of 28 September 2007 (Status as of 1 April 2010)



Similar documents
Federal Act on Combating Money Laundering and Terrorist Financing in the Financial Sector 1

Federal law on certification services in the area of the electronic signature

Federal Act on Data Protection (FADP) Aim, Scope and Definitions

Guidelines of the Higher Education Council for accreditation within the higher education sector

Electronic Documents Law

ANNEX F. Organic agriculture (Art. 11) ARTICLE 1. Objectives

LAW FOR THE ELECTRONIC DOCUMENT AND ELECTRONIC SIGNATURE

ACT. of 15 March 2002

General Rules for the certification of Management Systems

TG TRANSITIONAL GUIDELINES FOR ISO/IEC :2015, ISO 9001:2015 and ISO 14001:2015 CERTIFICATION BODIES

IAF Mandatory Document for the Transfer of Accredited Certification of Management Systems

Appendix 11 - Swiss Data Protection Act

UKAS Guidance for bodies operating certification of Trust Service Providers seeking approval under tscheme

LAW FOR THE ELECTRONIC DOCUMENT AND ELECTRONIC SIGNATURE. Chapter two. ELECTRONIC DOCUMENT AND ELECTRONIC SIGNATURE

Federal Electronic Signature Law. (Signature Law - SigG)

UNOFFICIAL CONSOLIDATION AND TRANSLATION OF LAWS 128(I) OF 2009 AND 52(I) OF 2010 THE PAYMENT SERVICES LAWS OF 2009 TO 2010

General Rules for the Certification of Management Systems Code: RG

Oversight of payment and securities settlement systems by the Swiss National Bank

Guidelines of the Swiss University Conference for Academic Accreditation in Switzerland

Document Reference APMG 15/015

CHECKLIST ISO/IEC 17021:2011 Conformity Assessment Requirements for Bodies Providing Audit and Certification of Management Systems

General Protocol relating to the collaboration of the insurance supervisory authorities of the Member States of the European Union March 2008

KINGDOM OF SAUDI ARABIA. Capital Market Authority CREDIT RATING AGENCIES REGULATIONS

Certification Procedure of RSPO Supply Chain Audit

REGULATION (EEC) No 2309/93

Rules of Alternative Trading System organised by the BondSpot S.A.

KINGDOM OF SAUDI ARABIA. Capital Market Authority CREDIT RATING AGENCIES REGULATIONS

Option Table - Directive on Statutory Audits of Annual and Consolidated Accounts

Ordinance on Collective Investment Schemes

Translation Service Provider according to ISO 17100

TRANSPOSITION NOTE. Directive 2013/11/EU on alternative dispute resolution for consumer disputes

Audit of the control body through the monitoring of compliance with control plan. Measures for the irregularities

Federal Act on the Implementation of International Sanctions

RTO Delegations Guidelines

How To Get A Basic Health Insurance In Swissand

VPO NOK Rules. Rules for the Central Securities Settlement. in Norwegian Kroner

Tax Agent Services Act 2009

DQS UL ASSESSMENT AND CERTIFICATION REGULATIONS

Network Certification Body

This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid.

Merchants and Trade - Act No 28/2001 on electronic signatures

Property, Stock and Business Agents Act Director General s Guidelines for Continuing Professional Development.

OVERSIGHT CONCEPT DIVISION FINANCIAL AUDIT

COMMISSION REGULATION (EU)

Act on Investment Firms /579

THE RULES ON THE SECURITIES SETTLEMENT SYSTEM OF THE CENTRAL SECURITIES DEPOSITORY OF LITHUANIA I. GENERAL PROVISIONS

ACT. of 22 May on insurance mediation 1. Chapter 1. General Provisions

This document is meant purely as a documentation tool and the institutions do not assume any liability for its contents

Microsoft Online Services - Data Processing Agreement

The National Council of the Slovak Republic has adopted the following Act: Article I. 1 Scope of the act

Management Systems Recognition Booklet

TERMS AND CONDITIONS FOR THE NATIONAL MANAGEMENT SYSTEMS CERTIFICATION SCHEME

Guidance Note AGN 520.1

Exception: If the player is already in possession of a FIBA Identity Card, the card number should be indicated on the list.

ELECTRONIC SIGNATURE LAW. (Published in the Official Journal No 25355, ) CHAPTER ONE Purpose, Scope and Definitions

ELECTRONIC SIGNATURE LAW

Spillemyndigheden s Certification Programme Change Management Programme

Authorised Persons Regulations

PLANT VARIETIES PROTECTION ACT (CHAPTER 232A, SECTION 54) PLANT VARIETIES PROTECTION RULES

Act on Insurance. The National Council of the Slovak Republic has adopted the following Act: SECTION I PART ONE GENERAL PROVISIONS

POLICIES, RULES AND GUIDELINES

Executive Order No. 67 of 25. January 2012 on online casinos 1

EXCHANGE RULES, SECTION XII. Conditions for Admission of Collective Investment Securities to Trading on the Regulated Market of the Exchange

Specific Conditions for the Assessment of Management Systems and Product Certifications

ELECTRICITY SUPPLY/ TRADE LICENSE KORLEA INVEST A.S

Part 1 Qualifications for certificates of endorsement

CONTENT OF THE AUDIT LAW

Listing and Admission to Trading Rules for. Short Term Paper. Release 2

LAW. ON ELECTRONIC SIGNATURE (Official Gazette of the Republic of Montenegro 55/03 and 31/05)

Certification Regulations and Requirements. International Certification Management GmbH

Regulations for certification of quality management systems

CROATIAN PARLIAMENT 242

FOR INFORMATION PURPOSES ONLY

Claims Management Services Regulation. Conduct of Authorised Persons Rules 2013 (2)

COMMISSION OF THE EUROPEAN COMMUNITIES. COMMISSION REGULATION (EC) No /..

Australian Transport Council. National Standard for the Administration of Marine Safety SECTION 5

and the President has proclaimed the following Law:

LISTING RULES. Listing Rules

Swedbank Life Insurance SE Terms and Conditions of Life Insurance Savings for Child s Future. Savings with guaranteed amount (IV 2011)

At its meeting held on 11 and 12 February 2004 the Working Party completed the third reading of the above Proposal.

Mutual Recognition Arrangements (MRA) Scheme. Designating Local Testing Laboratories and Certification Bodies for Conformity Assessment

Managing Outsourcing Arrangements

(15 November October 2008) FINANCIAL ADVISORY AND INTERMEDIARY SERVICES ACT 37 OF 2002

PERMANENT COURT OF ARBITRATION OPTIONAL RULES FOR ARBITRATING DISPUTES BETWEEN TWO STATES

How To Write A Takeover Offer In Swissitzerland

on Electronic Signature and change to some other laws (Electronic Signature Act) The Parliament has hereby agreed on this Act of the Czech Republic:

Transcription:

English is not an official language of the Swiss Confederation. This translation is provided for information purposes only and has no legal force. Ordinance on Data Protection Certification (DPCO) 235.13 of 28 September 2007 (Status as of 1 April 2010) The Swiss Federal Council, based on Article 11 paragraph 2 of the Federal Act of 19 June 1992 1 on Data Protection (FADP), ordains: Section 1: Certification Organisations Art. 1 Requirements 1 The organisations that carry out data protection certification in accordance with Article 11 FADP (certification organisations) must be accredited. Accreditation is governed by the Accreditation and Designation Ordinance of 17 June 1996 2, unless the present Ordinance provides otherwise. 2 Separate accreditation is required in each case for the certification of: a. the organisation of and procedure for data protection; b. products (hardware, software or systems for automated data processing procedures). 3 The certification organisations must have established organisational regulations and an established certification procedure (checking program), in which the following in particular are regulated: a. the assessment or checking criteria and the resultant requirements that must be fulfilled by the organisations or products to be certified (assessment and/or checking scheme); and b. the details of the procedure, and in particular the course of action in the event that irregularities are detected. 4 The minimum requirements for the checking program are governed by the standards and principles applicable in accordance with Annex 2 of the Accreditation and Designation Ordinance of 17 June 1996 and in accordance with Articles 4 6 hereof. AS 2007 5003 1 SR 235.1 2 SR 946.512 1

235.13 Data Protection 5 The minimum qualification requirements for the staff that carry out certification procedures are set out in the Annex. Art. 2 Accreditation procedure The Swiss Accreditation Service shall consult the Federal Data Protection and Information Commissioner (the Commissioner) on the accreditation procedure and the follow-up inspection as well as on the suspension or the withdrawal of accreditation. Art. 3 Foreign certification organisations 1 The Commissioner, in consultation with the Swiss Accreditation Service, shall recognise foreign certification organisations as being qualified to carry out their activities on Swiss territory provided they are able to prove that they hold an equivalent qualification to that required in Switzerland. 2 The certification organisations must in particular provide proof that they fulfil the requirements of Article 1 paragraphs 3 and 4 and that they have adequate knowledge of Swiss data protection legislation. 3 The Commissioner may place a time limit on recognition and make it subject to conditions or requirements. He shall withdraw recognition if essential conditions or requirements are not fulfilled. Section 2: Subject Matter and Procedure Art. 4 Certification of organisation and procedure 1 The following may be certified: a. any data processing procedures for which an organisation is responsible; b. individual, separately definable data processing procedures. 2 The subject matter of the assessment is the data protection management system. This includes in particular: a. the data protection policy; b. the documentation on objectives and measures relating to the guarantee of data protection and data security; c. the organisational and technical measures for the achievement of the goals and measures laid down, and in particular the measures to rectify any irregularities detected. 3 The Commissioner shall issue guidelines on the minimum requirements for the data protection management system. In doing so, he shall take account of international standards relating to the construction, operation, monitoring and improvement of management systems, and in particular the standards ISO 9001:2000 and ISO 27001:2005. 2

Data Protection Certification 235.13 4 The exemption from the obligation to register data files in accordance with Article11a paragraph 5 letter f FADP is only applicable if all data processing procedures that apply to a data file are certified. Art. 5 Certification of products 1 Products may be certified if their primary purpose relates to the processing of personal data or their use results in the generation of personal data, and in particular data on the user. 2 The subject matter of the assessment is in particular the guarantee inherent to the product: a. of the confidentiality, integrity, availability and authenticity of the processed personal data taking account of the purpose of the product; b. of the avoidance of the unnecessary generation, storage or other processing of personal data taking account of the purpose of the product; c. of the transparency and comprehensibility of the automated processing of personal data that results from the functionality of the product determined by the manufacturer; d. of technical measures to support the user in complying with data protection requirements and obligations under data protection law. 3 The Commissioner shall issue guidelines on which specific data protection criteria must as a minimum be assessed in terms of the product certification procedure. 3 Art. 6 Grant and validity of certification 1 The certificate is granted if the certification procedure based on the assessment or checking criteria applied by the certification organisation establishes that the requirements under data protection law as well as the requirements imposed by this Ordinance and the guidelines issued by the Commissioner (Art. 4 para. 3 and 5 para. 3) or any other equivalent standards are fulfilled. Certification may be made subject to conditions or requirements. 2 The certification of a data protection management system is valid for three years. The certification organisation must conduct an annual summary review of whether the requirements for certification continue to be fulfilled. 3 The certification of a product is valid for two years. A product must be certified again as soon as any fundamental changes are made thereto. Art. 7 Recognition of foreign data protection certification The Commissioner in consultation with the Swiss Accreditation Service shall recognise foreign certifications provided a guarantee is given that the requirements of the Swiss legislation are fulfilled. 3 Amended in accordance with No. I of the Ordinance of 12 March 2010, in force since 1 April 2010 (AS 2010 949). 3

235.13 Data Protection Art. 8 Notification of the result of the certification procedure 1 If a certified organisation notifies the Commissioner that it has successfully undergone the certification procedure in accordance with Article 4 in order to be exempted under Article 11a paragraph 5 letter f FADP from the obligation to register its data files, it must submit the following documents on request: a. the assessment report; b. the certification documents. 2 If the certification organisation in the course of its monitoring activities detects substantial changes in conditions for certification, for example relating to the fulfilment of conditions or requirements, the certified organisation must notify the Commissioner of this. 3 The Commissioner shall publish a list of organisations that have been certified and are relieved of the obligation to register their data files (Art. 28 para. 3 of the Ordinance of 14 June 1993 4 to the Data Protection Act). In particular, this list provides information on the term of validity of the certification. Section 3: Sanctions Art. 9 Suspension and withdrawal of the certification 1 The certification organisation may suspend or withdraw certification, in particular if it establishes serious irregularities in the course of an inspection (Art. 6 para. 2). A serious irregularity is constituted in particular where: a. essential requirements for data protection certification are no longer fulfilled; or b. a certificate is being used in a misleading or unlawful manner. 2 In the event of any dispute in relation to the suspension or the withdrawal, the assessment and the procedure for the case are governed by the provisions of civil law that are applicable to the contractual relationship between the certification organisation and certified organisation. 3 The certification organisation shall notify the Commissioner of the suspension or the withdrawal the data protection certification provided the Commissioner has been notified of certification in accordance with Article 8 paragraph 1. Art. 10 Procedure in the case of supervisory measures by the Commissioner 1 If the Commissioner detects serious irregularities in the supervisory activity in accordance with Article 27 or 29 FADP in the case of a certified organisation, he shall notify the certification organisation thereof. 4 SR 235.11 4

Data Protection Certification 235.13 2 The certification organisation shall immediately arrange for the certified organisation to rectify the irregularity within 30 days of receipt of notification from the Commissioner. 3 If the certified organisation fails to rectify the irregularity within this time, the certification organisation shall suspend the certification. If there is no prospect of the lawful position being established or restored within a reasonable time, certification must be withdrawn. 4 If within the period in accordance with paragraph 2 the certified organisation fails to rectify the irregularity and the certification organisation does not suspend or withdraw certification, the Commissioner shall issue a recommendation in accordance with Article 27 paragraph 4 or Article 29 paragraph 3 FADP to the certified organisation or to the certification organisation. He may in particular recommend that the certification organisation suspend or withdraw the certification. If he issues the recommendation to the certification organisation, he must notify the Swiss Accreditation Service. Section 4: Commencement Art. 11 This Ordinance comes into force on 1 January 2008. 5

235.13 Data Protection Annex (Art. 1 para. 5) Minimum Qualification Requirements for Staff at Certification Organisations that conduct Certification Procedures 1 Certification of Data Protection Management Systems The certification organisation must provide proof that its staff who certify data protection management systems when taken together hold the following qualifications: knowledge of data protection law: proof is required of a minimum of two years practical experience in the field of data protection or a successfully completed course of studies at a university or university of applied sciences of a minimum of one year in duration with data protection law as the main subject; knowledge of the field of information technology security: proof is required of a minimum of two years practical experience in the field of information technology security or a successfully completed course of studies at a university or university of applied sciences of a minimum of one year in duration with information technology security as the main subject; training as a management systems auditor (in accordance with ISO/IEC- Guide 62 [ISO/IEC 17021:2006]). The certification organisation must provide proof that it has qualified staff in each of the individual specialist fields. The assessment of data protection management systems by an interdisciplinary team is permitted. 2 Certification of products The certification organisation must provide proof that its staff who certify products when taken together hold the following qualifications: knowledge of data protection law: proof is required of a minimum of two years practical experience in the field of data protection or a successfully completed course of studies at a university or university of applied sciences of a minimum of one year in duration with data protection law as the main subject; knowledge of the field of information technology security: proof is required of a minimum of two years practical experience in the field of information technology security or a successfully completed course of studies at a university or university of applied sciences of a minimum of one year in duration with information technology security as the main subject; specialist knowledge in relation to the product testing (in accordance with ISO/IEC-Guide 65). 6

Data Protection Certification 235.13 The certification organisation must provide proof that it has qualified staff in each of the individual specialist fields. Product testing by an interdisciplinary team is permitted. 7

235.13 Data Protection 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information