Is a data-protection advisor mandatory under the DSG?

No. Appointing a data-protection advisor is voluntary for private controllers under Art. 10 DSG: the provision says they “may” appoint one. The benefit is operational: where a data-protection impact assessment shows that planned processing still carries a high residual risk, a controller that has consulted its appointed advisor may forgo consulting the EDÖB (Art. 23(1) and (4) DSG). The advisor must exercise the function independently, hold the necessary expertise, and have its contact details published and notified to the EDÖB.

How is the Art. 10 DSG advisor different from the Art. 14 DSG representative?

They are distinct roles. The Art. 10 DSG data-protection advisor is an internal-facing advisory function that trains the controller, supports application of the data-protection rules, and unlocks the EDÖB-consultation exemption in Art. 23(4) DSG. The Art. 14 DSG representative is a Swiss-based contact point that certain controllers without a Swiss establishment must designate so that data subjects and the authority can reach them in Switzerland. They are offered as separate services here, and a single client may need both.

When must a data-protection impact assessment be carried out?

Under Art. 22 DSG the controller must carry out a data-protection impact assessment in advance where the planned processing is likely to entail a high risk to the personality or fundamental rights of the data subject, in particular when new technologies are used, when sensitive personal data are processed on a large scale, or when public areas are systematically monitored on a large scale. If the assessment shows that a high residual risk remains despite the planned measures, the controller consults the EDÖB under Art. 23(1) DSG, unless it has instead consulted its Art. 10 advisor (Art. 23(4) DSG).

What does the ongoing privacy-operations retainer cover?

The retainer covers the recurring obligations a controller has to keep running: maintaining the record of processing under Art. 12 DSG, assessing cross-border disclosures under Art. 16 DSG against adequacy decisions and contractual safeguards, preparing and reviewing impact assessments under Arts. 22-23 DSG, and keeping breach-notification readiness current so a security breach can be reported to the EDÖB as quickly as possible under Art. 24 DSG. Individual modules, for example a single impact assessment or a transfer-mechanism review, can be scoped separately and priced individually.

Service

Data-protection advisor & operations.

A Swiss controller may appoint a data-protection advisor under Art. 10 DSG; one that does so may consult its advisor instead of the EDÖB before high-risk processing flagged in an impact assessment. The firm acts as that independent advisor and runs the ongoing privacy operations: impact assessments, transfer reviews, the record of processing and breach readiness.

Appoint a data-protection advisor

Who this is for

Swiss controllers that want an independent Art. 10 DSG data-protection advisor.
Companies needing ongoing DPIA, transfer, record-keeping and breach support.
Life-sciences and ICT controllers running data-intensive or high-risk processing.

What's included

Data-protection advisor under Art. 10 DSG. The firm acts as the appointed, independent advisor: a contact point for data subjects and the authority, training and advising the controller and supporting the application of the data-protection rules (Art. 10(2) DSG).
EDÖB-consultation exemption: structuring the appointment so the controller can rely on the option to consult the advisor instead of the EDÖB where an impact assessment shows a high residual risk (Art. 23(1) and (4) DSG), including the independence, expertise and contact-publication conditions the exemption requires.
Data-protection impact assessments: preparing and reviewing impact assessments for processing likely to entail a high risk to the personality or fundamental rights of data subjects (Arts. 22-23 DSG).
Cross-border-transfer assessments: assessing disclosures abroad against adequacy decisions and the contractual and other safeguards that permit a transfer where no adequacy decision applies (Art. 16 DSG).
Record of processing: building and maintaining the Verzeichnis der Bearbeitungstätigkeiten, the record of processing activities required of controllers and processors (Art. 12 DSG).
Breach-notification readiness: playbooks and decision criteria so a data-security breach likely to entail a high risk can be reported to the EDÖB as quickly as possible, with data subjects informed where required (Art. 24 DSG).

How it works

Scoping. The firm maps the controller's processing, its risk profile, and whether an Art. 10 advisor appointment is the right fit.
Appointment. The firm structures the independent advisor role and the EDÖB-consultation exemption, with contact details published and notified.
Baseline. The firm builds the record of processing and reviews existing impact assessments and transfer mechanisms against the DSG.
Operations. The firm runs the recurring work (impact assessments, transfer reviews and breach readiness) on a retainer.
Review. The firm refreshes the record, the assessments and the readiness materials as processing and the legal position change.

Indicative pricing

Monthly subscription

from CHF 4,000 / month

An embedded senior-counsel data-protection function; the flagship tier is CHF 6,500 / month.

Indicative starting prices, net and exclusive of Swiss MWST (VAT) where applicable; final fee per written engagement letter.

Frequently asked questions

Is a data-protection advisor mandatory under the DSG?: No. Appointing a data-protection advisor is voluntary for private controllers under Art. 10 DSG: the provision says they “may” appoint one. The benefit is operational: where a data-protection impact assessment shows that planned processing still carries a high residual risk, a controller that has consulted its appointed advisor may forgo consulting the EDÖB (Art. 23(1) and (4) DSG). The advisor must exercise the function independently, hold the necessary expertise, and have its contact details published and notified to the EDÖB.
How is the Art. 10 DSG advisor different from the Art. 14 DSG representative?: They are distinct roles. The Art. 10 DSG data-protection advisor is an internal-facing advisory function that trains the controller, supports application of the data-protection rules, and unlocks the EDÖB-consultation exemption in Art. 23(4) DSG. The Art. 14 DSG representative is a Swiss-based contact point that certain controllers without a Swiss establishment must designate so that data subjects and the authority can reach them in Switzerland. They are offered as separate services here, and a single client may need both.
When must a data-protection impact assessment be carried out?: Under Art. 22 DSG the controller must carry out a data-protection impact assessment in advance where the planned processing is likely to entail a high risk to the personality or fundamental rights of the data subject, in particular when new technologies are used, when sensitive personal data are processed on a large scale, or when public areas are systematically monitored on a large scale. If the assessment shows that a high residual risk remains despite the planned measures, the controller consults the EDÖB under Art. 23(1) DSG, unless it has instead consulted its Art. 10 advisor (Art. 23(4) DSG).
What does the ongoing privacy-operations retainer cover?: The retainer covers the recurring obligations a controller has to keep running: maintaining the record of processing under Art. 12 DSG, assessing cross-border disclosures under Art. 16 DSG against adequacy decisions and contractual safeguards, preparing and reviewing impact assessments under Arts. 22-23 DSG, and keeping breach-notification readiness current so a security breach can be reported to the EDÖB as quickly as possible under Art. 24 DSG. Individual modules, for example a single impact assessment or a transfer-mechanism review, can be scoped separately and priced individually.

Last updated: 2026-05-31

Discuss a data-protection mandate