Ordinance
on Data Protection
(Data Protection Ordinance, DPO)

¹ The private con­trol­ler and its private pro­cessor must is­sue reg­u­la­tions on auto­mated pro­cessing if they:

a.

pro­cess a large volume of sens­it­ive per­son­al data; or

b.

carry out high-risk pro­fil­ing.

² The reg­u­la­tions must in par­tic­u­lar in­clude de­tails of the in­tern­al or­gan­isa­tion­al struc­ture, data pro­cessing and con­trol pro­ced­ures and the meas­ures that guar­an­tee data se­cur­ity.

³ The private con­trol­ler and its private pro­cessor must up­date the reg­u­la­tions reg­u­larly. If a data pro­tec­tion of­ficer has been ap­poin­ted, the reg­u­la­tions must be made avail­able to the of­ficer.