In Switzerland, a new data protection law will come into force on September 1, 2023. This is primarily intended to adapt the data protection conditions in Switzerland to the GDPR.
You can find out everything you need to know about the legal changes here.
Why a new Swiss data protection law?
Strictly speaking, there are three sets of regulations that Switzerland has drawn up: the new Swiss Federal Data Protection Act (FADP), the new Data Protection Ordinance (DPA) and the new Data Protection Certification Ordinance (DPC). All three will come into force on September 1, 2023.
The currently applicable version of the Swiss Federal Data Protection Act dates back to 1993 and no longer offers equivalence with the GDPR applicable in the EU. The EU Commission's adequacy decision from 2000 is therefore beginning to falter. If this situation continued to worsen, Switzerland could come to be treated as a third country within the meaning of the GDPR, which would cause economic problems for Switzerland: safeguards would then have to be put in place for every data transfer, for example via standard contractual clauses (Art. 46 GDPR).
Switzerland is now responding to the pressure that has built up since the introduction of the GDPR and is aligning its own data protection law with the GDPR.
What does the new Swiss data protection law regulate?
Here you will find an overview of the most important provisions of the new Swiss Data Protection Act:
The material scope of the FADP is expanded. It covers all data processing that has an effect in Switzerland, even if it is initiated abroad.
In terms of personal scope, only natural persons are protected; legal entities are not.
Extended information requirements for controllers
The information requirements for data controllers in the FADP are also expanded. They now apply to the processing of any personal data and are comparable to Art. 13 and 14 GDPR.
Data subject rights
The new FADP stipulates that data subjects have the right to comprehensive information, to data portability and to have their data handed over. All of these rights must be exercisable free of charge.
The principles of privacy by design and privacy by default are found in the new FADP in the same form as in the GDPR.
Under the new FADP, data controllers and processors are required to keep a record of all their data processing activities. However, data collections no longer have to be registered. The new FADP lists the information that the record must contain.
Automated decision making and profiling
If a controller uses automated decision-making, it must inform the data subject about this. The data subject may request that this decision be reviewed by a human being.
Furthermore, profiling generally does not require consent, unless it constitutes so-called "high-risk profiling", i.e. profiling that links data in a way that enables an assessment of a person's personality.
The new FADP introduces the term "commissioned processor", which corresponds to the "processor" in the GDPR. Processing may be handed over to such a processor only if the processor carries it out in the same way the controller itself would have been permitted to. In addition, no commissioned processing may take place where a confidentiality obligation stands in the way. The controller must ensure that the processor meets the relevant requirements. If the processor in turn wishes to pass on the processing to a sub-processor, it must obtain the controller's consent.
Data protection impact assessment
The new FADP introduces a data protection impact assessment that largely corresponds to the one in the GDPR.
The new FADP also requires controllers and processors to implement appropriate technical and organisational measures (TOMs) to ensure data security. Like the GDPR, the new FADP takes a risk-based approach here. The Federal Council is to specify the minimum requirements in more detailed provisions.
Data breaches must also be reported, as under the GDPR, although only those that pose a high risk to the data subjects. The processor must report such incidents to the controller, and the controller in turn reports them to the Federal Data Protection and Information Commissioner (FDPIC).
Representative for foreign processors
Controllers that process data in Switzerland but are not established there must appoint a representative in Switzerland in three cases: where they offer goods and services in Switzerland or monitor the behaviour of people in Switzerland, where the processing is extensive and regular, or where the processing poses a high risk to the privacy of data subjects. The rule is thus similar to that of the EU representative under the GDPR.
Data protection authorities and sanctions
The new FADP gives the Swiss data protection authority (FDPIC) expanded tasks and competencies. It thus resembles the European data protection authorities, but cannot impose fines itself.
Possible sanctions are significantly higher in the new FADP than the fines of the GDPR. The cantonal public prosecutor's offices are responsible for prosecution. The sanctions target private individuals rather than companies, unlike under the GDPR. However, not every breach of duty appears in the catalogue of offences subject to a fine.
What do we need to consider now?
Swiss data protection law is now coming very close to the GDPR.
Data controllers with a connection to Switzerland should take stock of their data processing operations in order to identify any need for action: appropriate processes must be defined, notification procedures for data breaches set up, a record of processing activities created, processors reviewed and, if necessary, a representative in Switzerland appointed.
Do you need support on the subject of data protection and data security? Our team of experts will be happy to help you. Contact us here.