Data protection certifications in Switzerland
The total revision of the Federal Data Protection Act (DSG) brings with it a revision not only of the Ordinance on the Data Protection Act (DSG) but also of the Ordinance on Data Protection Certificates (DSG).
In addition to data processing systems (procedures, organization) and products (programs, systems, apps), the revised Data Protection Certification Ordinance (VPD) now also allows the certification of services. This should, for example, increase the transparency of data processing or reduce the risk of data protection violations, which can strengthen trust in a service. Certified processors are exempt from the obligation to carry out a data protection impact assessment. The certification includes all components of data processing that should have been checked by a data protection impact assessment.
According to the FDPIC, ISO standard 27701 is newly included in Art. 6 of the FDPIC. This standard is an extension of ISO/IEC 27001 that adds data protection, and it can only be achieved in conjunction with ISO/IEC 27001. ISO/IEC 27001 standardizes information security management systems. The addition of data protection-related components to this standard (ISO 27701) is intended to improve data protection in service offerings worldwide. The certification process remains optional. The Federal Office of Justice, the FDPIC and other federal agencies such as the Swiss Accreditation Body (SAS), as well as private certification bodies, are involved in the revision. The draft of the VDSZ is not yet final.