The entry into force of the revised Data Protection Act (revDSG) on September 1, 2023, will result in new requirements for Swiss companies and their data protection measures. The updated DPA has been adapted in particular to technical progress and is intended to improve the protection of personal data in the future. The new law strengthens self-determination and increases transparency in the procurement of personal data. The revised law tightens the regulations for companies and forces them to adapt their existing data protection guidelines and concepts. We have summarized the most important changes here.
The revised DPA only applies to data of natural persons; legal entities are no longer protected by the DPA. Swiss companies and international organizations that process the personal data of Swiss residents and conduct cross-border transactions must apply the revised DPA. In this respect, the scope of application of the revised DPA is the same as that of the GDPR, which also focuses only on the protection of the privacy of natural persons with respect to their personal data.

Data protection officer
Private companies have the option of appointing a data protection officer, who can either be an employee or an external party to the company. Unlike the European General Data Protection Regulation, private companies are not legally required to appoint advisors, and only federal agencies are required to do so. The data protection officer must provide independent advice on data protection issues and avoid any influence from other company activities. It is recommended that privacy advice be kept separate from other legal advice and representation. In situations where disagreements arise, the data protection officer should have the opportunity to raise his or her concerns with company management.
The revised DPA also extends the obligation to provide information. Data subjects must now be informed in advance whenever personal data is collected. The old law provided for a duty to inform only if particularly sensitive personal data was collected. At a minimum, the identity and contact details of the controller, the purpose of the processing, and the categories of recipients must be provided. If data flows abroad, this fact must be communicated as well, together with the other information required by this data protection regulation.
An important change concerns the list of so-called sensitive data, which in the future will include genetic and biometric data. Genetic data, which can be obtained from biological samples, provide information about a person’s genetic characteristics, such as their health. Examples include DNA analysis and similar tests. Biometric data enable people to be uniquely identified. Examples include facial images or fingerprints.
The term profiling, i.e. the automated evaluation of personal data, was also newly included in the law. If unique characteristics of a person can be identified in a profile, this is high-risk profiling. The express consent of the data subject must always be obtained in advance for this.
As far as documentation requirements are concerned, a comprehensive register of processing activities is now also mandatory, with the exception of small and medium-sized enterprises with fewer than 250 employees. Another exception applies to companies whose data processing poses a low risk of personal data breaches. The register is an inventory of all data processing activities, which contributes to transparency and helps determine whether data processing was lawful. The nature and scope of the personal data processed and their recipients must also be indicated.
Another important addition is the data protection impact assessment. This becomes relevant as soon as there is a high risk to the personality or fundamental rights of the data subjects. A data protection impact assessment involves an evaluation of the potential damage that could result from a lack of data security. The aim is to provide those processes that are at high risk with additional protective measures to reduce the potential damage.
The new DPA encourages professional, trade, and business associations to formulate their own codes of conduct and submit them to the Federal Data Protection and Information Commissioner (FDPIC) for review. The opinions of the FDPIC on these codes are then published and may include objections or recommendations for amendments or clarifications. Organizations that receive a favorable opinion from the FDPIC may assume that the conduct set forth in their code complies with data protection law. However, codes that are too general do not absolve organizations from any risks that are not described in detail. By adhering to a code of conduct, association members can avoid developing their own assistance and guidelines for compliance with the new DPA. Such self-regulation has the advantage that data controllers do not have to conduct their own data protection impact assessment if they adhere to a code of conduct that is based on a previous data protection impact assessment, remains valid, contains measures to protect privacy and fundamental rights, and has been approved by the FDPIC.
The new DPA now permits certification not only of management systems and products but also of services and processes. This certification serves as proof to companies that they comply with the privacy-by-default principle and have an appropriate data protection management system in place. By using a certified system, product, or service, data controllers are exempted from having to prepare a data protection impact assessment. The Federal Council has introduced additional regulations on the certification process and seals of approval with an ordinance known as the Data Protection Certification Ordinance.
Another important innovation is the right to request information about the personal data processed. The new amendment contains a minimum list of information that the data controller must provide, e.g. how long the personal data is stored. In general, data subjects must receive the information as transparently and comprehensively as possible in order to exercise their rights. As before, the data controller has the right to refuse, restrict or withhold information in certain circumstances. This may be the case, for example, if the request is manifestly unfounded and excessive. However, the reasons for a refusal must then also be communicated.
Data subjects now have the right to request their personal data from a private controller in a commonly used and machine-readable format, or to have it transferred to a third party. This right applies where the controller processes the data by automated means and does so either with the consent of the data subject or in direct connection with a contract. It is free of charge unless disclosure or transfer requires a disproportionate effort or cost. An example of this could be communications data where triage is required to separate the data subject’s statements from those of third parties, which can be time-consuming.
A further new requirement is immediate notification to the Federal Data Protection and Information Commissioner (FDPIC) in the event of a data breach. The notification requirement applies to any data breach and covers not only notification of the Data Protection Commissioner but also of the affected individuals whose data is no longer secure. Data subjects, however, must only be notified if their personal or fundamental rights are affected as a result of the data breach.

Expansion of preventive protection requirements
Of particular relevance to companies operating abroad is another article in the revised FADP, which provides that data may only be disclosed abroad if the Federal Council confirms that the legislation of the foreign state ensures adequate protection. The previous list published by the FDPIC is publicly available on the FDPIC’s website. If the destination country is not on the Federal Council’s list, the data may be transferred there as under previous law, provided that adequate protection is guaranteed by other means. Examples of such means are international treaties, data protection clauses notified to the FDPIC, or binding corporate rules. Standard contractual clauses approved by the European Commission under GDPR are also recognized by the FDPIC.
The DPA goes further than the GDPR by requiring that data subjects be informed about the countries involved in the cross-border transfer of personal data, including storage on foreign systems (cloud), regardless of whether they provide adequate data protection. In addition, the disclosure must indicate which data protection guarantees (e.g., EU standard contractual clauses) or exemptions, if any, the controller makes use of. Here, too, the revDSG goes a step further than the EU General Data Protection Regulation.
In addition, the principles of privacy by design and privacy by default apply, requiring developers to build privacy into the structure of products and services from the outset. The principle of “privacy by design” ensures that the highest level of security is already in place when a product or service is launched. Software, hardware, and services must therefore be configured to protect data and safeguard user privacy.
Finally, the revised Data Protection Act provides for the adjustment of fines for natural persons responsible for processing activities. Specifically, this involves fines of up to 250,000 Swiss francs per violation if the duties to provide information and disclosure, as well as certain duties of care, are intentionally violated. The cantonal prosecution authorities are responsible for enforcing the criminal sanctions. Civil actions for removal, injunction, or damages are also possible.
In addition to the adjustments already known as of September 1, 2023, it is foreseeable that the DPA will continue to converge with the General Data Protection Regulation in the future, on the one hand to strengthen the rights of Swiss citizens and on the other hand to simplify economic exchange with the EU. In order to meet the medium- and long-term requirements, it makes sense to team up with a strong digital data protection partner. Such a partner knows how to implement and digitize the processes resulting from the new law, but also creates awareness of future regulatory changes and gives you the chance to complete corresponding projects early and in a legally secure manner.