Data protection advisor

In this article

Under certain conditions, companies can or must appoint a data protection officer (DPO). This requirement is anchored, for example, in Art. 10 FADP, Art. 37 to 39 GDPR as well as in §38 BDSG.
Regardless of whether there is a legal obligation to appoint a DPO, companies can appoint a DPO on a voluntary basis to minimise data protection risks.

What specifically applies in Switzerland? (FADP)

Data controllers may appoint a data protection officer (DPO).

The data protection officer is the point of contact for data subjects and for the authorities responsible for data protection in Switzerland. They have the following tasks in particular:
  1. Training and advising the data controller on data protection issues
  2. Participation in the application of data protection rules
If the data controller does not appoint a DPO, they are still obliged to implement the requirements of the FADP. In this case, this task is incumbent on the management of the data controller.

If a significant risk to data subjects is identified during preparation of the processing directory (Art. 12 FADP) and the risk assessment contained therein, the data controller must carry out a data protection impact assessment in accordance with Art. 22 GDPR. If there is a high risk for the data subjects, the FDPIC must be consulted.

Preparation of the processing directory as well as a data protection impact assessment are challenging and time-consuming tasks. Not to mention the consultation of the FDPIC and the subsequent process. We therefore recommend - even if there is no obligation to appoint - the involvement of a data protection expert / appointment of a data protection officer.
Consultation of the FDPIC may be forgone if the following conditions are met:
  • The DPO exercises the function vis-à-vis the data controller in a professionally independent manner and not bound by instructions.
  • The DPO does not engage in any activity that is incompatible with the tasks as DPO.
  • The DPO has the necessary expertise.
  • The data controller publishes the contact details of the DPO and communicates them to the FDPIC.

What specifically applies to EU member states? (GDPR)

Art. 37 GDPR contains the rules for the appointment of a data protection officer (DPO), Art. 38 GDPR defines the position of the DPO within the company. Art. 39 GDPR specifies the tasks of a DPO.

The GDPR provides the legal framework for the mandatory appointment of a data protection officer. It does this regardless of the number of employees in a company. Rather, it places - according to Art. 37 (1) (b) GDPR - the core activities at the centre of the obligation:
An obligation to appoint exists if the core activity of a company consists in carrying out processing operations which, due to their nature, scope and/or purposes, require extensive regular and systematic monitoring of data subjects, or if the core activity of the company consists in the extensive processing of special categories of data (Article 9 GDPR) or of personal data relating to criminal convictions and offences pursuant to Article 10 GDPR.
If the data controller does not appoint a DPO, they are still obliged to implement the requirements of the GDPR. In this case, this task is incumbent on the management of the data controller.
We recommend - even if there is no obligation to appoint - the involvement of a data protection expert / appointment of a data protection officer.

German companies are subject to the BDSG (German Data Protection Act) in addition to the GDPR; the BDSG imposes additional requirements on the appointment of data protection officers (see below).

What specifically applies in Germany? (GDPR & BDSG)

In addition to the GDPR, Section 38 BDSG requires companies to appoint a data protection officer (DPO) if at least 20 people in the company are usually involved in the automated processing of personal data.

The term "automated processing" includes, for example, data processing using standard office communication programmes (e.g. email system, spreadsheet) as well as special application software, e.g. in the HR department and in marketing. Pursuant to Section 26 (8) BDSG, the number of employees also includes part-time employees, temporary workers and interns.
Furthermore, regardless of the number of employees, companies must appoint a DPO if the company is subject to the obligation to conduct a data protection impact assessment pursuant to Art. 35 DPA or if the company processes personal data on a business basis for the purpose of transmission, anonymised transmission or for the purpose of market or opinion research.

For German companies above a certain size, it can be assumed that there is an obligation to appoint. We recommend - even if there is no obligation to appoint - the involvement of a data protection expert / appointment of a data protection officer.