New Swiss Data Protection Act - The Most Important Changes For Companies

Law Firm: FABIAN PRIVACY LEGAL GmbH
Subject Matter: Corporate/Commercial Law, Privacy, Corporate and Company Law, Data Protection, Privacy Protection
Author: Ms Daniela Fabian
Published date: 13 March 2023

Introduction

The Swiss Parliament passed the revised Data Protection Act (nFADP) on 25 September 2020.[2] The nFADP as well as the new Data Protection Ordinance (DPO) and the new Ordinance on Data Protection Certification (DPCO) will enter into force on 1 September 2023.

The aim of the revision was, on the one hand, to strengthen data protection by improving the transparency of data processing and the control options of data subjects over their data and, at the same time, to increase the sense of responsibility of those responsible.[3] Another important goal was to maintain Switzerland's competitiveness and to enable Switzerland to ratify the Council of Europe's revised data protection convention ETS 108, to align with the EU's General Data Protection Regulation (GDPR) and thus to continue to be recognized as a third country with an adequate level of data protection.

At a Glance

  • The basic concept of "permission of data processing subject to prohibition" (i.e. prohibition if the data processing leads to an "unlawful violation of the personality of a person") remains unchanged. Consent to the processing of personal data is still generally not required, even for profiling and the processing of sensitive personal data. The principles of data processing also remain largely unchanged.
  • Legal entities are no longer protected; only natural persons are protected under the nFADP.
  • The scope of the nFADP covers actions that have an effect in Switzerland, even if they are initiated abroad.
  • The definitions of "controller of the data file", "personality profile" and "data file" have been deleted; the definitions of "profiling", "high-risk profiling" and "data security breach" have been introduced. Genetic and biometric data as well as data on ethnic origin, are considered to be sensitive personal data under the nFADP.
  • The concepts of "privacy by design" and "privacy by default" are now enshrined in the law as is already the case in the EU General Data Protection Regulation (GDPR).
  • Data security is the responsibility of the controller as well as the processor. A risk-based approach is introduced.
  • Data processing by processors remains largely unchanged. Under the nFADP, the processor may only assign the processing to a sub-processor with prior authorisation by the controller.
  • The appointment of a data protection advisor remains voluntary. It can be an advantage when it comes to performing a data protection impact assessment.
  • Under the nFADP, both the controller and the processor must keep an inventory of their processing activities. This inventory does not have to be declared to the Federal Data Protection and Information Commissioner (FDPIC) (up to now, the controller generally needed to declare data files to the FDPIC).
  • Companies based outside Switzerland that process personal data of persons in Switzerland will have to designate a representative in Switzerland.
  • The requirements for cross-border disclosure of personal data remain largely unchanged. Under the nFADP, the Federal Council bindingly determines whether the legislation of a state or an international body guarantees an adequate level of protection.
  • The duty of information has been extended to the collection of all kinds of personal data (until now it was only applicable to the collection of sensitive personal data and personality profiles) and also includes automated individual decision-making.
  • Under the nFADP, the controller must carry out a data protection impact assessment if the intended data processing may lead to a high risk for the data subject.
  • In the future, the controller must notify the FDPIC of data security breaches.
  • Under the nFADP, data subjects have the right to data portability.
  • The powers of the FDPIC are extended. In the future, the FDPIC can order a number of administrative measures.
  • The criminal provisions have been significantly tightened, with fines of up to 250 000 Swiss francs for private persons (i.e. not companies!), but only for violations in certain areas, in particular for the breach of obligations to provide access and information and to cooperate, for the violation of duties of diligence with respect to the requirements for cross-border disclosure of personal data, the appointment of a processor and for failure to comply with the minimum data security requirements. Fines are only applicable to violations that result from a wilful act and are, in most cases, only imposed upon the filing of a complaint.

The most significant changes

1. Purpose and scope[4]

The nFADP aims to protect personal privacy and the fundamental rights of natural persons whose personal data is processed. Under the current law, legal entities are also protected. By cancelling the protection of legal entities, the nFADP aligns with the GDPR, which also protects only natural persons.

The nFADP also regulates the territorial scope. According to art. 3, the law applies to actions that have an effect in Switzerland, even if they are initiated abroad.

2. Definitions[5]

Various definitions are now aligned with the GDPR.

The term "personal data" is limited to all information that relates to an identified or identifiable natural person. In the future, only natural persons about whom personal data is processed will be considered "data subjects".

Concerning identifiability, the "relative approach" is maintained. According to the Federal Council Dispatch on the Federal Act on the complete revision of the Federal Act on Data Protection and the modification of other federal enactments[6], the mere theoretical possibility to identify a person is, as under current law, not sufficient to presume that a person is identifiable. The Federal Council already stipulated in its Dispatch to the FADP of 1988[7] that no identifiability is given if "the effort necessary to identify a data subject is so great that, according to general life experience, it cannot be expected that any interested person should undertake such effort". "It must rather be considered what means can be reasonably employed to identify a person and be determined whether the employment of such means is reasonable under the given circumstances, for instance in terms of time and cost. In doing so, the technologies available at the time of processing and their further development must be taken into account. The law does not apply to anonymised data, if a re-identification...
