It is fair to say that for the most part, the new Federal Data Protection Act (nDPA) does not go beyond the requirements of the European Union (EU) General Data Protection Regulation (GDPR), but the devil lies in the detail. The examples set out below illustrate where the nDPA and the GDPR differ.
General principle: The major difference between the nDPA and the GDPR lies in their approach. Under the GDPR, processing of personal data is unlawful unless there is a legal ground for it (Article 6 GDPR). Under the nDPA, processing does not need to rest on such a legal ground; it is lawful provided it complies with the processing principles stipulated in the law. Only where this is not possible is the controller required to identify a justification ground for the processing (Article 31 nDPA), and these grounds are largely comparable with those listed in Article 6 GDPR. In practice, this arguably more pragmatic approach is less burdensome for data controllers.
Scope of application: Although the GDPR has a very broad extraterritorial scope, the nDPA's is broader, as it applies to all processing of personal data that has "an effect in Switzerland", even if the processing takes place outside Switzerland – for example, the processing of personal data of Swiss citizens by an entity located in the US. It should also be noted that processing of personal data as part of Swiss court and arbitration proceedings is not subject to the nDPA, as this is governed by the applicable Swiss procedural rules. This demonstrates once more the pragmatic approach the Swiss legislature has taken with regard to data protection.
Sensitive data: Unlike under the GDPR, the nDPA's definition of sensitive personal data includes data on administrative and criminal proceedings and on social security measures, e.g. any measures taken by an authority for the protection of children and adults or by a social security authority. This could be of importance where the salary of an employee is partially paid by invalidity insurance and the employer collects data on this arrangement. The nDPA also uses the term "data on the intimate sphere", which is arguably broader than its GDPR equivalent, i.e. data concerning "a natural person's sex life or sexual orientation."
Personal data on children: The GDPR provides specific rules on the processing of children's data, namely in the context of offering them information society services. The nDPA has no directly comparable provision, so the more general requirements of Swiss law on consent and legal age must be checked instead.
Right of access: Under both laws, any person may request information from the data controller as to whether personal data concerning him or her is being processed (the right of access). Under the GDPR, however, the data controller must, in response to an access request, also provide additional transparency information; no equivalent obligation exists under the nDPA. Further, under the nDPA a controller may only restrict, refuse or defer access to personal data if it has not previously disclosed the relevant personal data to a third party. As such, to the extent a company has already disclosed the personal data to, e.g., an authority such as Swissmedic, the company cannot rely on this exemption to avoid complying with an access request.
Professional Confidentiality Obligation (Article 62 nDPA): The nDPA imposes specific criminal sanctions on professionals who willfully disclose confidential personal data of which they have gained knowledge in the course of their profession. Whereas Article 321a (4) of the Swiss Code of Obligations obliges employees not to disclose the employer's manufacturing or trade secrets, Article 62 nDPA protects the personal data of customers. The provision is comparable with Article 321 of the Swiss Criminal Code, which sanctions the violation of professional secrecy, but it applies to any professional who processes personal data as part of their professional activity and not only to professionals bound by a professional secret, such as attorneys or doctors. This provision is extremely broad and is something that would be addressed at national level under the GDPR.
Criminal sanctions: The nDPA differs from the GDPR in providing for criminal rather than administrative sanctions. Criminal sanctions are imposed on the liable private individual (for example, the employee) and not on the legal entity, and they are enforced by the cantonal prosecution authorities rather than the Federal Data Protection and Information Commissioner (FDPIC). By not vesting the FDPIC with the power to issue administrative sanctions against the data controller concerned, e.g. the company, the Swiss legislator has chosen a more complicated system that involves more authorities and parties in the process.
Outsourcing: The GDPR goes further in setting out the content of controller-processor (or processor-processor) agreements in detail and requires that these agreements be in writing. The nDPA imposes no form requirement on these so-called outsourcing agreements and fewer requirements on their content. On the other hand, under the nDPA the outsourcing of processing activities must not be prohibited by contractual or statutory confidentiality obligations. For example, where a particular professional is bound by professional secrecy, this could prevent the outsourcing of certain processing activities. Whether this exception applies must be analyzed on a case-by-case basis.
Data protection officer: Unlike under the GDPR, the appointment of a data protection officer remains optional for private controllers.
WHAT ACTION SHOULD COMPANIES TAKE?
The Federal Council has not yet set a date for the entry into force of the nDPA, as this depends on how quickly it can issue the ordinance to the nDPA (which regulates certain provisions in more detail); it is expected that the nDPA will apply from the beginning of 2022. Experience with the GDPR has shown that implementing the new obligations under the nDPA will take time and resources. Companies are therefore well advised to consider the following actions: