Data protection officer (DPO)

The General Data Protection Regulation (GDPR) adopted on 27 April 2016 (Reg. 2016/679) came into force on 25 May 2018. It represents a major reform in the field of personal data protection, and directly applies to any organisation that regularly processes data on European citizens, which is the case of the Institute.

In order to be GDPR-compliant in all our activities, the Institute has appointed two employees as data protection officers (DPO), on secondment from their departments: Marielle Schneider and Céline Vilmen.

Position (GDPR art. 38)

To avoid conflicts of interest, the DPO is a completely independent function within the Institute. He/she is under the responsibility of Executive Management, reporting to them directly.

The DPO does not process data. Rather, he/she must be informed of all data protection issues and of all new data processes and projects being implemented. He/she has easy access to all data and processes.

Tasks (GDPR art. 39)

The DPO coordinates our data protection compliance. He/she is responsible for:

  • ensuring compliance with GDPR
  • informing and advising data processors
  • advice and follow-up on performing impact assessments about processing risks
  • establishing procedures for responding to requests and flagging up alerts
  • ensuring that data security is properly taken into account
  • maintaining documentation relating to data processing (Register)
  • cooperating with, and being the contact point for, supervisory authorities

In addition, and as a matter of priority, the DPO is responsible for ensuring compliance with Swiss data protection regulations (LPD).


The DPO is not accountable for any non-compliance with GDPR within the organisation. Respect for data protection is the responsibility of the Data Controller (DC) or Data Processor (DP). The DC or DP are required to ensure that processing is carried out in accordance with GDPR and they must be able to demonstrate this by keeping an updated Register.

Project organisation

Implementing compliance at the Institute will take two years. The DPO will begin by assessing the status of personal data protection by mapping Institute data and processes. Based on identified risks and needs, he/she will prioritise actions to be taken. In parallel, he/she will put in place internal processes, train and advise Data Controllers, and establish forms and procedures.

For all questions: single point of contact

  • Marielle Schneider: present Monday-Thursday (Wednesday telecommuting)
  • Céline Vilmen: present Tuesday-Friday

DPO - Contact email   |   MSC - 29.10.2018