subjects and from the Swiss data protection authority (FDPIC) as well as a free English-to-original language reply.
EDPO Just Stands Out
Partner and Head of the European Cyber/Data/Privacy practice of a top-tier American international law firm
What should you look for in a Data Protection Representative?
- What services are included? Are there any extra (hidden) costs?
- What languages are covered? Is translation included in the fees?
- Who is the team? What are their qualifications and experience?
- Does the Data Protection Representative provide data breach notification support?
We cover the world. We cover all industries.
You'll find below a non-exhaustive list of industries that already work with us.
Frequently Asked Questions
Check our FAQ page for more questions and answers.
What is the Federal Act on Data Protection (FADP)?
The FADP, effective since 1 September 2023, is an update of the initial Swiss federal law of 19 June 1992 and it aims to ensure that Swiss data protection regulations align with our modern digital reality. The FADP also underscores Switzerland’s commitment to maintaining its adequacy status with the European Union (EU), ensuring smooth cross-border data transfers.
What is the territorial scope of the FADP? What are some examples of the territorial applicability of the law?
The scope of the revamped FADP is large. Notably, the law’s influence goes beyond Swiss borders, applying to «circumstances that have an effect in Switzerland, even if they were initiated abroad». This expanded jurisdiction ensures that individuals’ data rights remain intact, irrespective of where data processing originates. Moreover, the updated act introduces measures compelling foreign entities handling Swiss individuals’ personal data to comply with the law’s mandates, solidifying the commitment to safeguard data privacy across international boundaries.
Examples of the enlarged scope application:
🛍️ International E-commerce Platforms: Foreign online marketplaces catering to Swiss consumers.
📱 Social Media Networks: Overseas social media giants processing Swiss users’ data for tailored content and targeted ads.
☁️ Cloud Service Providers: Foreign cloud services storing or processing personal data of Swiss residents, even outside Swiss territory.
🏥 Healthcare Innovators: Foreign medical tech entities handling sensitive health data of Swiss patients, like telemedicine services.
💼 Financial Institutions: International financial players managing personal data of Swiss clients, be it for transactions, investments, or compliance.
🌐 IoT Innovations: Makers of IoT devices, no matter their location, collecting and processing personal data of Swiss individuals (like health trackers or smart home devices).
📢 Online Ad Networks: Foreign ad networks tracking Swiss internet users’ online behavior for customized ads or profiling.
📊 Data Analytics Pioneers: Overseas data analytics firms analyzing personal data for insights and decision-making.
Do we need to appoint a representative if we have an establishment in Switzerland?
Switzerland’s stance on this aspect is less straightforward than under the GDPR, which stipulates that foreign organizations do not have to appoint a Representative in the EU if they have an “establishment” there. An establishment in that context “implies the effective and real exercise of activities through stable arrangements.” This can be a branch or a subsidiary, but the legal form (i.e. whether it’s with or without a legal personality) is not the determining factor, so it can also be, for example, a sales office. Under the FADP, there is no specific reference to the term “establishment” and no guidance on the type of “domicile” or organizational structure necessary in Switzerland to exempt foreign companies from the obligation to appoint a Representative.
What constitutes "large scale processing"?
According to the Swiss authorities’ FAQs (in French), the term “on a large scale” refers to cases where data is not processed in isolation or when the processing of data forms a substantial part of the activities of the individual or entity in question.
For example, this can be the processing of patient data by a medical practice or hospital. On the other hand, the isolated processing by a company of the data of an employee who is absent due to illness does not constitute large-scale processing. Large-scale processing occurs in particular when the processing of data constitutes an essential part of the company’s activities.
What are considered processing activities which are performed “on a regular basis”?
According to the Swiss authorities’ FAQs (in French), processing is not considered regular when data is only processed for a limited duration or on an occasional basis. As per the FAQ, this condition should be met, for example, in online commerce. When personal data is the “raw material” for an activity (e.g. for social networks), this is also regular processing.
What processing poses a “high risk” for individuals?
According to the Swiss authorities’ FAQs (in French), this needs to be examined on a case-by-case basis. The high risk may notably arise from the quantity and type of data processed (especially if it involves sensitive data), the purpose of the processing, the manner in which the data is processed (e.g., use of new technologies), any potential transfer of data abroad, and the rights of access to the data (e.g., if a significant or even unlimited number of individuals can access the data).
What is considered “sensitive data”?
The concept of sensitive data is defined exhaustively in Article 5(c) of the FADP. This includes data relating to religious, philosophical, political or trade union opinions or activities, as well as data relating to health, private life or racial origin, criminal or administrative proceedings or sanctions and social welfare measures.
What is the role of the Data Protection Representative under the FADP?
The Representative serves as a bridge between data subjects, data controllers, and the Federal Data Protection and Information Commissioner (FDPIC).
The responsibilities of the Swiss Data Protection Representative are as follows:
- Acting as a conduit for communication with data subjects and the FDPIC.
- Maintaining a copy of the foreign company’s record of processing activities (ROPA).
- Making the ROPA available to the FDPIC upon request.
What are the differences between the Data Protection Representative under the FADP and under the EU's General Data Protection Regulation (GDPR)?
While both share a common goal of fostering data protection, they diverge in certain aspects. For instance, under the FADP, the requirement to appoint a representative applies to a narrower set of circumstances, particularly focusing on processing activities posing high privacy risks. This specificity in scope underlines Switzerland’s unique approach to balancing data protection with practical considerations.
In addition, although the representative acts as a point of contact for data subjects, the data controller remains responsible for fulfilling the duty to provide information during the collection of personal data. Data subjects can only exercise their right of access with the data controller, and not with its representative.
What if I fail to appoint a Data Protection Representative?
Enforcement mechanisms under the FADP take a unique approach. The Federal Data Protection and Information Commissioner (FDPIC) has the power to issue orders for foreign organizations to appoint a Representative. Additionally, the FDPIC can collaborate with foreign data protection authorities to share information or personal data to ensure their legal obligations are fulfilled, under specific conditions.
Non-compliance with the FADP can result in fines, with a maximum penalty of 250,000 CHF (approximately 260,000 EUR or 278,000 USD). Notably, these fines are categorized as criminal fines, rather than administrative fines, and they generally target individuals rather than organizations. When obligations pertain exclusively to companies, criminal liability rests with the directors. This implies that company leaders, governing body members, managing partners, and directors bear the responsibility. Employees are excluded. Irrespective of the circumstances, the individual in question must hold autonomous decision-making authority within a specific domain of the company. If the responsible individual within an organization can’t be identified during an investigation, companies may face fines of up to 50,000 CHF (approximately 52,400 EUR or 56,000 USD).
What is personal (regular) data?
Personal data under the GDPR has a very broad interpretation and includes any information that relates to an identified or identifiable natural person: name, pictures, addresses, phone numbers, e-mail addresses, IP addresses (even dynamic), identification numbers, location data, age, origins, pseudonym, etc.
What is sensitive data?
Sensitive data is personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or a natural person’s sex life or sexual orientation.
What is considered to be processing “on a large scale”?
The GDPR and UK GDPR do not define what constitutes “large scale” processing but guidelines recommend that the following factors be considered when determining whether the processing is carried out on a large scale:
- The number of individuals concerned – either as a specific number or as a proportion of the relevant population
- The volume of data and/or the range of different data items being processed
- The duration, or permanence, of the data processing activity
- The geographical extent of the processing activity
Examples of large-scale processing include:
- processing of patient data in the regular course of business by a hospital
- processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
- processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services
- processing of customer data in the regular course of business by an insurance company or a bank
- processing of personal data for behavioural advertising by a search engine
- processing of data (content, traffic, location) by telephone or internet service providers
Examples that do not constitute large-scale processing include:
- processing of patient data by an individual doctor
- processing of personal data relating to criminal convictions and offences by an individual lawyer
The Swiss Authority defines large scale as follows: “The term ‘large-scale’ refers to cases where data is not simply processed in an isolated way. For example, a medical practice or hospital might process patient data. On the other hand, the isolated processing of the data of an employee who is absent due to illness by a company does not constitute large-scale processing. Large-scale processing occurs in particular when the processing of sensitive data constitutes the essential part of the activities of the person or body in question.”