The Swiss Parliament approved the new Federal Data Protection Act (nDPA) in fall 2020 (see "The Swiss Parliament Agrees on the Draft Bill of a New Data Protection Act"). The Federal Office of Justice recently communicated that the new law will enter into force on September 1, 2023.
While some stakeholders have voiced disappointment that the date was pushed back further, there is also a positive note to the delay. The nDPA does not provide for a statutory transition period, which means that organizations subject to the nDPA have just over one year to implement the revised law. Experience from the General Data Protection Regulation (GDPR) has shown that the implementation process is time-consuming, and companies should take advantage of the informal transition period and start the process now.
In addition, given the harsh criticism the draft Ordinance to the Data Protection Act (nDPAO) has elicited, hopes are high that the additional time will allow the Federal Council to put significant effort toward drafting a final version of the nDPAO that takes these comments into consideration.
Our company is already GDPR compliant; is there anything left to do?
Companies that are already compliant with the GDPR will certainly have an advantage, as the nDPA adopts many of the principles and obligations known under the GDPR. For further information, we refer to our recent publication (Part 2: Revised to Match the EU General Data Protection Regulation — or Almost). Such companies can build on the work done for compliance with the GDPR, start reviewing their existing GDPR documentation, and adapt it to Swiss law where necessary. In addition, where the GDPR goes beyond Swiss data protection law, companies will have to decide whether they want to follow the stricter GDPR approach throughout or whether they want to adopt the more pragmatic and softer approach provided under Swiss law for their entities that are subject only to the nDPA.
Our company is not GDPR compliant. What now?
For companies not yet compliant with the GDPR, we suggest the following approach:
It’s a lot. Where should we start?
In terms of priority, we recommend focusing on the obligations that are subject to criminal sanctions under the nDPA. Hence, a company should start by implementing the following:
We are an organization outside Switzerland. Why should we care?
The nDPA has a far-reaching scope of application: it applies to all processing of personal data that has an effect in Switzerland, even if it occurred abroad. One example is the processing of personal data of Swiss citizens by an entity with its seat abroad. Hence, a company that has Swiss employees or conducts clinical trials with Swiss study subjects is likely subject to the nDPA and may even need to appoint a representative in Switzerland.