Swiss FADP

You need to fulfill the Swiss FADP requirements? No problem.

Identify gaps against the FADP, create your Record of Processing Activities, and start building out your FADP compliance framework.
Record keeping

Processing Records

Under the revised FADP, every controller must keep a Record of Processing Activities (sometimes also called a “Processing Directory”), similar to the GDPR’s ROPA. This record provides the foundation for accountability and transparency.

The processing record must document:
  • The identity and contact details of the controller (and any joint controllers)
  • The purposes of data processing
  • The categories of data subjects and personal data processed
  • The categories of recipients, including data transfers abroad
  • The retention periods, if known
  • A general description of data security measures
  • The basis of justification (e.g., consent, overriding private/public interest, legal duty)
Accountability

Governance and Accountability Documents

Controllers should maintain a Data Protection Policy that outlines compliance principles, roles, and responsibilities.

This document demonstrates implementation of the accountability principle and defines how data protection is integrated into daily operations.

Complementary training logs, internal audits, and data protection governance records show ongoing awareness and oversight.
Privacy notices

Transparency and Communication Documents

To meet the information duties, controllers must provide clear Privacy Notices describing:
  • Identity of the controller and purposes of processing
  • Recipients and transfer details
  • Rights of data subjects
  • Automated decision-making, if applicable
These notices ensure that data subjects can understand and control how their data is used.
DPIA requirements

Risk and Impact Assessment Documents

For processing activities that pose a high risk to data subjects’ personality or fundamental rights, a Data Protection Impact Assessment (DPIA) must be conducted.

A DPIA Register or documentation file should include:
  • Description of processing and risks
  • Assessment of necessity and proportionality
  • Measures to mitigate risks
  • Evidence of consultation with the FDPIC if required
This serves as proof that risks were evaluated and addressed.
Third-party management

Processor and Third-Party Management Documents

Controllers are responsible for ensuring that processors provide sufficient guarantees for data protection.

A Processor Contract Register should record:
  • Processor identities and purposes
  • Key contractual clauses ensuring compliance
  • Any cross-border subcontractors
This register demonstrates due diligence and compliance with controller–processor responsibilities.
Breach notification

Security and Incident Management Documents

The Technical and Organizational Measures (TOMs) Documentation provides detailed information about security controls such as access management, encryption, and data backup.

Controllers must also maintain a Data Breach Register to document all personal data breaches, including:
  • Date, nature, and scope of the breach
  • Risk assessment and mitigating actions
  • Notifications made to the FDPIC and affected persons
Together, these provide evidence of compliance with Art. 8 (Data Security) and Art. 24 (Breach Notification).
Data transfers

Cross-Border Transfer Documentation

For transfers to countries without adequate protection, controllers must document:
  • The destination country and legal safeguard used (e.g., standard clauses, consent, overriding interest)
  • The Transfer Impact Assessment (TIA) if risks exist
This documentation supports compliance with Art. 16–17 FADP and evidences transfer due diligence.

Ready to simplify your privacy management?

You’re in good company. Priverion replaces scattered Excel sheets and manual workflows with a unified, smart platform for privacy and InfoSec. Our team guides you from day one to ensure a smooth rollout and long-term success.