
Data Protection Officer

A data protection officer (DPO) monitors an organization's compliance with data protection law, advises on it, and is the contact point for authorities and data subjects. Under the GDPR a DPO is mandatory in certain cases; in Switzerland it is voluntary.

A data protection officer (DPO) is a qualified person who oversees an organization’s compliance with data protection law, advises management, and acts as the contact point for supervisory authorities and data subjects. It should not be confused with the FDPIC, Switzerland’s federal data protection supervisory authority. Whether the role is mandatory depends on the legal regime. Note: This article is a general overview, not legal advice.

What does a data protection officer do?

The DPO informs and advises on data protection obligations, monitors compliance, advises on data protection impact assessments, and cooperates with the supervisory authority (Art. 39 GDPR). The DPO must perform these tasks independently and may not be dismissed or penalized for carrying them out (Art. 38 GDPR).

When is a data protection officer mandatory?

Under the GDPR, a DPO is mandatory in three independent cases (Art. 37 GDPR):

  • The organization is a public authority or body.
  • Its core activity consists of large-scale, regular, and systematic monitoring of individuals.
  • Its core activity involves large-scale processing of special categories of personal data, such as health or biometric data.

For most private companies, the second and third cases are the relevant ones; the first applies to state bodies.

Does a Swiss company need a data protection officer?

Unlike the GDPR, Switzerland’s revised Federal Act on Data Protection does not require a data protection officer. For private companies the role is voluntary: you may appoint a data protection advisor, but you do not have to (Art. 10 FADP). Doing so brings benefits, such as a simplified consultation for data protection impact assessments. The advisor must be qualified and independent, and must be notified to the FDPIC.

Sources