Frequently asked questions about our certification.
Yes, we are familiar with the major challenges of deletion, even in regulated industries such as banks.
No, because the regularity requirements demand correct data. Non-deletable archives inevitably accumulate erroneous data that ought to be deleted. The topic only became really pressing with the GDPR, however, because the ability to delete is a core competence in data protection.
Data protection compliance is a broad field. We specialize in the "difficult" issues surrounding data protection. These typically include integrity protection and the erasability of data held in applications, as well as privacy by design and privacy by default capabilities. These issues are addressed during the pre-clearance process. The customer decides whether a data protection audit should take place.
With the GeBüV (Business Records Ordinance) certification, you receive a certificate confirming that the digitization solution examined complies with the applicable legal standards.
The neutral certificate conveys confidence and provides assurance that the solution complies with the legal requirements. It increases the probative value of electronic evidence, as the procedures are sufficiently documented and meet the regularity requirements. It reduces the effort required in the event of an audit by the auditors. It can become very expensive if you want to claim input tax on electronic invoices and have not secured their evidential value.
In addition to the GeBüV, other relevant sources are included, as is the KRM's wealth of experience. These fundamentals are recorded in the KRM BOK (Body of Knowledge) and serve as the reference for testing and certification.
No, we agree with the customer which system or process is to be investigated and tested. The certificate states the scope of the investigation and the basis of the assessment.
Switzerland has no official certification in this area, because in a legal case the judge acts according to the principle of free evaluation of evidence. However, a party's credibility and diligence increase substantially when an independent review by a neutral reviewer can be presented. The KRM has the most experience in assessing digitization solutions, owing to its long track record and its involvement in legislation.
KRM’s experts have been dealing with the topics of electronic data storage, retention, information security, data protection and contract law for more than 25 years. KRM experts were involved in drafting the GeBüV as industry experts and have been writing expert opinions on the GeBüV and related procedures for years.
The KRM has no ties to providers or to other parties that could affect our neutrality. The KRM offers only product-neutral consulting, and KRM experts also act as neutral evaluators.
Yes, of course we test the systems presented to us to the best of our knowledge and belief. If a system falls below the minimum level of due diligence, we refuse to issue a certificate.
We offer a retest, which should normally take place within two years of the initial test. As a rule, certificates are valid for two years, although this always depends on whether the tested system has been significantly modified.
During initial certification, all necessary parameters are recorded and documented. We record the reviewed system in a database together with the version of the BOK (Body of Knowledge) that was used. This allows us to re-certify efficiently and to provide information at any time on what was audited.
The price depends on three main factors:
1. the complexity of the system under review,
2. the number of external partners (systems/contracts), and
3. the laws and standards to be examined (e.g. national only, international, industry standards).
In addition, the specific risk situation must be taken into account. This is usually expressed in the laws and standards to be followed, but the level of care can also be deliberately raised. We will be happy to provide an individual quote for the preparation.
No, of course our BOK (Body of Knowledge) draws on all relevant legal texts and other applicable specifications. In the context of digitization, these are primarily data protection regulations, commercial law requirements, and special legal requirements (e.g. tax law) or sector-specific legal retention rules (e.g. plant engineering, pharmaceuticals, financial industry).
No, because this term does not exist in Switzerland. No consultant, no auditor and no certification body can make such a statement or give such an assurance (e.g. backed by a contractual penalty), and no manufacturer would sign such a guarantee. In Switzerland, the standard is so-called "regularity", i.e. the care required for the specific matter to be audited and the associated procedures and techniques. This standard evolves over time; in addition to the mandatory legal provisions, it comprises established practice and the level of requirements customary in the sector. A bank must meet much higher requirements than a small craft business, so the same standard is not applied in every review. We know the requirements and will inform you if the level of care you have chosen does not meet the industry standard. In such cases, we do not issue a certificate.
You will receive a certificate in which the scope of the test and the test result are recorded. In addition, you will be issued a personalized certificate mark, which you can attach to products, documents, websites, etc. This certification is based on a comprehensive report documenting the results of the investigation. The report also records if, for example, certain parts of the process could not be certified (gap analysis). These gaps can then be closed at a later date (re-certification).
Of course, we also audit third parties that provide services (e.g. cloud providers, data centers, external service providers), provided we have access to their services and are thus able to conduct an objective audit.
The normal period of validity is two years. Depending on the scope and complexity of the test or change intervals, the validity may also be reduced. For systems or products, the certifications apply to the respective tested system status (release).
Electronic invoices are accepted by the tax authorities only if their evidential value is established, i.e. the invoice recipient must prove that the invoices meet the VAT requirements. This can be ensured through various processes. As the invoice recipient, you can demonstrate that you meet these requirements by means of an independent review.
Call: +41 44 888 10 11
or by mail to firstname.lastname@example.org