235.13 Ordinance on Data Protection Certification (OCPD) of 28 September 2007 (status as of 1 April 2010)

The Swiss Federal Council, under Art. 11 para. 2 of the Federal Act of 19 June 1992 on Data Protection (LPD), decrees:

Section 1 Certification bodies

Art. 1 Requirements

1 Organisations that perform certifications within the meaning of Art. 11 LPD (certification bodies) must be accredited. Accreditation is governed by the Ordinance of 17 June 1996 on Accreditation and Designation, unless this Ordinance provides otherwise.
2 A separate accreditation is required for the certification of: a. the organisation and procedures for data protection; b. products (hardware and software products or systems for automated data processing).
3 Certification bodies must have a defined organisation and certification procedure (control programme). The following points in particular must be addressed: a. the evaluation or test criteria and the requirements that the organisations or products to be certified must meet (evaluation or test scheme), and b. the procedures for conducting the process, in particular the measures to be taken if deficiencies are found.
4 The minimum requirements for the control programme are governed by the standards and principles listed in Annex 2 of the Ordinance of 17 June 1996 on Accreditation and Designation and by Arts. 4 to 6.
5 The minimum requirements for the qualifications of the staff carrying out certifications are set out in the Annex.
SR 946.512

Art. 2 Accreditation procedure

The Swiss Accreditation Service involves the Federal Data Protection and Information Commissioner (the Commissioner) in the accreditation procedure and in the monitoring, suspension and revocation of accreditation.
Art. 3 Foreign certification bodies

1 After consulting the Swiss Accreditation Service, the Commissioner recognises foreign certification bodies that wish to operate on Swiss territory, provided these organisations demonstrate that they have a qualification equivalent to that required in Switzerland.
2 Certification bodies must in particular prove that they meet the requirements laid down in Art. 1 paras. 3 and 4 and that they have sufficient knowledge of Swiss data protection legislation.
3 The Commissioner may grant recognition for a limited period and subject to conditions or obligations. It revokes the recognition if essential conditions or obligations are not fulfilled.
Section 2 Object and procedure of certification

Art. 4 Certification of organisation and procedures

1 The following may be certified: a. all data processing procedures for which a body is responsible; b. specific processing procedures.
2 The evaluation focuses on the data protection management system. This comprises: a. a data protection policy; b. documentation of the objectives and measures for ensuring data protection and data security; c. the technical and organisational provisions needed to achieve the stated objectives and measures, in particular measures for eliminating deficiencies.
3 The Commissioner issues guidelines on the minimum requirements that a data protection management system must meet. It takes into account the international standards on the establishment, operation, monitoring and improvement of management systems, in particular ISO 9001:2000 and ISO 27001:2005.
4 The exemption from the duty to register provided for in Art. 11a para. 5 let. f LPD applies only if the certified organisation has obtained the certification for all data processing procedures covered by the file to be registered.
Art. 5 Certification of products

1 Products that are used primarily for processing personal data, or that generate personal data (including user data) in the course of their use, may be certified.
2 The certification body examines in particular whether the product itself guarantees: a. the confidentiality, integrity, availability and authenticity of the personal data processed, in light of the purposes of the product or system; b. the prevention of the generation, recording or any other processing of personal data that is unnecessary in light of the purposes of the product; c. the transparency and reproducibility of the automated processing of personal data carried out within the functionality of the product as defined by the manufacturer; d. the implementation of technical measures that enable the user to comply with the other data protection principles and obligations.
3 The Commissioner issues directives laying down the specific data protection criteria that a product must meet as part of a certification.
New wording according to Chapter I of the Ordinance of 12 March 2010, in force since 1 April 2010 (RO 2010 949).
Art. 6 Granting and period of validity of certification

1 Certification is granted when the certification procedure allows the conclusion, on the basis of the evaluation or test criteria applied by the certification body, that the requirements laid down by data protection law, those resulting from this Ordinance and the Commissioner's directives (Art. 4 para. 3 and Art. 5 para. 3), or any other equivalent standard are met. Certification may be granted subject to conditions or obligations.
2 The certification of a data protection management system is valid for three years. Each year, the certification body carries out a summary verification that the certification requirements are still met.
3 The certification of a product is valid for two years. The product must be re-certified if essential changes are made to it.
Art. 7 Recognition of foreign certifications

After consulting the Swiss Accreditation Service, the Commissioner recognises foreign certifications, provided that compliance with the requirements of Swiss legislation is guaranteed.
Art. 8 Communication of the results of the certification procedure

1 If, in order to be released from its obligation to register its files under Art. 11a para. 5 let. f LPD, the certified organisation notifies the Commissioner that it has obtained a certification in accordance with Art. 4, it sends the Commissioner, on request, the following documents: a. the evaluation report; b. the certification documents.
2 Where the certification body, in the course of its monitoring activity, finds essential changes with regard to the certification requirements, including compliance with obligations or conditions, the certified organisation shall inform the Commissioner.
3 The Commissioner publishes a list of the certified organisations that are released from their obligation to register their files (Art. 28 para. 3 of the Ordinance of 14 June 1993 to the Federal Act on Data Protection). The list states, among other things, the period of validity of the certification.
SR 235.11

Section 3 Sanctions

Art. 9 Suspension and revocation of certification

1 The certification body may suspend or revoke a certification, in particular when, in the course of its monitoring (Art. 6 para. 2), it finds serious breaches. A breach is serious in particular when: a. the essential conditions for certification are no longer met, or b. the certified organisation uses the certificate in a misleading or abusive manner.
2 Any dispute concerning suspension or revocation is subject to the provisions of civil law applicable to the contractual relationship between the certification body and the certified organisation.
3 The certification body informs the Commissioner of any suspension or revocation, provided that the certification was communicated to the Commissioner in accordance with Art. 8 para. 1.

Art. 10 Monitoring procedure of the Commissioner

1 The Commissioner informs the certification body if, in the course of its supervisory activity within the meaning of Art. 27 or 29 LPD, it finds serious breaches by a certified organisation.
2 The certification body immediately invites the certified organisation to remedy the deficiencies within 30 days of receiving the Commissioner's communication.
3 If the certified organisation does not remedy the situation within the set period, the certification body suspends the certification. It revokes the certification if there is no prospect of achieving or restoring a lawful situation within an appropriate period.
4 If the certified organisation does not remedy the situation within the period prescribed in para. 2 and the certification body does not suspend or revoke the certification, the Commissioner issues a recommendation within the meaning of Art. 27 para. 4 or Art. 29 para. 3 LPD to the certified organisation or to the certification body concerned. It may in particular recommend that the certification body suspend or revoke the certification. If it addresses the recommendation to the certification body, it informs the Swiss Accreditation Service.
Section 4 Entry into force

Art. 11

This Ordinance comes into force on 1 January 2008.
Annex (Art. 1 para. 5)
Minimum requirements for the qualifications of certification body staff responsible for carrying out certifications

1 Certification of data protection management systems

The certification body must prove that the staff certifying data protection management systems, taken as a whole, have the following qualifications: knowledge of data protection law: proof of at least two years of practical activity in the field of data protection, or a diploma from a university or higher-education institution for a programme of at least one year with data protection law as the main subject; knowledge of IT security: proof of at least two years of practical activity in the field of IT security, or a diploma from a university or higher-education institution for a programme of at least one year with IT security as the main subject; training as a management systems auditor (in accordance with ISO/IEC Guide 62 [ISO/IEC 17021:2006]).
The certification body must prove that it has qualified staff for each of the areas it covers. Evaluation of management systems by an interdisciplinary team is permitted.
2 Certification of products

The certification body must prove that the staff certifying products, taken as a whole, have the following qualifications: knowledge of data protection law: proof of at least two years of practical activity in the field of data protection, or a diploma from a university or higher-education institution for a programme of at least one year with data protection law as the main subject; knowledge of IT security: proof of at least two years of practical activity in the field of IT security, or a diploma from a university or higher-education institution for a programme of at least one year with IT security as the main subject; expertise in product certification (in accordance with ISO/IEC Guide 65).
The certification body must prove that it has qualified staff for each of the areas it covers. Evaluation of products by an interdisciplinary team is permitted.