FDPIC publishes Guidelines on technical and organisational measures (TOMS) for the protection of personal data

by András Gurovits, Clara-Ann Gordon, Victor Stancescu

Recently, the Federal Data Protection and Information Officer (FDPIC) published its Guidelines on technical and organisational measures (TOMS) for the protection of personal data (“Guideline”).

This Guideline is intended to support the implementation of TOMS that ensure appropriate protection of personal data in compliance with the Swiss Data Protection Act and the relevant Ordinance.

The Guideline is structured around four main topics:

• Access to data
• Lifecycle of data
• Exchange of data
• Right to information.

The Guideline discusses, in respect of each of these topics, the aspects and implications that the owner of an information system should consider when designing and implementing such a system. In addition, the Guideline proposes concrete technical and organisational measures which are, however, to be understood as general rules that need to be adapted to the particularities of each specific project and the organisation processing the personal data.

In sum, the Guideline specifies the meaning of TOMS under the Swiss Data Protection Act and its Ordinance and comprehensibly explains what is expected of companies processing personal data. The Guideline facilitates the implementation of information systems that are in compliance with data protection law. It helps companies to identify areas that have potential for improvement from a data protection law perspective as well as relevant measures that should be considered in this context.