If you run a Swiss SME, you have probably heard of the record of processing activities, but you may be unsure whether it applies to you or where to start. This guide answers both questions and gives you a practical template you can adapt straight away.
What Is a Record of Processing Activities?
A record of processing activities is an internal document that lists every operation through which your organisation collects, uses, stores, transmits, or deletes personal data. Under Swiss law, the obligation is set out in Article 12 of the new Federal Act on Data Protection (nFADP, fedlex.admin.ch), known in German as nDSG and in French as nLPD, and is further detailed by Article 24 of the Data Protection Ordinance (DPO).
In practice, each row in the register corresponds to a distinct processing activity: for example, managing your mailing list, processing employee records, or analysing website traffic.
The register is not a public document; it stays internal. It must, however, be made available to the Federal Data Protection and Information Commissioner (FDPIC) upon request in the event of an inquiry or investigation.
Legal Basis: Who Must Maintain This Register?
Art. 12 para. 5 nFADP provides a formal exemption for organisations with fewer than 250 employees whose processing activities do not carry a high risk for data subjects. In practice:
- Mandatory for any organisation with 250 or more employees.
- Mandatory for any organisation, regardless of size, whose processing activities carry a high risk: extensive profiling, large-scale processing of sensitive data (health, political opinions, biometric data), systematic monitoring of publicly accessible areas, and so on.
- Strongly recommended for all other SMEs, even below the threshold.
That last point deserves attention.
Why Smaller SMEs Should Still Keep a Register
The legal exemption does not mean a register is useless for small organisations. The vast majority of Swiss compliance advisors recommend maintaining one regardless, and for good reason.
1. The FDPIC can investigate any organisation. If an employee, customer, or competitor files a complaint, the FDPIC can open proceedings regardless of your company size. A well-maintained register is tangible evidence of good faith that can positively influence the outcome of an inquiry.
2. The register structures your thinking. As you list your processing activities, you naturally identify data you collect without genuine need, retention periods that are longer than necessary, or third-party processors you have never considered from a data protection angle.
3. It feeds your privacy policy. A complete register is the single source of truth from which you populate your public-facing privacy policy: you know exactly what to include, with no risk of overlooking a processing activity.
4. It prepares you for access requests. The nFADP strengthens data subjects' right of access (Art. 25). With a register in place, you can establish within minutes what data you hold about a given individual and where it is stored.
Required Fields Under Art. 12 nFADP
Article 12 nFADP lists the minimum information each register entry must contain. Art. 24 DPO adds further requirements for processors. The controller (your organisation, in most cases) must document the following:
| Required field | Description |
|---|---|
| Identity of the controller | Company name, address, contact details of the data protection officer if one has been appointed |
| Purpose of processing | Specific purpose for which the data is collected and used |
| Categories of data subjects | Customers, employees, prospects, website visitors, etc. |
| Categories of personal data | Contact details, financial data, health data, browsing data, etc. |
| Categories of recipients | Internal or external parties receiving the data (processors, partners, authorities) |
| Retention periods | How long each category of data is kept before deletion or anonymisation |
| Data transfers abroad | Destination country, legal basis for transfer (adequacy decision, standard contractual clauses, etc.) |
| Security measures | Main technical and organisational measures in place (encryption, access controls, etc.) |
For processors (service providers that process personal data on your behalf), Art. 24 DPO requires similar entries, notably the identity of the controller on whose behalf they act.
Step-by-Step Guide: Building Your Register From Scratch
Step 1: Inventory your processing activities
Before filling in a single field, take a comprehensive look at every situation in which your organisation collects or uses personal data. Work through this department by department:
- Marketing: newsletter, online advertising, contact forms, website analytics?
- Sales: CRM, quote and invoice management, purchase history?
- HR: recruitment, personnel files, payroll, performance reviews?
- IT: connection logs, system access, backups?
- Finance: payments, accounting, bank statements?
Write everything down, including what seems obvious. You can refine the list afterwards.
Step 2: Group by coherent activity
Each distinct processing activity needs its own entry. The practical rule: if the purpose or the categories of data differ significantly, create a new entry. "Sending commercial newsletters" and "statistical website analysis" are two separate activities even if both involve email addresses.
Step 3: Identify the legal basis for each activity
The nFADP does not require you to formally document the legal basis in the register (unlike the GDPR), but it is best practice. Possible bases include: consent, performance of a contract, legal obligation, overriding legitimate interest, or protection of vital interests.
Step 4: Set retention periods
This is often the most difficult column to complete. Start from statutory obligations (Code of Obligations: 10 years for accounting records; employment law: varying periods depending on the document) and supplement with your own business rules. Where no specific obligation applies, apply the principle of proportionality: retain data only as long as necessary for the declared purpose.
Step 5: List processors and international transfers
For each processing activity, identify every third-party provider that accesses the data: hosting providers, SaaS tools, agencies, consultants. Note their location. If data is transferred to countries not recognised as adequate by the FDPIC, you must put appropriate safeguards in place (standard contractual clauses, binding corporate rules, etc.).
Step 6: Describe your main security measures
No exhaustive IT infrastructure catalogue is needed. Note the essential measures: encryption of data at rest and in transit, role-based access control, two-factor authentication, backup policy, incident response procedure.
Step 7: Keep the register up to date
The register is not a one-off document. Every time you launch a new service, adopt a new SaaS tool, or materially change an existing processing activity, update it. Plan for at least an annual review.
Template: A Ready-to-Use Table
The table below is a simplified template you can adapt in a spreadsheet or document management system. The four examples cover the most common processing activities in an SME.
| Processing activity | Purpose | Categories of data subjects | Data categories | Recipients | Retention period | International transfers | Security measures |
|---|---|---|---|---|---|---|---|
| Website analytics | Audience measurement, site improvement | Website visitors | IP address (anonymised), pages visited, session duration, device type | Google LLC (Google Analytics) | 14 months (configured in GA4) | United States (EU standard contractual clauses) | IP anonymisation enabled, prior consent via CMP |
| Marketing newsletter | Commercial communication, customer retention | Subscribers (customers and prospects) | First name, email address, open history | Brevo (Sendinblue) SA | Until unsubscription + 3 years | France (EU), adequacy recognised | Double opt-in, unsubscribe link in every send |
| Customer CRM | Customer relationship management, sales tracking | Customers, prospects | Name, first name, email, phone, purchase history, correspondence | Internal sales team, HubSpot Inc. | Duration of relationship + 10 years (CO) | United States (EU standard contractual clauses) | Role-based access, TLS encryption, 2FA |
| Employee data | HR management, payroll, legal obligations | Employees | Identity data, contact details, salary, contract, performance reviews, absences | Management, accounting, pension fund, tax authorities | Duration of employment + 10 years (CO) | None | Restricted HR/management access, encrypted storage, servers in Switzerland |
This table is a starting point. Adapt the columns to your actual tools and the complexity of your processing activities.
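Once the register lives in a structured form rather than free text, the checks described in Steps 4 to 7 can be automated: every row must carry the Art. 12 fields from the table above, and every transfer to a country not treated as adequate must name a safeguard. The script below is an added example written for this article, not PrivaGuard Business code. It encodes the four template rows plus one hypothetical, deliberately incomplete "Recruitment portal" row, and it uses a placeholder adequacy set (`ADEQUATE_DESTINATIONS`) that is an assumption for the example, not the FDPIC's official list.

```python
"""Lint a record of processing activities against the fields this article
lists for Art. 12 nFADP. Constructed example; field names are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

# Fields every controller entry must carry (purpose, subjects, data,
# recipients, retention, security). Transfers are checked separately.
REQUIRED_FIELDS = ("purpose", "data_subjects", "data_categories",
                   "recipients", "retention", "security_measures")

# Assumption: placeholder destinations treated as adequate for this example
# only. This is NOT the FDPIC's adequacy list; replace it with that list.
ADEQUATE_DESTINATIONS = {"CH", "EU"}
# Safeguards the article names for transfers to non-adequate countries.
ACCEPTED_SAFEGUARDS = {"standard contractual clauses", "binding corporate rules"}


@dataclass
class Transfer:
    destination: str                 # constructed code such as "US" or "EU"
    safeguard: Optional[str] = None  # e.g. "standard contractual clauses"


@dataclass
class Entry:
    activity: str
    purpose: str = ""
    data_subjects: list = field(default_factory=list)
    data_categories: list = field(default_factory=list)
    recipients: list = field(default_factory=list)
    retention: str = ""
    transfers: list = field(default_factory=list)
    security_measures: list = field(default_factory=list)


def check_entry(entry: Entry) -> list:
    """Return human-readable findings for one register row."""
    findings = []
    for name in REQUIRED_FIELDS:
        if not getattr(entry, name):
            findings.append(f"{entry.activity}: missing required field '{name}'")
    for t in entry.transfers:
        if t.destination in ADEQUATE_DESTINATIONS:
            continue
        if (t.safeguard or "").strip().lower() not in ACCEPTED_SAFEGUARDS:
            findings.append(f"{entry.activity}: transfer to {t.destination} "
                            "without a recognised safeguard")
    return findings


def check_register(entries) -> list:
    """Run check_entry over every row and flag duplicate activity names."""
    findings, seen = [], set()
    for e in entries:
        key = e.activity.strip().lower()
        if key in seen:
            findings.append(f"{e.activity}: duplicate activity name")
        seen.add(key)
        findings.extend(check_entry(e))
    return findings


# Constructed sample register: the four template rows, condensed, plus one
# hypothetical defective row (no retention period, US transfer, no safeguard).
SAMPLE_REGISTER = [
    Entry("Website analytics", "Audience measurement, site improvement",
          ["Website visitors"], ["IP address (anonymised)", "pages visited"],
          ["Google LLC"], "14 months",
          [Transfer("US", "standard contractual clauses")],
          ["IP anonymisation", "prior consent via CMP"]),
    Entry("Marketing newsletter", "Commercial communication",
          ["Subscribers"], ["first name", "email address"],
          ["Brevo SA"], "until unsubscription + 3 years",
          [Transfer("EU")], ["double opt-in", "unsubscribe link"]),
    Entry("Customer CRM", "Customer relationship management",
          ["Customers", "prospects"], ["name", "email", "purchase history"],
          ["sales team", "HubSpot Inc."], "relationship + 10 years",
          [Transfer("US", "standard contractual clauses")],
          ["role-based access", "TLS", "2FA"]),
    Entry("Employee data", "HR management, payroll",
          ["Employees"], ["identity data", "salary", "contract"],
          ["management", "accounting", "pension fund"],
          "employment + 10 years", [], ["restricted HR access", "encrypted storage"]),
    Entry("Recruitment portal", "Applicant tracking",          # hypothetical row
          ["Applicants"], ["CV", "contact details"],
          ["Hypothetical ATS vendor"], "", [Transfer("US")], ["2FA"]),
]

if __name__ == "__main__":
    for line in check_register(SAMPLE_REGISTER):
        print(line)
```

Run as-is, the script reports only the two defects in the hypothetical row; the four template rows pass. Running it on every register change, or on a schedule as the annual review, turns the "keep it up to date" step into something that fails visibly rather than silently drifting.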
What PrivaGuard Business Does for You
Managing this register in a spreadsheet is a reasonable start, but it becomes unwieldy as your processing activities grow. The Processing Register module in PrivaGuard Business lets you:
- Create and manage each processing activity in a structured interface
- Automatically generate a PDF document compliant with Art. 12 nFADP, ready to present to the FDPIC
- Receive update reminders when a new site or scanner is added
- Centralise your processing register, privacy policy, and consent banner in a single tool
It is the solution designed for Swiss SMEs that want solid compliance without hiring a full-time data protection officer.
Frequently Asked Questions
Do I have to use a specific format? No. The nFADP does not prescribe a particular format. A well-structured spreadsheet, a Word document, or a dedicated tool like PrivaGuard all work, provided they cover the fields required by Art. 12.
Does the register need to be in English? Not necessarily; it should be in the working language of your organisation. In the event of an FDPIC inquiry, you must be able to present it in an understandable form.
What are the risks of not having a register? The nFADP provides for criminal sanctions for certain violations (up to CHF 250,000 for the responsible individual), but the absence of a register is not automatically punishable by a fine. The real risk is reputational and operational: in the event of a security incident or a complaint, the absence of a register significantly weakens your position before the FDPIC.
Does a processor also need to keep a register? Yes. If you process personal data on behalf of clients as a service provider (hosting, outsourced accounting, etc.), Art. 24 DPO requires you to maintain a separate register of the processing activities carried out in that capacity.
The first step towards solid nFADP compliance starts with knowing what you actually collect. Scan your website for free with PrivaScan: in a few minutes you get a full list of every active cookie and tracker, categorised by type, with non-compliant elements clearly flagged.