Dataprotection Guideline_ENGL_Winter 2024-25

Guide for Conducting

Data Protection Impact Assessments

Gstaad Palace

1. Purpose and Basis

This guide (Guide) aims to provide the responsible employees of the company Gstaad Palace (Company) with the fundamental basics for conducting a Data Protection Impact Assessment (DPIA) and, together with other measures and documents, enable them to carry out DPIAs in accordance with applicable data protection laws. The specific responsibilities are described in detail in Section 14 of this Guide.

The Guide is based on the requirements of the current and also the revised Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR).

In addition to this Guide, the competent data protection department may have to adopt country-specific rules and take them into account.

2. Objective of this Guide

This Guide describes what a DPIA is, when it must be carried out and how.

3. Scope

This Guide applies to all employees of the Company who process personal data or are potentially involved in data processing activities and who may thus have to carry out a DPIA. Within the scope of their employment relationship, employees are obliged to comply with all applicable data protection laws as well as with this Guide.

4. Definitions

The applicable data protection law defines some important terms.

The definition of personal data is especially relevant:

Personal data

Definition

Personal data means all information relating to an identified or identifiable natural person

Sensitive personal data

Personal data of the following categories: data on religious, ideological, political or trade union-related views or activities; data concerning health, intimate sphere, or racial or ethnic origin; genetic data; biometric data that uniquely identify a natural person; data concerning administrative or criminal proceedings and sanctions; data concerning social security measures.

"Persons" refers to natural persons and not legal entities. Information about a contact person of a supplier or another company in B2B relationships is also considered personal data.

The applicable data protection law does not contain a definition of the term "Data Protection Impact Assessment". The purpose of a DPIA is to assess the risks associated with a specific data processing before it is started. Based on the DPIA, risk-mitigating measures can then be implemented.

5. What is the purpose of a DPIA?

A DPIA is a tool for a systematic and comprehensive analysis of processing activities and for the identification and mitigation of data protection risks in a specific case. A DPIA should in particular consider the risks to the privacy and the fundamental rights of the data subjects. Therefore, a DPIA focuses on the potential damage to the data subjects or to society as a whole, whether physical, material or non-material.

To assess the risk associated with a processing activity, a DPIA must take into account both the probability and the severity of the impact on data subjects. A DPIA does not have to conclude that all risks have been eliminated. It helps the Company to document and assess whether the remaining risks are justified and whether the processing activity can therefore be carried out.

6. Time for Conducting DPIA

DPIA must be conducted in accordance with the law before the start of a processing activity that is likely to result in a high risk to the privacy or the fundamental rights of the data subjects (see Section 7 below).

If DPIA is required for a data processing activity, it should be carried out as early as possible in a project, particularly before the organization initiates or modifies any processing activity. Ideally, the DPIA should be conducted in parallel with the project's planning and development process.

7. Preliminary assessment: is a DPIA required?

Under current data protection law, not every new processing activity or modification of an existing processing activity requires the conduct of a DPIA. In an initial preliminary assessment, it is evaluated whether a specific processing activity necessitates the performance of a DPIA or not.

A DPIA is legally required when a processing activity is likely to result in a high risk to the privacy and the fundamental rights of the data subjects.

Whether a high risk is likely to exist depends on several criteria and is not always easy to assess. There are, however, two legally prescribed cases in which a high risk is always presumed and therefore a DPIA must be conducted:

1. extensive processing of sensitive personal data, or

2. systematic and extensive monitoring of public areas (e.g., video surveillance)

In all other cases, the necessity of conducting a DPIA is less clear. According to the law, a high risk may arise from the following aspects:

1. the use of new technologies,

2. the nature of the processing,

3. the scope of the processing,

4. the circumstances of the processing, or

5. the purpose of the processing

Important: whether the processing actually poses a high risk becomes clear only after the DPIA has been conducted. The preliminary assessment therefore focuses on the overarching question: are there any characteristics that indicate a potentially high risk?

Many data protection authorities have published examples in guidelines and checklists of data processing activities that may indicate a potentially high risk. In Annex 2, some examples are provided as a guide to when a DPIA may be required.

Important: such guidelines and checklists are formulated in a general manner and cannot consider all facets of individual cases - just like this present guide. The inclusion of a data processing activity in Annex 2 or other checklists by data protection authorities does not mean that these types of processing are always associated with a high risk. It simply indicates the reasonable possibility that they may be associated with a high risk, requiring a DPIA to assess the level of risk more precisely.

If the intended data processing is not described in Annex 2 or in the checklists of data protection authorities, the Company shall determine whether, considering the nature, scope, context and purposes of the processing, it is likely to pose a high risk. In case of doubt, a DPIA should be conducted. It is important to document the reasons for or against conducting a DPIA.

Prior to the introduction of new data processing activities and systems, or of new business processes and services involving the processing of personal data, the person responsible shall inform the data protection coordination unit in a timely manner. This notification is also required when existing processes or processing purposes are to be changed; in that case, the person primarily responsible for the change shall notify the data protection coordination unit. New data processing activities and systems, or changes to existing processing activities, should only be carried out after consultation and assessment by the data protection coordination unit.

To ensure that new applications and IT solutions are introduced and implemented in accordance with applicable data protection regulations, employees shall not implement such applications and IT solutions on their own.

8. Conduct of a DPIA

The assessment of the necessity of a DPIA (see Section 7 above) is a preliminary assessment and therefore not part of the actual DPIA. However, the preliminary assessment is closely related to the conduct of the DPIA, which is why it is included in the following list of steps.

In general, conducting a DPIA involves the following steps:

1. Contacting the data protection coordination unit and assessing the need for a DPIA

2. Description of the processing activity

3. Assessment of the necessity and proportionality of the processing activity

4. Identification and assessment of risks

5. Identification of measures to mitigate risks

6. Checking whether there is an obligation to consult the relevant data protection authority

7. Documentation of the results

8. Integration of risk mitigation measures into the planned processing activity

9. Regular review of the DPIA

9. Content of a DPIA

A DPIA is conducted by the Company using the questionnaire in Annex 1 and can cover a single processing operation or a series of similar processing operations. The questionnaire provides the necessary information for conducting the DPIA.

The completed questionnaire shall be submitted to the data protection coordination unit for documentation and approval.

Processing activities may only be carried out after approval by the data protection coordination unit.

Companies within a corporate group can jointly conduct a DPIA for identical data processing activities, provided that the same applicable law applies to all involved group companies or their data processing. This should be carefully examined. It may occur that one group company is subject exclusively to the FADP, while other group companies are subject to the GDPR, for example. Although this guide aligns with the requirements of both the FADP and the GDPR, there may be slight deviations.

Annex 1 is mostly self-explanatory. Section 2 of Annex 1 (Necessity of a DPIA) refers to the preliminary assessment described in Section 7 above. Please note that even if the preliminary assessment determines that no DPIA is required, Annex 1 must be completed at least up to Section 2; this allows for later traceability of the reasons why a specific processing activity did not require a DPIA. The following explains the aspects to consider regarding Section 5 of Annex 1 (Identification and Assessment of Risks) and Section 6 of Annex 1 (Measures for Risk Mitigation).

10. Identification and Assessment of Risks (Section 5 of Annex 1)

As part of the DPIA, the Company must examine the potential impact on the data subjects and any harm that the intended data processing could cause, whether physical, emotional or material, and in particular whether the data processing could lead to the following situations for the data subjects:

- inability to exercise rights (including but not limited to data protection rights);

- impossibility to access services;

- loss of control over the use of personal data;

- discrimination;

- identity theft or fraud;

- financial loss;

- damage to reputation;

- physical injury;

- loss of confidentiality;

- re-identification of pseudonymised data; or

- any other significant economic or social disadvantage.

The DPIA shall consider all possible sources of risk. It should identify the threats that could lead to unauthorised access, unwanted alteration or loss of data or to other risk scenarios, identify the possible effects of each such event on the privacy and the fundamental rights of the data subjects, and assess the probability and severity of the event.

The risk is evaluated based on the intersection of the probability and severity of a specific event. The Company must conduct an objective assessment of the risks. It is helpful to use a structured matrix to consider the probability and severity of risks.

11. Identification of Measures for Risk Mitigation (Section 6 of Annex 1)

For each identified risk, the cause should be identified and measures for mitigating the risk should be explored. The following risk mitigation measures are exemplary options:

- Decision not to collect certain types of data;

- Reduction of the scope of data processing;

- Shortening retention periods;

- Implementation of additional technical security measures;

- Training of staff to anticipate and manage risks;

- Anonymisation or pseudonymisation of data where possible;

- Development of internal guidelines or processes to avoid risks;

- Adoption of alternative technology;

- Clear agreements on data sharing in a joint controller scenario;

- Amendments to privacy notices;

- Provision of an option for data subjects to opt-out of data processing; or

- Introduction of new systems to assist data subjects in exercising their rights.

This list is not exhaustive.

In Section 6 of Annex 1, it should be documented whether a measure would reduce or mitigate the risk. The Company may consider the costs and benefits of each measure to determine its appropriateness. These considerations should also be documented.

12. Consultation with the competent data protection authority

The Company first obtains approval from the data protection coordination unit before consulting the competent data protection authorities.

The data protection coordination unit shall determine whether consultation with the relevant data protection authority is necessary. In general, consultation with the relevant data protection authority is required if the DPIA indicates that, despite the planned measures, the intended processing still poses a high risk to the privacy or the fundamental rights of the data subjects.
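Sections 10 to 12 describe one chain of reasoning: rate each risk from the intersection of probability and severity, record for each medium or high risk the measures and the remaining risk (Section 6 of Annex 1), and consult the authority if a high risk remains. The following script is an added example of a small risk register that keeps these three steps consistent; it is not part of the Guide or of any Company tool. The three-step scale, the 3x3 matrix, the rule that approved measures combine by taking the lowest level each reaches, and the sample register for a hypothetical guest-profiling project are all assumptions.

```python
from dataclasses import dataclass, field

# Ordinal scale assumed for both axes (the Guide prescribes a matrix, not a scale).
LEVELS = ("low", "medium", "high")

# Assumed 3x3 matrix: RISK_MATRIX[severity][probability] -> risk level.
RISK_MATRIX = {
    "low":    {"low": "low",    "medium": "low",    "high": "medium"},
    "medium": {"low": "low",    "medium": "medium", "high": "high"},
    "high":   {"low": "medium", "medium": "high",   "high": "high"},
}


def rate(probability: str, severity: str) -> str:
    """Risk level at the intersection of probability and severity (Section 10)."""
    if probability not in LEVELS or severity not in LEVELS:
        raise ValueError(f"unknown level: {probability!r}/{severity!r}")
    return RISK_MATRIX[severity][probability]


@dataclass
class Measure:
    """One mitigation (Section 11) and the levels it brings the two axes down to."""
    name: str
    probability_after: str
    severity_after: str
    approved: bool = False  # approval is recorded in Section 7 of Annex 1


@dataclass
class Risk:
    """A harm to data subjects from the Section 10 list with its initial assessment."""
    ident: str
    harm: str
    probability: str
    severity: str
    measures: list = field(default_factory=list)

    def initial_level(self) -> str:
        return rate(self.probability, self.severity)

    def needs_measure(self) -> bool:
        # Section 6 of Annex 1 asks for measures for risks rated medium or high.
        return self.initial_level() in ("medium", "high")

    def residual(self) -> tuple:
        """Residual (probability, severity, level) after approved measures only.
        Assumption: measures combine by taking the lowest level each reaches."""
        p, s = self.probability, self.severity
        for m in self.measures:
            if m.approved:
                p = min(p, m.probability_after, key=LEVELS.index)
                s = min(s, m.severity_after, key=LEVELS.index)
        return p, s, rate(p, s)


def section6_rows(risks: list) -> list:
    """Rows of the Section 6 table: risk, measures, effect, remaining risk, approval."""
    rows = []
    for r in risks:
        if not r.needs_measure():
            continue  # low risks need no entry in the mitigation table
        p, s, level = r.residual()
        rows.append({
            "risk": r.ident,
            "harm": r.harm,
            "initial": r.initial_level(),
            "measures": [m.name for m in r.measures if m.approved],
            "effect": f"{r.initial_level()} -> {level}",
            "remaining": level,
            "approved": bool(r.measures) and all(m.approved for m in r.measures),
        })
    return rows


def must_consult_authority(risks: list) -> bool:
    """Section 12: consultation is required if a high risk remains despite measures."""
    return any(r.residual()[2] == "high" for r in risks)


# Constructed sample register for a hypothetical guest-profiling project (not real data).
SAMPLE = [
    Risk("R1", "re-identification of pseudonymised data", "medium", "high", measures=[
        Measure("keep the pseudonym key in a separate, access-controlled service", "low", "high", approved=True),
        Measure("shorten retention of profiles to 12 months", "low", "medium", approved=True),
    ]),
    Risk("R2", "loss of control over the use of personal data", "high", "medium", measures=[
        Measure("opt-out from profiling in the guest portal", "medium", "medium"),  # not yet approved
    ]),
    Risk("R3", "damage to reputation", "low", "low"),
]

if __name__ == "__main__":
    for row in section6_rows(SAMPLE):
        print(row)
    print("consult authority:", must_consult_authority(SAMPLE))
```

Run stand-alone, the script lists R1 (reduced from high to low by two approved measures) and R2 (still high because its only measure is not yet approved) and reports that the authority must be consulted; once R2's measure is approved, the residual drops to medium and the consultation flag clears. The point for the practitioner is that an unapproved measure must not lower the residual risk on paper.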

Where necessary, the data protection coordination unit may seek the opinion of the data subjects or their representatives regarding the planned processing. The data protection coordination unit shall determine how and when such consultation should be conducted.

13. Regular review of DPIA

The Company or the responsible employees shall review the DPIA regularly and upon request of the data protection coordination unit. A DPIA shall be conducted again if there are significant changes in the nature, scope, context, or purposes of the processing activity.

The data protection coordination unit may establish the periodicity for the regular review of DPIAs in a directive or, at its discretion, require the Company to review all or certain DPIAs.

14. Responsibilities

14.1

Management

Management establishes the overall framework for conducting DPIAs. It appoints one (or more) person(s) responsible for data protection, the data protection coordination unit, which acts as the lead, advisory and controlling body for conducting DPIAs.

14.2

Supervisors

Supervisors at all levels are responsible for enforcing and complying with data protection regulations within their areas of responsibility. They collaborate with the data protection coordination unit to provide training and awareness to their employees. They act as role models and encourage employees to comply with data protection measures.

14.3

Employees

Each employee must ensure that the data protection coordination unit is involved in the planning of future processing activities at an early stage. Within their area of responsibility, employees are responsible for providing the data protection coordination unit with all information in accordance with Annex 1. Employees must follow the instructions of the data protection coordination unit.

14.4 Data Protection Coordination Unit

The Company appoints a data protection coordination unit. The data protection coordination unit is the central point of contact for questions relating to data protection and data security and is also the advisory authority when conducting DPIAs. It can be contacted via fbm@palace.ch or telephone 861.

The data protection coordination unit is responsible for ensuring that DPIAs are carried out in accordance with the law and that each DPIA conducted is documented in order to comply with accountability standards. It shall ensure that the documentation is retained for a minimum of two years.

Switzerland: if the data protection coordination unit meets the requirements of Article 10(3) of the FADP, the Company may refrain from consulting the FDPIC in accordance with Article 23(4) of the FADP.

15. Sanctions

Violations of this Guide may result in disciplinary measures and/or civil and/or criminal proceedings.

16. Final Provisions

16.1 Amendments and Supplements

This Guide may only be amended, supplemented or rescinded by written resolution of the management. Any addition, deletion or modification of individual provisions shall qualify as an amendment or supplement. Corrections of a formal nature are excepted from this.

16.2 Additional Documents

This Guide is the basis for conducting DPIA. The guide can be used as a basis for developing other documents that are required in connection with the processing of personal data, in particular user-specific or department-specific guides.

16.3 Integrated Annexes

The following Annexes are an integral part of this Guide:

Annex 1: DPIA questionnaire

Annex 2: Examples

In the event of contradictions, this Guide shall prevail.

16.4 Miscellaneous

This Guide shall be available to all employees via the Company's existing instruction system or via other channels as determined by the data protection coordination unit.

Amendments or supplements to this Guide shall become effective at the moment of publication on https://issuu.com/gstaadpalace/docs/guideline_for_conducting_dpia_en_11.01.2025.docx?fr=sYTNlNTY5Mjg5ODA

16.5 Effective Date

This Guide shall become effective on Monday, 13th January 2025.

Annex 1

DPIA questionnaire

1. Information about the Controller(s) (to be filled in for each processing activity)

Name of the Controller(s)

Name and contact details of the Data Protection Officer (if applicable)

Name of the contact person(s) responsible for the processing

2. Pre-assessment: legal obligation to carry out DPIA? (to be filled in for each processing activity)

Please provide a rough overview of what your project aims to achieve and what type of data processing it involves. Describe whether the processing is likely to pose a high risk to the privacy or fundamental rights of the data subjects, taking into account the nature, scope, context, and purposes of the processing. In case of doubt, a DPIA should be conducted. If you rely on examples from guidelines, checklists, or Annex 2, describe how the specific processing differs from or resembles the examples used. It is important to document the reasons for or against conducting a DPIA, even if it is concluded that no DPIA is necessary.

3. Describe the data processing (starting from here, only fill in if DPIA needs to be conducted)

Describe the nature of the processing (most of the information requested here should be taken from the record of processing activities):

In a few keywords, what is the data processing about? What types of data processing are conducted (collection, disclosure, retention, deletion, etc.)?

Which processing activities, identified as likely to be high-risk, are being conducted?

From which source do the data originate?

Are the data shared with third parties, and if so, with which ones? Please include diagrams or other documentation regarding the data flow.

Describe the scope of the processing:

How much data is processed and how often?

How long is the data retained?

How many persons are concerned by the processing activity?

Are personal data from other jurisdictions (e.g., the EU) also processed, and if so, which countries are concerned?

Describe the context of the processing:

What is the nature of the relationship between the Company and the data subjects? What control do the data subjects have over the processing of their data?

What are the reasonable expectations of the data subjects? Can the data subjects reasonably expect this nature of data processing?

Are personal data of children or other particularly vulnerable persons processed?

Have there been any concerns regarding the nature of processing or potential security vulnerabilities?

Is the processing activity in some way new?

What is the current state of the art in this field?

Has the Company (or any subcontractor) signed up to an approved code of conduct or certification scheme (once such a code or scheme has been approved by the data protection authorities)?

Are there any current topics of public interest in connection with the planned data processing that should be taken into account?

Describe the purpose of the processing:

What is the purpose of the processing activity?

What is the intended effect on the data subjects?

What are the benefits of the processing?

4. Assessment of Necessity and Proportionality

Describe in particular the measures taken to comply with data protection regulations and to ensure the proportionality of the processing activities:

How is compliance with the principles of data processing ensured (lawfulness of data processing, good faith in data processing, purpose limitation, principle of proportionality, data accuracy, data security)?

FADP: if the principles of data processing are not complied with: which justification under Article 31 of the FADP is applicable?

GDPR: which legal basis under Article 6 of the GDPR (consent, contract, legal obligation, legitimate interest) is relevant for the data processing?

Does the processing actually achieve its purpose?

Is there an alternative way to achieve the same result?

How are so-called function creeps, i.e., gradual function enhancements in software/applications, avoided or monitored?

How is data quality and data minimization ensured?

What information is provided to data subjects?

How is it ensured that data subjects can exercise their rights (e.g., the right to access)?

What technical and organisational measures are implemented to protect personal data?

What measures are taken to ensure that any processors employed comply with data protection regulations?

What safeguards are implemented to ensure an adequate level of data protection for personal data transferred abroad?

5. Identification and Assessment of Risks

Description of the risks and effects on the data subjects

If relevant, any related compliance risks and corporate risks shall be included.

6. Measures for Risk Mitigation

Additional measures that can be taken to reduce or mitigate the risks classified in Section 5 as medium or high. For each such risk, the table records:

- Risk

- Technical or organisational measures to reduce or mitigate the existing risk

- Effect on the risk

- Remaining risk

- Approved measure

7. Approval and Documentation of the Results of the DPIA

Name/Function/Date

Measures approved by:

Residual risks approved by:

Responsible person at the data protection coordination unit:

Comment

Integrate the measures into the project plan

If, despite the implemented measures, there is still a high residual risk, the competent data protection authority must be consulted before implementing the processing activity.

The data protection coordination unit contributes to compliance with the regulations and implementation of the measures outlined in Section 6, and provides a recommendation for carrying out the processing activity.

Summary of the recommendations of the data protection coordination unit

Recommendation from the data protection coordination unit accepted or rejected by:

Comments:

The responses from the consultation with the competent data protection authority were reviewed by:

Comments:

This DPIA is regularly reviewed by:

If the recommendations are rejected, the reasons for the rejection must be specified.

The data protection coordination unit should also verify the ongoing compliance with the DPIA.

Annex 2

Examples of the necessity for conducting DPIA

The list provided in this Annex is a compilation of examples from various guidelines and does not claim to be exhaustive. In each case, it is necessary to examine whether the competent data protection authorities have published their own lists. The inclusion of examples for assessing whether a DPIA needs to be conducted or not should be documented under Section 2 of Annex 1.

For each example, the second line states whether a DPIA is required.

Decisions regarding a data subject's access to a product or service that are based, to some extent, on an automated individual decision (including profiling) or involve the processing of sensitive personal data.
DPIA required: Yes

The use of innovative technologies such as AI, intelligent transportation systems, smart technologies (smartwatches or wearables), or market research involving neuro-measurements such as analysis of emotional reactions.
DPIA required: Yes

The use of a camera system to monitor customer behaviour in retail stores through an intelligent video analysis system to identify customers and offer them tailored services based on their existing profiles.
DPIA required: Yes

Systematic monitoring of employees' activities, including workplace monitoring, internet activities, etc.
DPIA required: Yes

Collecting public social media data to create profiles.
DPIA required: Yes

An e-commerce website displaying advertisements for specific products or services based on the items viewed or purchased on the same website.
DPIA required: No

An online shop using a mailing list to send a general daily summary (of top news) to its subscribers.
DPIA required: No
