Swiss Data Protection Act
The revised Data Protection Act (DPA)
Switzerland is carrying out a total revision of its outdated Data Protection Act (DPA). The reasons for this are, in addition to alignment with the standards of the EU's General Data Protection Regulation (GDPR), the need to adapt the law to current technological and social conditions, which have changed greatly over the years.
Such a change to the outdated DPA is urgently needed: the existing adequacy decision for Switzerland is still valid, but at the next regular review of that decision the EU would no longer be able to attest that Switzerland has an equivalent level of data protection.
Recommendations for action for companies under the new revDPA
Companies based in Switzerland that act as controllers or processors within Switzerland, as well as companies involved in data transfers to and from Switzerland, should consider the following measures under the new revDPA:
- Duty to inform the persons concerned: Data subjects should be adequately informed of current and future data transfers.
- Inventory of processing procedures: Companies should review all processing operations in which personal data are processed.
- Guidelines for requests from affected persons: Companies should create processes for handling enquiries from affected persons.
- Identify and report data protection incidents: Companies need to train their employees to recognise and report data protection incidents. Such a reporting process should be integrated in every company in order to meet reporting deadlines.
- Data protection representative: Companies from the UK must check whether they need a data protection representative in Switzerland. In the same way, companies from Switzerland must check whether they need a data protection representative in the UK.
Important innovations
We will not list all of the innovations here. In our view, the innovations listed below are the most important:
Under the revised Data Protection Act, data processing is no longer limited to data processing that takes place within Switzerland. The scope of application is extended to data processing that takes place in Switzerland, even if it was initiated abroad.
In another respect the scope of application is restricted. While the current DPA applies to data of both natural and legal persons, the revised DPA limits the scope of application to natural persons only.
The information obligation has now been extended to all data processing, comparable to the information obligations in Art. 13 and 14 UK GDPR. The following is the minimum information that must be provided to the data subject:
- Identity and contact details of the controller,
- Purpose of processing,
- If applicable, recipients or categories of recipients to whom personal data are disclosed.
If the personal data is transferred abroad, the data subject must also be informed of the state or international body and, if applicable, the guarantees for the protection of the personal data if this involves a transfer to an unsafe third country.
The entry into force of the revised Data Protection Act expands the list of data that are considered to be particularly worthy of protection and are therefore linked to qualified legal consequences (e.g. consent of the data subject, data protection impact assessment or disclosure to third parties).
The term “profiling” means the evaluation of certain characteristics of a natural person on the basis of personal data processed by automated means, in particular to analyse or predict work performance, economic circumstances, health, behaviour, preferences, location or mobility. This was an attempt to cover any evaluation of personal data using computer-assisted analysis techniques.
High-risk profiling is when personal data is processed automatically and a combination of data allows the assessment of “essential aspects of the personality” of the data subject. A more precise interpretation of the legal definition of “high-risk profiling” is still to come, as it will not be easy to distinguish it from normal profiling in practice.
If high-risk profiling is now carried out, the company must ensure that all processing principles are adhered to or that there is another justification, such as consent by the data subject.
In the case of decision-making based solely on automated processing which produces legal effects for the data subject, the controller must inform the data subject. In the case of such automated decision-making, the data subject also has the right to have this decision additionally reviewed by a natural person.
If companies are not already UK GDPR compliant, this point will probably be the biggest hurdle. As with the UK GDPR, all companies will have to maintain a directory of processing activities under the revised Data Protection Act.
We are happy to help with the creation of such a processing directory. We also take care of the identification of these processing procedures in your company or support the responsible persons in this task.
Here, the revised Data Protection Act has followed the EU GDPR very closely. Companies that are either based in Switzerland and operate in the UK, or based in the UK and operate in Switzerland, and that fulfil one of the following points need a data protection representative in the respective country.
- A data processing operation is related to the offering of goods (e.g. online shop) or services in Switzerland or to the monitoring of people’s behaviour in Switzerland.
- Data processing of personal data is extensive and takes place on a regular basis.
- Data processing is likely to result in a high risk to the privacy of the data subject.
In both cases, we provide a representative office in the relevant country and are thus the point of contact for data subjects and authorities.
Unlike the UK GDPR, the revised Data Protection Act only provides for criminal sanctions against natural persons, not against companies. The focus here is mainly on persons in management positions; however, sanctions against persons without a management function are not entirely excluded. If the effort to identify the person who committed the offence would be disproportionate, the company can also be ordered to pay the fine.
With the revised Data Protection Act, the Federal Council has followed the EU GDPR and made it the duty of the controller and of commissioned processors to ensure data security appropriate to the risk. A more precise definition of the "risk" or of the minimum requirements will certainly follow. The data security measures are to be documented by the company in a record of technical and organisational measures (TOM).
In the event of a data protection breach (e.g. loss of data or accidental sending of e-mails to the wrong addressee) that is likely to lead to a high risk to the personality or fundamental rights of the data subject, the FDPIC and, if necessary, the data subject must be notified immediately.
Conclusion on the revised Data Protection Act
There are many positive aspects to the amendment of the old DPA. On the one hand, it is now clearer which regulations companies must fulfil in order to comply with data protection law. On the other hand, it is also clear that the drafting of the bill is not fully mature and still needs to be reworked.
The responsibilities have changed, especially with regard to the decision on the appropriate level of data protection in third countries. The Federal Council is now responsible here and no longer the FDPIC.
It is still unclear exactly when the Federal Council will bring the revised Data Protection Act into force. Much more important is that no transitional periods are foreseen, so companies would do well to start dealing intensively with the implementation of the innovations in the revised Data Protection Act now.
Link to the current text of the law: https://www.fedlex.admin.ch/eli/fga/2020/1998/de (German)
Data protection representative office in Switzerland pursuant to Art. 14 revDSG
The revision of the DPA has created an additional obligation for companies that offer goods or services to persons in Switzerland or that carry out profiling of persons in Switzerland. These companies, regardless of whether they already have a data protection officer, must now appoint an additional representative in Switzerland in accordance with Art. 14 revDSG.
On the basis of this provision, dib global has established a representative office in Switzerland and can act as your company's representative in Switzerland. Please make an appointment with us; we will be happy to advise you on the subject.