Does HR data processing require registration under data protection laws?
Data protection laws sometimes include conformity assessments, which help to ensure businesses follow regulations. Requirements can include registration before the Data Protection Authority and random audits.
In Switzerland, employers must declare data files to the Federal Data Protection and Information Commissioner if they regularly process sensitive personal data or personality profiles. Note that it’s expected that this registration requirement will be removed under the revised Data Protection Act. Appointing a Data Protection Officer may exempt an employer from the registration requirement.
Employers are not required to declare files when processing data to meet a statutory obligation (e.g. collection of information in order to provide a job reference, obligations in relation to tax or, social security laws). Also, where medical data is collected and processed based on a legal obligation, no notification obligation applies.
If data processing is carried with a cloud service provider or similar, then there must be a data processing agreement. If the cloud provider stores or accesses the data abroad, then it must be assessed in the relevant case, whether a data transfer clause or agreement must be included.
Finally, please note that sector specific regulations might apply. For example, in the banking and insurance sector, FINMA outsourcing regulations may apply and must be assessed on a case by case basis.