Federal Act
on Data Protection
(Data Protection Act, FADP)


Art. 22 Data protection impact assessment

1 If processing is likely to result in a high risk to the data subject's personality or fundamental rights, the controller shall carry out a data protection impact assessment beforehand. If several similar processing procedures are planned, a joint assessment may be carried out.

2 The existence of a high risk, in particular when using new technologies, depends on the nature, extent, circumstances and purpose of the processing. A high risk arises in particular:

a. in the case of the large-scale processing of sensitive personal data;
b. if public areas are systematically monitored on a large scale.

3 The data protection impact assessment shall include a description of the planned processing, an evaluation of the risks to the data subject's personality or fundamental rights and a description of the measures to protect personality and fundamental rights.

4 Private controllers are exempt from having to carry out a data protection impact assessment if they are required by law to process the data.

5 A private controller may dispense with carrying out a data protection impact assessment if it uses a system, product or service that is certified under Article 13 for the intended use, or if it complies with a code of conduct under Article 11 that satisfies the following requirements:

a. The code of conduct is based on a data protection impact assessment.
b. It provides for measures to protect the personality and the data subject's fundamental rights.
c. It has been submitted to the FDPIC.
