Data breach notification policy

1 - Definition

A breach of personal data is a breach of security resulting in destruction, loss, alteration, unauthorized disclosure or accidental or illegal access to personal data transmitted, stored or processed. A "breach", for these purposes, is identifiable as a security incident that has affected the confidentiality, integrity or availability of personal data.

As indicated above, a data breach for these purposes has a broader scope than data loss. The following are examples of data breaches:

  • Access by an unauthorized third party;
  • Deliberate or accidental action (or inaction) by a Data Controller or a person responsible for the processing of data;
  • Sending personal data to an incorrect recipient;
  • Loss or theft of computer devices containing personal data;
  • Alteration of personal data without authorization;
  • Loss of availability of personal data.


2 - Notification

For the purposes of this policy, a data breach will be notifiable if the company considers that it is likely to pose a risk to the rights and freedoms of individuals. If it does not pose this risk, the breach is not subject to notification, but it will be entered in the company's register of breaches.

A risk to the rights and freedoms of individuals may include physical, material or non-material damage such as discrimination, identity theft or fraud, financial loss, and damage to reputation.

In assessing the likelihood of a risk to the rights and freedoms of individuals, the company will consider the following:

  • The type of breach;
  • The type of data involved, including what they reveal about individuals;
  • The amount of data involved;
  • The data subjects, e.g. their number, the ease with which they can be identified, whether they are children, etc.;
  • The seriousness of the consequences for the data subjects; and
  • The nature of the company's work and the seriousness of a breach.


3 - Actions undertaken by the company in the event of a breach

When the company is informed of a breach, it shall immediately initiate an investigation into what has happened and into the measures to be taken to limit the consequences. At that time, it will be determined whether the breach is considered a notifiable breach and whether it is considered to pose a high risk to the rights and freedoms of individuals.

In the event of a notifiable breach, the company shall notify the Swiss Federal Data Protection and Transparency Officer (PFPDT) without undue delay and no later than 72 hours after it becomes aware of the breach. If the notification is made beyond that period, the company shall provide the reasons to the PFPDT.

If it has not been possible to conduct a full investigation into the breach in order to give full details to the PFPDT within 72 hours, an initial notification of the breach will be made within 72 hours, giving as much detail as possible, as well as the reasons for incomplete notification and an estimated time limit for full notification. The initial notification will be followed by another communication to the PFPDT to provide the remaining information.

The following information shall be provided when a breach is notified:

  • A description of the nature of the personal data breach, including, where possible:
    • The categories and approximate number of data subjects; and
    • The categories and approximate number of personal data records concerned.
  • The name and contact details of the Data Protection Officer from whom additional information may be obtained;
  • A description of the likely consequences of the personal data breach; and
  • A description of the measures taken, or that it is proposed to take, to deal with the personal data breach, including, where appropriate, measures taken to mitigate any possible adverse effects.


4 - Notification to the data subjects

In the event of a notifiable breach which poses a high risk to the rights and freedoms of individuals, the company shall notify the data subjects themselves, i.e. the persons whose data are affected by the breach, as well as the supervisory authority. Such notification shall be made without undue delay and may, depending on the circumstances, be made before the supervisory authority is notified.

A high risk may be, for example, when there is an immediate threat of identity theft, or if special categories of data are disclosed online.

The following information shall be provided when a breach is notified to the data subjects:

  • A description of the nature of the breach;
  • The name and contact details of the Data Protection Officer from whom additional information may be obtained;
  • A description of the likely consequences of the personal data breach; and
  • A description of the measures taken, or that it is proposed to take, to deal with the personal data breach, including, where appropriate, measures taken to mitigate any possible adverse effects.

The company records all personal data breaches, whether notifiable or not, as part of its general liability obligation under the GDPR. It records the facts of the breach, its effects and the corrective measures taken.