29 July 2025

What Security Measures Are Organisations Required To Take To Protect Personal Data And Reduce The Risk Of Cybersecurity Incidents?

FABIAN PRIVACY LEGAL GmbH


Part 13 of our series on data protection law in Switzerland

In this part of our series, we explore what security measures are required under the Federal Act on Data Protection (FADP) to secure personal data and prevent data security breaches to the extent possible.

Pursuant to Art. 8 FADP, the controller and the processor must take appropriate technical and organisational measures (TOMs) to ensure a level of data security appropriate to the risk and to prevent data security breaches. The Ordinance on Data Protection (DPO) regulates the data security requirements in more detail.

Risk-based approach

To ensure adequate data security, the controller and the processor must determine the need for appropriate protection of personal data and specify the TOMs that are appropriate in view of the risk.

The following criteria are essential to determine the need for protection of personal data:

  • The type of data being processed;
  • The purposes, nature, extent and circumstances of the processing.

The risk for the data subjects' personality or fundamental rights is assessed considering the causes of the risk, the main threats, the risk-mitigation measures taken or planned and the probability and seriousness of a data security breach despite these measures.

To determine the appropriate TOMs, the state of the art and the implementation costs shall be considered.

Objectives of the TOMs

TOMs shall ensure that the data processed is:

  • confidential, i.e., only accessible to authorised persons,
  • available when it is needed,
  • intact (integrity), i.e., neither changed by unauthorised persons nor changed unintentionally, and
  • processed in a traceable manner.

To achieve these objectives, the controller and the processor must take appropriate measures:

  • To ensure confidentiality, guarantee that
    • access by authorised persons is limited to the personal data that they require to fulfil their tasks (access control);
    • unauthorised persons are denied access to the premises and installations in which personal data is being processed (entrance control);
    • unauthorised persons may not use automated data processing systems by means of devices for data transmission (usage control).
  • To ensure availability and integrity, guarantee that
    • unauthorised persons may not read, copy, alter, move, delete or destroy data carriers (data carrier control);
    • unauthorised persons may not store, read, change, delete or destroy personal data in storage (storage control);
    • when disclosing personal data and during the transport of data carriers, unauthorised persons may not read, copy, alter, delete or destroy personal data (transport control);
    • the availability of and access to personal data can be rapidly restored in the event of a physical or technical incident (recovery);
    • all functions of the automated data processing system are available (availability), that malfunctions are reported (reliability) and that stored personal data cannot be damaged by system malfunctions (data integrity);
    • operating systems and application software are always kept up to date and known critical gaps are closed (system security).
  • To ensure traceability, guarantee that
    • it can be checked what personal data is entered or altered in the automated data processing system, at what time and by which person (input control);
    • it can be checked to whom personal data has been disclosed by means of devices for data transmission (disclosure control);
    • data security breaches can be quickly detected (detection), and measures can be taken to mitigate or eliminate their impact (elimination).

Logging and processing regulations

Private controllers and processors who process a large volume of sensitive personal data by automated means or carry out high-risk profiling must keep a log file that records at least the storage, alteration, reading, disclosure, deletion and destruction of the data and must issue processing regulations, including in particular details of the internal organisational structure, data processing and control procedures and the measures that guarantee data security.

Federal bodies must keep a log file whenever they process personal data by automated means and must issue processing regulations when they process sensitive personal data by automated means or carry out profiling.
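The logging requirement above, illustrated with an added example that is not code from the article, the FDPIC or the DPO: an append-only, hash-chained audit log that only accepts the six required event types (storage, alteration, reading, disclosure, deletion, destruction), forces every disclosure entry to name its recipient (disclosure control), records which data, when and by whom (input control), and can be checked for tampering and for event types it has never recorded. The field names (`ts`, `actor`, `event`, `record_id`, `recipient`, `prev`, `hash`) and the hash-chain design are assumptions, not requirements stated in the law.

```python
import hashlib
import json
from datetime import datetime, timezone

# Minimum operations the log file must record, as summarised in the article
DPO_EVENTS = ("storage", "alteration", "reading", "disclosure", "deletion", "destruction")

class AuditLog:
    """Append-only, hash-chained log of operations on personal data (assumed design)."""
    def __init__(self):
        self.entries = []
        self.prev_hash = "0" * 64  # chain anchor for the first entry

    def record(self, actor, event, record_id, recipient=None, ts=None):
        if event not in DPO_EVENTS:
            raise ValueError(f"{event!r} is not a required DPO event type")
        # disclosure control: it must be checkable to whom data was disclosed
        if event == "disclosure" and not recipient:
            raise ValueError("disclosure entries must name the recipient")
        entry = {  # input control: which data, at what time, by which person
            "ts": (ts or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "event": event,
            "record_id": record_id,
            "prev": self.prev_hash,
        }
        if recipient:
            entry["recipient"] = recipient
        # hash the canonical JSON of the entry, chained to the previous entry's hash
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.prev_hash = entry["hash"]
        self.entries.append(entry)
        return entry

def verify_chain(entries):
    """True if no entry was altered or removed after it was written (data integrity)."""
    prev = "0" * 64
    for e in entries:
        body = {k: v for k, v in e.items() if k != "hash"}
        if body.get("prev") != prev:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
            return False
        prev = e["hash"]
    return True

def missing_event_types(entries):
    """DPO event types the log has never recorded: a coverage gap to investigate."""
    seen = {e["event"] for e in entries}
    return [ev for ev in DPO_EVENTS if ev not in seen]
```

A log that never records, say, a deletion or destruction event is worth a second look: either the operation never happens on that system, or it happens without being logged.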

The Federal Data Protection and Information Commissioner (FDPIC) has issued several guides with respect to IT and information security, which can be found on the dedicated webpage: https://www.edoeb.admin.ch/en/information-security.

For a more detailed overview of Swiss cybersecurity legislation, you may also consult our contribution to the ICLG Cybersecurity Laws and Regulations Report 2025 here.

To learn more about personal data breach prevention and response strategy, you may read our contribution to the Legal500 Data Protection Cybersecurity Guide here.

Preview of Part 14

In part 14 of our series, we will examine if and under what circumstances data security breaches must be notified to the Swiss authorities.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
