22 July 2022

Data protection certifications in Switzerland

  • Articles
  • Legal
  • Data / Technology / IP
  • Regulatory Compliance

With the total revision of the Federal Act on Data Protection (FADP), not only the Ordinance to the Data Protection Act (DPA) is being revised, but also the Ordinance on Data Protection Certifications (DPC).

In addition to data processing systems (procedures, organisation) and products (programmes, systems, apps), the revised Ordinance on Data Protection Certification (ODPD) will now also allow services to be certified. This should, for example, increase the transparency of data processing or reduce the risk of data protection violations, which can improve trust in a service. Certified data processors are exempt from the obligation to conduct a data protection impact assessment. Certification includes all components of data processing that would have had to be checked by means of a data protection impact assessment. 

According to the FDPIC, the ISO standard 27701 will now be mentioned in Art. 6 of the FDPIC. This is an extension of ISO/IEC 27001 to include data protection and can only be achieved in conjunction with it. ISO/IEC 27001 standardises management systems for information security. The addition of data protection-relevant components to this standard (ISO 27701) is intended to improve data protection in service offerings worldwide. The certification procedure remains optional. The Federal Office of Justice, the FDPIC and other federal agencies such as the Swiss Accreditation Service (SAS) as well as private certification bodies are involved in the revision. The draft of the VDSZ is not yet final.