Switzerland has fundamentally revised its data protection law. The new Swiss Federal Data Protection Act (DPA) will adapt to the General Data Protection Regulation (GDPR), primarily with the aim of again obtaining a positive adequacy decision from the EU Commission. We highlight what companies must pay attention to if they process personal data in Switzerland, offer products or services in Switzerland or cooperate with Swiss companies.
Update 31 August 2022: The Swiss Federal Council has announced that the DPA, as well as the new Data Protection Ordinance (nDPO) and the new Ordinance on Data Protection Certifications (nODPC), will enter into force on 1 September 2023.
Relevance of the new Swiss data protection law
The current version of the Swiss Federal Data Protection Act dates back to 1993. The introduction of the General Data Protection Regulation in the surrounding EU/EEA states in particular forced Switzerland to revise its national data protection law. The equivalence of the current Swiss law with the corresponding EU regulation is no longer a given.
The EU Commission’s adequacy decision from 2000 is thus on the line. For European companies operating in Switzerland, a lack of recognition by the EU could become a major problem, as Switzerland would then be classified as a third country. Without an existing adequacy decision, data traffic between Switzerland and the EU/EEA would have to be secured with “appropriate safeguards” on a case-by-case basis, in particular with standard contractual clauses (Art. 46 GDPR).
It is therefore not surprising that the current version of the DPA has been comprehensively revised with the aim of taking into account technological developments and EU requirements. The new draft was adopted by the Swiss Parliament on 25 September 2020. The Swiss Federal Council (Bundesrat) will decide on its entry into force after the 100-day referendum period has expired.
The most important regulations of the new Swiss data protection law
Scope
The scope of application is expanded under the new DPA and now also extends to data processing that has an effect in Switzerland although it was initiated abroad.
No more protection for legal persons
Only natural persons are now subject to the protection of the new DPA. This is in line with the provisions of the GDPR and most national data protection laws of the EU member states.
Extension of the information obligations for responsible persons
The duty to inform has now been extended to the processing of any personal data. Previously, the obligation only existed for the processing of data requiring special protection and the creation of personality profiles. The new information obligations in the DPA are comparable to the obligations in Art. 13 and 14 of the GDPR.
Automated decision making and profiling
In principle, the controller must inform the data subject if a decision is based solely on automated processing and if it produces legal effects for the data subject. In addition, the data subject may request that the automated individual decision be reviewed by a natural person.
Consent for the processing of personal data is still not required in principle for profiling. However, the new DPA introduces the term “high-risk profiling”. This refers to the type of profiling that involves the linking of data that allows an assessment of essential aspects of the personality of a natural person. For this type of profiling, the explicit consent of the data subject must be obtained.
Data subjects' rights
The new DPA gives data subjects the possibility to obtain any information they need. Accordingly, the information is no longer limited to conclusively defined minimum information. With the right to data portability, data subjects are also given a new right and can demand that the controller hand over their personal data or transfer it to another controller in machine-readable form free of charge.
Documentation of each data processing
The new DPA requires data controllers and processors to document every data processing operation. This obligation is equivalent to keeping a register of all processing activities in the GDPR. However, the previous obligation to register with the Federal Data Protection and Information Commissioner (Eidgenössischen Datenschutz- und Öffentlichkeitsbeauftragten (EDÖB)) no longer applies (until now, the owner of data collections had to register their collections with the FDPIC). The new DPA contains a list of the information that this register must contain.
Data processing
The new DPA replaces the term “third party” with “processor”, which corresponds to the function of a processor in the GDPR. It is still possible to outsource the processing of personal data to a processor, provided that the data is processed only in the way the controller itself would be allowed to process it and the transfer to the processor is not prevented by a legal or contractual obligation of secrecy.
A contract for data processing is still not mandatory, but the controller must ensure in advance that the data processor is able to guarantee data security. What is new is that the processor must obtain the consent of the controller before using a sub-processor.
Data Protection Impact Assessment (DPIA)
Following the GDPR, the controller must carry out a DPIA before processing personal data if the processing is likely to result in a high risk for the data subject. The requirements as to when and how such a DPIA must be carried out are largely similar to those of the GDPR.
Privacy by Design and Privacy by Default
As in the GDPR, the concepts of Privacy by Design and Privacy by Default are anchored in the new DPA. Accordingly, the controller must not only design its data processing in such a way that the data protection regulations and the principles of data processing are complied with, but must also ensure, by means of suitable technical default settings, that the processing of personal data is reduced to a minimum.
Data security
Under the new DPA, data controllers and processors are obliged to ensure data security appropriate to the risk by taking appropriate technical and organisational measures (TOM). The concept of risk is newly introduced, reflecting the concept in the GDPR.
It is expected that the Swiss Federal Council will issue provisions on the minimum data security requirements.
Data protection incident reporting
Under the new DPA, as under the GDPR, data breaches will have to be reported. However, the approach differs from that of the GDPR: in Switzerland, only incidents that pose a high risk to the data subject must be reported to the Federal Data Protection and Information Commissioner (FDPIC). The deciding factor here is, among other things, the extent of the risk to the data subject.
There is no time limit for reporting, but a reportable incident must be reported “as soon as possible” after it comes to light. Even under the new DPA, the processor is not subject to the reporting obligation, but must inform the controller of the incident as soon as possible.
Representative in Switzerland
Controllers who are not established in Switzerland, but who process personal data of data subjects who are in Switzerland, must appoint a representative in Switzerland if one of the following three situations applies:
- The processing is related to the offering of goods or services in Switzerland or to the monitoring of the behaviour of people in Switzerland.
- The processing of personal data is extensive and takes place on a regular basis.
- The processing is likely to result in a high risk to the privacy of the data subject.
The new obligation is comparable to the obligation to appoint an EU representative under the GDPR, and the representative likewise serves as a contact point for data subjects and the Swiss supervisory authority. The controller must publish the name and address of the representative.
Role of the FDPIC
The FDPIC, the Swiss data protection authority, has more tasks and competences under the new DPA. Accordingly, it can not only recommend measures, but under the new DPA it also has administrative measures at its disposal, e.g. ordering a suspension of the transfer of data to a recipient in a third country. Compared to data protection authorities in the EU/EEA, however, the FDPIC cannot impose fines.
Higher sanctions
The penal provisions have been strengthened immensely, although they are hardly comparable to the fines possible under the GDPR. The responsibility lies with the cantonal public prosecutors’ offices. The focus is on private individuals (not companies as under the GDPR).
Accordingly, natural persons can be punished with fines of up to 250,000 Swiss francs if they violate the duties to inform or provide information or breach their duties of due diligence, e.g. transfer data abroad without complying with the legal requirements. Persons who deliberately refuse to cooperate with the FDPIC in the course of an investigation are also liable to be prosecuted.
Failure to comply with orders issued by the FDPIC or an appellate body may result in fines of up to 250,000 Swiss francs.
However, violations of central obligations newly anchored in the law, such as keeping a register of processing activities or reporting data protection violations, are not listed in the catalogue of fines.
The most important findings from the new Swiss Data Protection Act
The amendments of the new DPA bring Swiss data protection law closer to the GDPR. The most important innovations are the increased transparency (information on data processing) and the strengthening of the rights of data subjects. However, the strengthening of the data protection authority and the expansion of the penal provisions are also among the central aspects of the revision.
In connection with cross-border data transfers, existing regulations remain largely unaffected. The Swiss Federal Council (and no longer the FDPIC as under the old DPA) decides whether a jurisdiction offers an adequate level of data protection or not. Cross-border transfers to any jurisdiction with a positive adequacy decision are then permitted.
With regard to data transfers to the U.S., the situation is similar to that in the EU. After the FDPIC denied the Swiss-U.S. Privacy Shield regime recognition as a basis for adequate data protection for data transfers from Switzerland to the U.S., data processing must be placed on a new basis. The EU Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) can be used for this purpose.
Recommendations for action for companies in and outside Switzerland
Controllers and processors established in Switzerland or those involved in data transfers to and from Switzerland should implement the following measures:
- Carry out an inventory of your data processing in order to subsequently determine the need for action under data protection law within the framework of a gap analysis.
- Ensure that those affected are adequately informed.
- Establish processes for responding to requests from data subjects.
- Ensure that you can respond to data protection incidents and that a reporting process is in place.
- Create and maintain an up-to-date register of processing activities.
- Review any data processing by processors.
- Assess whether a representative in Switzerland is necessary.
Companies that have already introduced data protection management in accordance with the requirements of the GDPR will have less need for action than companies that have not yet taken such measures.