Dimitri Korostylev
Head of Legal & Data Privacy Consulting

Processing rules

Structured data protection implementation

Automated data processing is now an integral part of almost all work and administrative processes. It takes place in a wide variety of systems and applications, from HR and specialist solutions to online platforms and information and management systems.

Processing rules set out binding provisions on how data protection is implemented in practice. They describe the organisation, processes and controls as well as the technical and organisational protective measures, thereby creating a reliable basis for internal management and providing robust evidence for supervisory bodies and internal audits.

Anyone who processes personal data automatically must document in a reproducible manner that the principles of data protection are being observed and that appropriate technical and organisational measures have been implemented.

What are processing rules?

Processing rules describe how automated data processing is structured, controlled and protected within an organisation. They specify who is responsible for what, how access to data is regulated and which technical and organisational measures apply.
Automated processing refers to data processing that is carried out using IT systems and in which personal data is systematically processed. This includes, in particular, procedures in which data is collected, stored, evaluated, linked, transmitted or deleted electronically.

Private controllers and their processors must establish processing rules for automated processing if they

  • process particularly sensitive personal data on a large scale; or
  • carry out high-risk profiling.

Federal bodies and their processors must draw up processing rules for automated processing if

  • they process particularly sensitive personal data;
  • they carry out profiling;
  • the purpose of the processing or the manner in which the data is processed leads to a serious infringement of the fundamental rights of the data subjects;
  • they make personal data accessible to cantons, foreign authorities, international organisations or private individuals;
  • they link data sets; or
  • they operate information systems or manage data sets jointly with other federal bodies.

The processing rules thus implement the risk-based approach of data protection law. The more sensitive or complex the processing, the higher the requirements for documentation, traceability and organisational control.

Content and significance of processing rules

The processing rules document an organisation’s data protection-related processes and form a central basis for transparency, traceability and control. They describe the internal structure, responsibilities, processing and control procedures, and specify the technical and organisational measures used to ensure data protection.

The rules can be maintained as a separate document or as part of a higher-level data protection or information security concept. Existing guidelines, directives or ISMS documents can be included or referenced, provided they cover the requirements. A single, cross-departmental set of rules can cover several processes, provided that the structure and references are clear.

The processing rules must be reviewed regularly and updated in the event of changes to data processing. If a data protection officer has been appointed, the rules must be made available to him or her.

Relationship with other data protection instruments

The processing rules supplement the register of processing activities and the data protection impact assessment (DPIA). While the register provides an overview of all processing activities and the DPIA assesses risks, the processing rules document the specific operational implementation with the corresponding organisational and technical measures.

Information from the register of processing activities or the results of a DPIA can be incorporated into the rules or included by means of references to ensure consistent and verifiable overall documentation. This creates a comprehensive picture of data processing that is transparent both internally and to supervisory authorities.

Legal significance and risks of omission

The processing rules are part of the minimum organisational requirements for adequate data security. If they are missing even though the legal conditions that require them are met, this constitutes a breach of data security obligations. According to Art. 61 FADP, such a breach of duty, especially in the case of intentional omission, may be punishable by law.

This means that the rules are more than just a formal requirement: they document compliance with data protection duties of care, prove the implementation of appropriate technical and organisational measures, and reduce legal and reputational risks.

Our assistance

We support you every step of the way: from determining whether processing rules are necessary, to structured creation, to integration into existing data protection and security concepts.
Our consulting services combine legal, organisational and technical perspectives and are based on legal requirements and proven standards such as ISO 27001.

This creates a practical, verifiable document that strengthens your data protection organisation and reliably meets regulatory requirements.

Your benefit

Well-structured processing rules create clarity, transparency and trust.

In doing so, you fulfil a key legal obligation, reduce liability and criminal risks, and strengthen internal accountability for data protection and information security. Data protection thus becomes not a formality, but a living, verifiable part of your organisation: legally compliant, efficient and sustainable.


© Swiss Infosec AG 2025