DPCO:2014

Certification of data protection management systems pursuant to Swiss data protection legislation - certification of systems and organisations which process personal data.

Incentive

When the revised data privacy act came into force on 1 January 2008, it created room for data protection certification processes. Conducted by entirely private certification bodies, these processes are conducive to the improvement of data protection and data security. Given that this was an entirely new procedure, it merited its own special law, hence the enactment of the VDSZ (SR 235.13), the Federal Data Protection Certification Ordinance (DPCO), together with a set of guidelines issued by the Federal Data Protection and Information Commissioner (FDPIC) on the minimum standards required of a data protection management system, and an appendix (guide to data protection management).

Outcome

An efficient data protection management system is an adequate basis for meeting the required standards in relation to the safe administration of personal data and effective conformity with data privacy law and basic legislation, including appropriate levels of information security. The certificate helps to promote a good image and inspires trust in business partners, consumers, local authorities and public bodies. The certification process can be carried out by SQS, which is duly accredited for VDSZ/DPCO.

Target groups

The VDSZ certificate can be obtained by all organisations (companies, institutions and public authorities) which process personal data as defined by data protection legislation.

Validity

3 years - there is an annual audit to ensure that standards are being maintained and a recertification audit every 3 years.

Recognition

The SQS certificate of conformity with DPCO has national recognition.

Combinations

VDSZ/DPCO can be combined with ISO 9001 (quality management), ISO/IEC 27001 (information security management) and GoodPriv@cy (data protection).

Peter Reber