Chapter 5 (Art. 25 - 35) — Special Provisions on Data Processing by Federal Bodies
Section 1: Data Protection Officer
Every federal body shall appoint a data protection officer. Two or more federal authorities may appoint a joint data protection officer.
- The data protection officer must meet the following requirements:
- a. He or she has the required specialist knowledge.
- b. He or she carries out his or her work in relation to the federal body in a professionally independent manner and is not bound by instructions.
- He or she must carry out the following tasks:
- a. He or she participates in applying the data protection regulations, in particular in that he or she:
  - examines the processing of personal data and recommends corrective measures if a breach of the data protection regulations is established;
  - advises the controller on preparing the data protection impact assessment and reviews its implementation.
- b. He or she serves as a contact point for data subjects.
- c. He or she trains and advises employees of the federal body on data protection matters.
- The federal body has the following obligations in relation to the data protection officer:
- a. It shall grant him or her access to all information, documents, records of processing activities and personal data that he or she requires to fulfil his or her tasks.
- b. It shall ensure that he or she is notified of any breach of data security.
- It shall publish contact details for the data protection officer online and notify the FDPIC of these details.
The data protection officer serves as the FDPIC’s contact point for any questions in connection with the processing of personal data by the federal body concerned.
Section 2: Duties to Provide Information
The federal body shall inform the recipient about the up-to-dateness, reliability and completeness of the personal data that it has disclosed, unless this information is evident from the data themselves or from the circumstances.
If the data subject is not under any obligation to provide information, the responsible federal body shall inform him or her of this fact in relation to any systematic collection of personal data.
Section 3: Notifying the FDPIC of Projects for the Automated Processing of Personal Data
- The responsible federal body shall notify the FDPIC of any planned automated processing activities at the time that the decision is taken to develop or approve the project.
- Notification must include the details in Article 12 paragraph 2 letters a–d FADP and the anticipated date on which the processing activities will begin.
- The FDPIC shall record the notification in the register of processing activities.
- The responsible federal body shall update the notification on transition to productive operations or termination of the project.
Section 4: Pilot Projects
A pilot trial is mandatory if any one of the following conditions is satisfied:
- a. Fulfilling a task requires technical innovations, the effects of which must first be evaluated.
- b. Fulfilling a task requires significant organisational or technical measures, the effectiveness of which must first be tested, in particular in the case of the cooperation between federal and cantonal authorities.
- c. Fulfilling a task requires personal data to be made accessible in the online search process.
- Before consulting the administrative units with an interest, the federal body responsible for the pilot trial shall explain how it planned to comply with the requirements under Article 35 FADP, and invite the FDPIC to provide its opinion.
- The FDPIC shall provide its opinion on whether the authorisation requirements under Article 35 FADP are met. The federal body shall provide it with all the documents required to do this, and in particular:
- a. a general description of the pilot trial;
- b. a report that demonstrates that fulfilling the statutory tasks requires processing under Article 34 paragraph 2 FADP and that a test phase before the act formally comes into force is essential;
- c. a description of the internal organisational structure and the data processing and control procedures;
- d. a description of the security and data protection measures;
- e. the draft of an ordinance that regulates the details of the processing, or the plan for an ordinance;
- f. the plans for the various phases of the pilot trial.
- The FDPIC may request further documents and conduct additional enquiries.
- The federal body shall inform the FDPIC of any significant change that affects compliance with the requirements of Article 35 FADP. The FDPIC shall again provide its opinion if required.
- The FDPIC’s opinion shall be included with the application to the Federal Council.
- Automated data processing shall be regulated in an ordinance.
- The competent federal body shall submit the draft of the evaluation report for the Federal Council to the FDPIC for the FDPIC to provide an opinion.
- The competent federal body shall submit the evaluation report to the Federal Council with the FDPIC’s opinion.
If personal data are processed for purposes not related to specific persons, in particular research, planning and statistics, but at the same time are processed for a different purpose, the exceptions under Article 39 paragraph 2 FADP only apply to the processing for purposes not related to specific persons.