Federal Act
on Data Protection
(Data Protection Act, FADP)

¹ The con­trol­ler and the pro­cessor shall each main­tain a re­cord of their pro­cessing activ­it­ies.

² The con­trol­ler's re­cord shall as a min­im­um con­tain:

a.

the iden­tity of the con­trol­ler;

b.

the pur­pose of pro­cessing;

c.

a de­scrip­tion of the cat­egor­ies of data sub­jects and the cat­egor­ies of pro­cessed per­son­al data;

d.

the cat­egor­ies of re­cip­i­ents;

e.

if pos­sible, the re­ten­tion peri­od for the per­son­al data or the cri­ter­ia for de­term­in­ing this peri­od;

f.

if pos­sible, a gen­er­al de­scrip­tion of the meas­ures taken to guar­an­tee data se­cur­ity un­der Art­icle 8;

g.

if the data are dis­closed abroad, de­tails of the State con­cerned and the guar­an­tees un­der Art­icle 16 para­graph 2.

³ The pro­cessor's re­cord shall con­tain in­form­a­tion on iden­tity of the pro­cessor and of the con­trol­ler, the cat­egor­ies of pro­cessing car­ried out on be­half of the con­trol­ler, and the in­form­a­tion men­tioned in para­graph 2 let­ters f and g.

⁴ The fed­er­al bod­ies shall no­ti­fy the FD­PIC of their re­cords of pro­cessing activ­it­ies.

⁵ The Fed­er­al Coun­cil shall provide ex­cep­tions for leg­al en­tit­ies that have few­er than 250 em­ploy­ees and whose data pro­cessing poses a neg­li­gible risk of harm to the per­son­al­ity of the data sub­jects.