Enterprise Mobility Management
In order to warrant an appropriate level of personal data protection, an employer must implement Technical and Organisational Measures (TOMs) as set out in article 7 of the Federal Act on Data Protection (FADP) and articles 8 to 12 of the Ordinance to the Federal Act on Data Protection (OFADP). Said TOMs have to be adapted to the specific case and to the expected risks in connection with the use of particular devices, applications and technologies. In this context, special attention must be given to the use of mobile devices, such as smartphones, tablets, or laptops, particularly if such devices are not only used for business but privately and, therefore, there is a risk of mixing the personnel’s business and private data. This could pose a problem, particularly in case of remote deletion of data when a device is lost or stolen or in order to abide by obligations to retain records. Consequently, depending on whether the company follows a “Bring Your Own Device” (BYOD), “Choose Your Own Device” (CYOD) or “Corparate-Owned, Privately Enabled” (COPE) strategy, different legal implications arise concerning integration, administration and security of the mobile devices. It is therefore advisable to minimise the risks as a whole through a so-called Enterprise Mobility Management (EMM). Such EMM must of course always comply with all legal data protection requirements, especially, when cloud-based technologies through which transborder data flows may take place are to be used, such as for instance a virtual mobile infrastructure (VMI).