Data Protection-Compliant Organisation

Companies need not only technical, but also organizational and legal measures to reduce data privacy risks arising from the processing of customer, employee and supplier data.

The data protection laws are "mandatory targets" which must be met both in designing and managing IT systems and company work processes and in the organisation of the company itself. The organization, tasks, process flows and associated data flows in the company must be designed in compliance with data protection. It must be clearly defined which employees, which departments and business units are allowed to use existing personal data in the enterprise for any given task.

It is also equally necessary to manage who among your suppliers or other outside business contacts may legally use customer-related data and customer profiles such as for marketing and other services such as cross-selling.
The in-house and external sources of customer data (such as public records, web, data distributors, affiliates) have to be determined, as well as how, when and by whom these data assets are transferred to the company's own databases, maintained and for which predefined purposes they may be used.

In addition, legally-compliant custody and timely deletion of data has to be organised. Data protection-complaint waste paper and electronic data media disposal has to be arranged.
These and other data processing procedures should be set forth in a continuously updated data processing policy, which ensures the necessary transparency in the design and operation of IT systems and the processing of personal data.

Companies must also now register any data collections with the FDPIC when they regularly involve sensitive personal data or profiles. This is also the case when personal data is regularly disclosed to third parties. Federal agencies, on the other hand, must register all of their data collections. These are just a few of the many organizational tasks related to data protection for companies and government agencies.

In the area of organizational law, we offer the following data protection services:

Data protection plans

The beginning of every IT project is a plan. It must include a data protection plan. This raises the question of which legal, organizational and technical measures must be taken to implement the project to conform with data protection. We will take care of the data protection planning and accompany you through the successful implementation of your project.

Development / review of data protection regulations

  • Processing regulations
  • Video surveillance regulations
  • Email monitoring regulations
  • Record-keeping regulations
  • Evaluation rules
  • Data usage regulations
  • Regulations for customer loyalty and bonus programmes
  • Building safety regulations

Development / review of data protection directives

  • Instructions for the use of personal data
  • Filing instructions
  • Instructions for use of removable storage
  • Instructions for password use
  • Payments for private use of company email, internet and phone

Review of internal interfaces

In practice, there is often the desire to use personal data across departments and possibly indefinitely. There are, however, a number of legal requirements for data transfer from one organizational unit to another in the company/public agency. For example, in-house medical officers for an insurance company may pass on health-related data intended only for their eyes only in certain cases and to a limited extent to the insurance company (Article 57 para. 7 Swiss Health Insurance Law) . If a medical officer transmits data beyond that permitted by the Health Insurance Law, she or he may have just violated patient privacy provisions in Swiss insurance law (Art. 33 ATSG) as well as the doctor-patient confidentiality (Article 321 of the Criminal Code). The ordinary use of customer and employee information is subject to certain legal conditions. Steps must be taken, such as technical and organizational measures, to restrict access to personal data only to employees who need it to fulfil their contractual and statutory duties and functions.

We can clarify for you the extent to which data can be exchanged, used and analysed among your different departments and organizational units. In addition, we will also develop solutions so help you use your company's data in as unrestricted a manner as possible under the limits of the law.

Review of external interfaces

Companies often have numerous external interfaces for operation, to affiliated companies, other unrelated companies and sometimes to public agencies.  Typically, interfaces are provided for outsourcing contractors, suppliers and distributors. We check whether the data exchange that takes place on these external interfaces is in compliance with data protection.

Management of data collection lists

On request, we will keep a record of your data files. We will, of course, need your participation in this effort. We must in particular have access to your data collection in order to create and maintain a list.

Registration of data collections

We would be happy to help you register your data collections at the Swiss Federal Data Protection and Information Commissioner.


  • Data protection training for management
  • Data protection courses for employees
  • Industry-specific data protection training
  • Function-specific data protection training

Privacy Policy

For companies that operate in a website or an online store, we also will create a custom "Privacy Policy" to satisfy the legal requirements for transparency, information, choices, security and consent. This will help your company create trust with its online customers and website visitors. It can also take the teeth out of allegations of deliberate misrepresentation of the purposes of customer data collected online.


Schweizer Privacy Law
Hagenholzstrasse 81a
CH-8050 Zürich
Telefon: +41 (0)76 457 70 90