LPD compliance

    Compliance with the Federal Data Protection Act (DPA)

    The DPA was created and recently updated to protect individuals’ personal data and regulate its processing by organizations. It therefore aims to make companies more responsible in their handling of personal data.

    Compliance with the DPA is of vital importance to companies, both in legal terms and in terms of trust and reputation. For companies, this means putting in place appropriate measures and procedures to guarantee the confidentiality, integrity and availability of the personal data they collect, process and store.

    What is the HPA?

    The new DPA came into force on September 1, 2023.

    This law confers new rights on individuals in terms of personal data protection, and creates new responsibilities for organizations in terms of data confidentiality and security.

    Swiss data protection law is therefore once again compatible with the EU’s General Data Protection Regulation (GDPR).

    The top five data protection issues for SMEs


    Data security

    As an SME, where do you start when you want to protect the data you process?


    Demonstrating compliance

    How can an SME demonstrate that it processes data in compliance with data protection legislation?


    Security to suit your budget

    What salary burden does an SME have to bear if it needs to hire an Information Security Manager?


    Access to all necessary safety tools

    What additional resources are needed to find the right tools for end-to-end information security?


    Obtaining certifications

    What kind of certification can an SME achieve when it invests in information security?

    Who is affected?

    Any organization that processes personal data, virtually all, must take all necessary steps to ensure that the personal data they process is adequately protected. She must:

    • Respect the rights of data subjects (right of access, right to be forgotten, right to portability, etc.).
    • Ensure that data is accurate at all times, or delete it if necessary
    • Ensure that only the processing necessary to achieve the intended purpose is carried out
    • Restrict access to personal data to authorized persons (authorization)
    • Protect data for as long as it exists

    What does LPD compliance entail for companies? What’s the impact?

    Data protection means protecting any information about an identified or identifiable natural person, including names, dates of birth, photographs, e-mail addresses and telephone numbers. Other information such as IP addresses and the content of communications relating to or provided by end-users of communication services are also considered personal data.

    The impact of HPA compliance on businesses is significant. This often means investing in human resources, training and technology to implement the necessary safety measures and processes. Secondly, it may also require a review of data protection policies and practices, as well as contracts with third parties processing data on the company’s behalf.

    What’s more, it’s important that all employees understand the importance of protecting personal data. Regular training courses help to integrate this data protection culture into the company. Anyone handling personal data needs to be aware of what is and isn’t allowed, and what the impact will be.

    So when we talk about data protection, we’re talking about the whole company working together, in the broadest sense of the term.

    Where do you stand with your LPD compliance?
    The right questions to ask

    • Do you have a charter, policy or directive concerning the processing of personal data?
    • Are these commitments and rules well communicated, both internally and externally?
    • Do you regularly train your users in data protection?
    • Do you have an up-to-date incident response procedure?
    • Do you have a backup policy and do you test it regularly?
    • Do you carry out regular data governance and technical security audits?
    • Do you have a policy for monitoring the compliance of your subcontractors?
    • Do you have a budget for data protection and information security?
    • Have you assessed whether you are obliged to keep an up-to-date data processing register?
    • Have you assessed the need to appoint a Data Protection Officer (DPO)?

    Conduct an audit to assess your organization’s compliance with the DPA

    Where do you stand with your LPD compliance?

    The audit is an in-depth examination to assess your organization’s compliance with the DPA and the security of your information system, highlighting any flaws or malfunctions that could compromise your activities.

    Areas audited


    Take stock of your organization’s compliance with the HPA. Identify potential vulnerabilities within your company. Benefit from pragmatic recommendations.

    Data Protection Officer (DPO): internal or external?

    The Data Protection Officer, also known as the DPO, plays a crucial role in ensuring a company’s compliance with data protection laws and regulations, such as the DPA or RGPD.

    He is responsible for advising the company to ensure that its data processing practices comply with legal requirements. He monitors data processing activities, conducts audits and impact assessments, and acts as a point of contact for the supervisory authorities.

    You can either appoint someone internally, or choose to call in an external consultant specializing in data protection to carry out a compliance audit.

    At Meanquest, we can provide you with an as-a-service DPO, as often as you wish, to assist you with your procedures. His duties will include

    • Assess your current level of compliance.
    • Helping you achieve compliance.
    • Train your users and raise their awareness.
    • Establish the necessary contracts and controls with suppliers.
    • Manage formalities in the event of a personal data breach.
    • Act as a dedicated contact for prospects, customers and authorities.

    Unlike an in-house person who will take on the role of DPO, the external specialist has the experience gained from working with many different types and sizes of organization. In addition, outsourcing the DPO role avoids any conflict of interest, particularly in terms of hierarchy or accumulation of roles (speed of operations Vs security).


    What do we mean by “personal data”?

    The DPA defines personal data as “any information relating to an identified or identifiable natural person”. In other words, any information that enables a person to be identified directly (surname, first name) or indirectly (telephone number, number plate, AVS number, postal address, email, voice, photo, etc.).

    What do we mean by “sensitive data”?

    Sensitive data includes data on religious, philosophical, political or trade-union opinions or activities; health, intimacy or race; social welfare measures; criminal or administrative proceedings or sanctions; genetic data and biometric data. These data represent a particular risk, and will therefore be processed with greater care.

    Who is affected by the HPA?

    The DPA applies to companies and organizations that process the personal data of data subjects.

    What are the main principles of the law?

    To comply with the DPA, organizations must respect the following obligations:

    • Keep a register of processing activities unless the company has fewer than 250 employees AND presents a limited risk of personal injury.
    • Inform people when their personal data is collected.
    • Report personal data protection violations (loss of data, misuse of data, etc.).
    • Establish appropriate measures (technical and organizational) to guarantee data protection from the outset of processing (principle of privacy by design) as well as the protection of processed data by default (principle of privacy by default).
    • Obtain consent for high-risk profiling operations.
    • Carry out a Data Protection Impact Assessment (DPIA) when there is a high risk to the personality or fundamental rights of the data subjects.

    Why comply?

    Over and above the financial penalties and criminal prosecutions incurred, companies must mobilize to put in place an appropriate action plan to comply with the DPA.

    • To avoid administrative and financial penalties (personal fine of up to CHF 250,000).
    • Avoid data leaks that could damage your company’s reputation.
    • Reinforce the trust of your customers and partners by showing that you care about their personal data.
    • Differentiate yourself from your competitors to gain market share.
    • Sensitize your staff to the handling of (sensitive) data.
    • Strengthen your company’s security against cyber-attacks.

    What is information security?

    Information security is the set of measures which ensure that the confidentiality, integrity and availability of all forms of information – whether in electronic (digital) or paper form – are maintained, with the aim of ensuring the continuity of information and information and limiting the possible consequences of information security incidents to a predefined acceptable level.

    The term “management measure” covers all measures relating to policy, procedures, guidelines, methods and organizational structures. These measures can be administrative, technical, legal or management in nature.