The new Data Protection Act (DPA) of Switzerland has been passed in the Swiss Federal Parliament on the 25th of September 2020 and is expected to step in to force this year in the summer.
What will the new Swiss law on data protection bring and how will it apply with the GDPR?
More regulation?
One of the main changes with the new law is new obligations to maintain:
- Records of the processing activities of personal data;
- Reporting losses of data and other security breaches to the “FDPIC” – Federal Data Protection and Information Commissioner;
- “DPIA” – Data Protection Impact Assessments;
The above-mentioned was basically copied from the GDPR and will result in heavier loads of work for the companies in Switzerland who will have to adapt to these new changes.
However, the basics of data processing have not been changed all that much. Private companies in general, will not have to do many changes in the way they process personal data. The Swiss principle (legal grounds) by which the processing of personal data is permissible and justification remains the same.
This means the Swiss Data Processing act although is made to comply with GDPR, in a way it is still different.
When it comes to providing consent Swiss DPA is less restrictive than GDPR
Unlike GDPR, Swiss DPA does not oblige the Data Processor to inform the subjects about the possibility to withdraw their consent about the processing of their personal data. Also, a combination of multiple consents is possible according to the DPA. The reasons for justifying the activities of data processing, in general, have remained the same.
The new principle “Privacy by Design” which was explicitly included in the new Swiss DPA is not actually new, it has always existed in the Swiss data protection law. As a matter of fact, “Privacy by Default” is the single new provision in the new Swiss DPA which refers to cases where an online service provides, is obliged to provide settings for data protection as an integral part of the services.
New Swiss DPA does not require data protection officers (DPOs)
Even though the new Swiss law on data mentions “Data protection advisors” which basically are Data Protection Officers (DPOs), Swiss companies have no obligation to employ one, unlike EU states.
In reality, if larger companies wish to remain compliant and implement the new laws in a proper manner, they will have to appoint DPOs as this field requires a lot of expertise and knowledge of data protection regulations. Some large corporations have implemented whole new sectors to address this issue and to be able to comply and avoid being fined for failing to do so.
There is a restriction on the Right to information
The rights of the subjects under this new law have also been defined more clearly and a bit extended.
“The right to be forgotten” which comes from GDPR has already been implemented in the old DPA and will remain in the new one as well. Also, the principle for data processing to be allowed as long as necessary remains in force.
“The right to data portability” however, is quite a new concept introduced in the new Swiss DPA that entails the option for subjects to be able to request their personal data stored with providers of online or other services to be transferred.
Agreements for data processing
Companies will have to draft contracts with third parties who will have access to the personal data they possess of their employees, clients, subcontractors, and others.
Privacy policy declarations are now mandatory
With the new DPA, companies will be obliged to provide mandatory information on connection to the personal data they process. Such information mainly is provided on their websites which should appear when a person opens the link to the site. As an example, these policies will have to provide information of which data is collected from the subjects, legal grounds of collecting such data, the contact information of the Data protection officer (if appointed), exports of personal data, and reasons to do so.
The new DPA will bring more severe fines, but with the exception
Previously the FDPIC could only issue recommendations to data controllers and processors who did not comply with DPA. However, with the new DPA, this governing body will be able to issue direct orders, so instead of an advisory role, the FDPIC will have the role of an enforcement body.
Also, the new DPA provides fines for the controllers and processors who will fail in compliance up to CHF 250.000 which in comparison to the fine amounts provided under GDPR is insignificant. The body responsible for issuing fines is awarded to the Cantonal law enforcement authorities, who do not have expertise in data protection.
What should companies do to comply with the new regulation?
First, they need to revise their statements on data processing and protection and check if they comply with the new law, make the required changes or create new ones where they didn’t exist in the first place.
Next, they should identify their data processors, i.e. to whom they allow access to their own personal data, and bring contracts for data processing in place. Where these contracts already exist, they should be checked if they comply with the new regulation.
Hire Data protection advisors who have expertise in this field. Even though Swiss companies are not obliged by law to do so, this step can significantly make the complicated process of implementing the new law easier and faster.
Introducing their employees to the new regulations, especially those who will have access to personal data is probably the most important step to strengthening their data processing practices.
Finally, all companies should implement a process for identification, analysis, reporting, and handling of possible security breaches.