Today, 1 September 2023, the revised Data Protection Act (“revDPA”) and its implementing Ordinance (“revDPO”) entered into force, concluding a six-year-long legislative process. The revision responds to technological advancements, aligns Swiss data protection law with today’s international data protection standards, including the GDPR, and is intended to allow Switzerland to maintain its status as a country that adequately protects personal data from an EU perspective.
Key aspects of revDPA for the private sector:
No more protection of legal entities’ data: Under the revDPA, legal entities’ personal data is no longer protected (in line with main international data protection standards, including the GDPR).
Strengthened individual rights:
- Data subjects benefit from enhanced information rights. In particular, controllers must inform data subjects of personal data collection and provide certain minimum information (e.g., identity and contact details of controller, purpose of processing, categories of recipients, data exports, etc.), with limited exemptions.
- Data subjects have a right to data portability (i.e., a right to receive their own personal data in a commonly used electronic format, subject to certain prerequisites).
- In case of automated decision-making, affected data subjects can generally require that the automated decision be reviewed by a natural person.
Extended governance & documentation rules:
- Controllers and processors must keep records of processing activities (SMEs with fewer than 250 employees and low-risk processing activities – as defined in the revDPO – may benefit from an exemption).
- Controllers must perform a Data Protection Impact Assessment (“DPIA”) with respect to contemplated high-risk data processing activities and, in some cases, notify the Federal Data Protection and Information Commissioner (“FDPIC”).
- Data breaches must be notified (i) to the FDPIC when they are likely to create high risks for data subjects, and (ii) to the data subjects when necessary for their protection (or when the FDPIC so requests).
- Controllers domiciled abroad that offer goods and services in Switzerland or monitor the behavior of data subjects in Switzerland must appoint a representative in Switzerland, if they process data regularly and on a large scale and the processing entails high risks for the data subjects.
Expanded powers of the FDPIC: The FDPIC has the competence to issue binding administrative decisions (including requiring controllers or processors to modify, suspend or terminate their processing activities, or to delete or destroy personal data). Unlike its EU counterparts, the FDPIC (still) does not have the competence to issue fines.
Severe fines: Willful breaches of certain provisions of the revDPA are now sanctioned with a fine of up to CHF 250,000. Only cantonal law enforcement authorities (rather than the FDPIC) are competent to prosecute such breaches. In principle, fines are imposed on the responsible individual, not on the legal entity acting as controller or processor.
Key aspects of revDPO for the private sector:
Data security: Controllers and processors must determine the necessary level of protection and implement suitable technical and organizational measures (to be reviewed and adapted as required) following a risk-based approach, whereby they must consider (i) the types of data processed, (ii) the purpose, type, extent and circumstances of the processing, (iii) the risks to data subjects, (iv) the current state of the art and (v) implementation costs.
Processing Regulations and Data Logging: When processing sensitive data on a large scale or carrying out high-risk profiling, controllers and processors must (i) issue (and regularly update) processing regulations (with information on internal organization, data processing and control procedures and measures to ensure data security) and (ii) if preventive measures cannot ensure data protection, keep processing logs (and retain them for 1 year).
Sub-processing: The controller’s authorization of sub-processing (required pursuant to the revDPA) may be specific or general. In case of a general authorization, the processor must inform the controller of contemplated changes in its sub-processors and the controller may object thereto.
Data exports: The list of countries whose legislation provides adequate data protection for cross-border transfer purposes is now annexed to the revDPO (the FDPIC no longer determines this list but is consulted on it).
Next steps for the private sector:
Controllers and processors subject to the revDPA (and revDPO) should, in particular:
- Regularly review and keep records of processing activities up to date, as they are key to understanding and complying with all data protection-related duties;
- Regularly review and keep privacy notices and policies up to date, as they are the most effective means of complying with the extended information duties;
- Ensure all appropriate data protection clauses and/or data processing agreements are implemented in all new customer/supplier relationships;
- Regularly review and update the processes to address data subjects’ requests, to carry out DPIAs (if required) and to respond to (and promptly notify) data breaches;
- Continuously train all personnel on data protection-related matters.