Privacy & DSGVO
GDPR, Swiss DSG, data transfers, processor agreements, breach playbooks.
Do you need a DPO? The SME decision in Switzerland and Germany
When appointing a Data Protection Officer is legally required, when it's recommended, and the cost calculus for DACH SMEs.
Data transfers between Switzerland, the EU, and beyond
Adequacy decisions, Standard Contractual Clauses, the Swiss-US framework. How to legally move data across borders as a DACH SaaS.
Processor agreements for SaaS: The DPA checklist
Data Processing Agreement requirements under GDPR Article 28, with a concrete checklist for SaaS processor contracts.
The data breach notification playbook
The 72-hour clock, what to document, who to tell, and how to avoid turning a small breach into a regulatory escalation.
Cookie consent in 2026: What actually works
Post-TTDSG, post-ePrivacy patchwork, with CNIL and DSK enforcement active. The cookie consent patterns that hold up to audit.
Data subject request workflows for SMEs
Access, deletion, portability — how to handle DSRs without dedicated privacy engineering resources.
GDPR records of processing: The Article 30 guide
What goes in your RoPA, who's exempt, and the maintenance discipline that separates paper compliance from operational compliance.
When do you need a DPIA, and how do you run one?
DPIA triggers, methodology, and the common AI-era scenarios that turn standard processing into high-risk under Article 35.
Breach notification: GDPR vs Swiss nFADP
The 72-hour GDPR clock vs the "as soon as possible" Swiss rule. How cross-border DACH SaaS handles dual-regime breach response.
GDPR vs Swiss DSG: Where they diverge
The revised Swiss FADP looks like GDPR but differs in important practical ways. A comparison for DACH-focused businesses.