
New Data Protection Act (revDPA) in Switzerland


What is new?


As of 01.09.2023, the fundamentally revised data protection law will apply in Switzerland. The following information is not intended as legal advice. Below you will find an overview of the most important changes around the new data protection law (nDPA or revDPA) in Switzerland - simple and compact. Implement the changes directly, avoid fines and take this opportunity to take a look at the data quality of your customer data.

Who does the new Data Protection Act (revDPA) affect?


The new Data Protection Act (revDPA) initially affects all companies based in Switzerland. However, it also applies to foreign companies that operate in Switzerland or whose data processing has an impact on Switzerland. In Swiss data protection law, the market location principle will apply from September (Art. 3 (1) revDPA). This means that Swiss law is also applicable to matters that have an impact in Switzerland, even if they were initiated abroad. Thus, the domicile of the company is not relevant. For Swiss data protection law to apply, it is sufficient if, for example, goods or services are offered to customers in Switzerland.

The new Swiss law is modelled on the European General Data Protection Regulation (GDPR). It can therefore be assumed that the need for action is greater if your processing is not yet GDPR-compliant.


The most important changes at a glance

Scope and extent:


The revDPA is limited to the data protection of natural persons, comparable to the GDPR of the European Union. Previously, data protection law in Switzerland also covered legal entities. In addition, genetic and biometric data are particularly sensitive data and are considered to be worthy of special protection.

Privacy Impact Assessment


With the revDPA, companies are also required to conduct a documented data protection impact assessment if the data processing entails a high risk to the personality or fundamental rights of the data subjects.

Improved transparency:


The information obligations of companies are significantly more extensive than before. Under the new law, individuals must be adequately informed about any collection of their data, even if the data is not obtained from the data subjects themselves. Previously, this applied only to data requiring special protection. In the interests of transparency, the person responsible for the data processing, the purpose of the processing, the recipients and, in the case of data export abroad, the recipient country must be named.

Profiling:


The revDPA does not provide for a general obligation to obtain consent. However, consent must be obtained if automated data processing takes place that enables an assessment of essential aspects of the personality of a natural person (Art. 5 (g) revDPA). This is the case when data relating to personal aspects of a person is evaluated, such as health, behavior, interests, location, etc. Such processing constitutes high-risk profiling.

Quick notification to the FDPIC:


Also new and comparable to the GDPR is the obligation to report breaches of data security. The FDPIC must be notified as soon as possible if data has been accidentally or unlawfully lost, destroyed, deleted or altered, or if personal data has been made accessible to unauthorized persons and this is likely to result in a high risk for the data subjects. As a rule, the controller must also inform the data subjects if the FDPIC so requires or if it is necessary for the protection of the data subjects.

Privacy by Design and Privacy by Default
(Data protection through technology and data protection-friendly default settings):


Data protection must be taken into account as early as the planning and design stages. For example, user consent for any data processing that goes beyond what is absolutely necessary must be obtained explicitly. Default settings that pre-select such consent on the user's behalf are not permitted.

What else do I need to consider in order to comply with the data protection provisions of the revDPA?


In the future, a directory must be kept on the processing of personal data in the company. All companies with their registered office in Switzerland and/or companies involved in data transfers to or from Switzerland must keep such a register. It must document which personal data is collected, how it is collected and for what purpose.

Personal data is defined as "all information relating to an identified or identifiable natural person" (Art. 5 let. a revDPA). A risk assessment can be used to check the requirements for data protection compliance. The necessary steps can then be identified as part of a gap analysis.

Comparable to the GDPR is also the requirement that a corresponding contract must be concluded with each third-party provider. As with the GDPR, there is a standardized order processing agreement (OPA) or a data processing agreement (DPA) for this purpose.


Bottom line:


Without a uniform view of the data, it is fundamentally difficult for companies to meet the requirements of the revDPA. This applies in particular to transparency and the associated reporting to the FDPIC: if the relevant data must first be painstakingly compiled from many places, there is always the risk that something is missed. This leaves a residual risk of violating the requirements, with financial and reputational consequences. It is therefore essential that customer data is of high quality, up to date and free of duplicates. In addition, customer master data often exists in different systems and/or is held in silos. A Golden Profile can then provide a true 360-degree view of the customer. This ultimately creates the necessary legal certainty with regard to national and international data protection.
