The Data Protection Advisor (DPA)

Philipp Rosenauer
Partner Legal, PwC Switzerland

In the revised Federal Act on Data Protection (revFADP), a new position called the Data Protection Advisor – the Swiss counterpart of the EU Data Protection Officer (DPO) – has been created. At first glance, this position seems similar to its EU counterpart as envisaged in the General Data Protection Regulation (GDPR). What are the main differences between these two positions?

Data Protection Advisor and Data Protection Officer – a difference in name only?

There are some differences between the Swiss Data Protection Advisor (DPA) and the GDPR Data Protection Officer (DPO).

First, under the revFADP it is generally not mandatory to appoint a DPA; the Data Protection Advisor is appointed on a voluntary basis.

A major incentive for companies to appoint a DPA is that the controller is not obliged to consult the Federal Data Protection and Information Commissioner (FDPIC) if a Data Protection Impact Assessment (DPIA) results in a high level of risk for the data subject, but may consult its DPA instead. It should be noted that it is still the controller, not the DPA, who is accountable for compliance with data protection rules. You can also appoint an external party to fulfil this role.

Why should I appoint a DPA?

The DPA serves not only as a point of contact within the company, but also as a link to the data protection authorities, in particular the FDPIC. The DPA therefore needs to have an adequate level of knowledge as required for the position.

If you decide to appoint a Data Protection Advisor, their name and contact details must be listed in the Privacy Notice.

The DPA must be independent and not subject to instructions, meaning that they must not have an executive function.

Finally, it is essential that the DPA receives the necessary resources and is given the opportunity to be part of the compliance function within the company.

What are the tasks of the DPA?

In particular, the DPA has the following duties and responsibilities:

  • Training and advising the controller in matters of data protection.
  • Participating in the implementation of data protection regulations.
  • Monitoring the processing of personal data and compliance with the corresponding requirements. If the DPA determines that data protection regulations have been violated, they should recommend corrective measures.
  • The DPA is also involved in conducting and analysing DPIAs (in particular if the company refrains from consulting the FDPIC). To this end, the controller must provide the necessary resources to the DPA and grant access to all information, documents, lists of processing activities and personal data.

My company already has a DPO appointed under the GDPR. Does this suffice?

If your company already has a DPO, e.g. because it is part of a company group, the group DPO can also act as the company's DPA. For example, if your company has established a group DPO under the GDPR in an EU country, your branch located in Switzerland does not necessarily need its own Swiss DPA. Otherwise, you can also outsource this position to an external firm.
