Switzerland introduces new standards in the field of data protection certifications. It is worth for all entrepreneurs to familiarize themselves with the latest legal architecture regarding this issue.
With the complete revision of the Federal Act on Data Protection (FADP), both the Regulation to the Data Protection Act (DPA) and the Ordinance on Data Protection Certifications (DPC) are amended.
In addition to data processing systems (procedures, organization) and products (programs, systems, applications), the revised Ordinance on Data Protection Certification (ODPD) will now also enable the certification of a segment of services. In principle, this should, for example, increase the transparency of data processing or reduce the risk of events such as data protection breaches, which in turn may improve trust in the service. Certified data processors are exempt from the obligation to carry out a data protection impact assessment. The certification process covers all relevant data processing elements that would need to be checked as part of a data protection impact assessment.
According to the FDPIC, ISO 27701 will now be listed in Art. 6 FDPIC. It is an extension of ISO/IEC 27001 to data protection and can only be achieved in conjunction with it. ISO/IEC 27001 is responsible for the standardization of information security management systems. The addition of data protection elements to this standard (ISO 27701) is aimed at improving data protection in service offerings worldwide. It is worth adding that the certification procedure remains optional. The verification process will involve the Federal Office of Justice, the FDPIC and other federal agencies such as the Swiss Accreditation Service (SAS), as well as private certification bodies. At this stage, the VDSZ project is not yet final.