After three years of discussions, the Swiss parliament has agreed on the final draft bill of a new and modernized Swiss Data Protection Act (nDPA).
The Swiss government entered the legislative process with two main objectives: to enhance the level of protection of personal data provided in the current Swiss Data Protection Act (DPA) (largely, to align with the EU General Data Protection Regulation (GDPR)) and to ensure that there is an “adequate” level of data protection to allow for the continued flow of personal data from the European Economic Area (EEA) to Switzerland. The outcome is a modernized version of the existing DPA responding better to the needs of a digitalized world but without changing the law at its core.
Although the Swiss government has not formally set a date, it is expected that the nDPA (and the corresponding ordinance, which is still in the drafting process) will enter into force at the beginning of 2022. As the revised law does not in general provide for a grace period, businesses will have to comply with the new law at its entry into force. Hence, it is now a good time to start the process and make your business fit for the new law.
This article focuses on the provisions applicable to private controllers (as opposed to federal authorities) and provides an overview of the new obligations that will be imposed on controllers and processors and analyzes some key revisions in more detail. The second part, to be published in January 2021, focuses on some differences that exist between the nDPA and the GDPR and will provide businesses with an action plan.
WHAT IS NEW?
Revised Scope of Application
To respond to the ongoing globalization and international business activities, the legislator decided to equip the law with a broader territorial scope of application: The nDPA will apply to all processing of personal data that has an effect in Switzerland, irrespective of where the processing takes place; for example, it would apply to the processing of personal data of Swiss citizens by an entity located in France. Also, a company based outside Switzerland may have an obligation to appoint a representative (Article 14 nDPA). With regard to the material scope, the nDPA no longer applies to company data, whereas the nDPA’s definition of “sensitive personal data” now also includes genetic data and biometric data. Finally, the nDPA differentiates between “profiling” and “high risk profiling,” the latter defined as “profiling which involves a high risk to the personality or fundamental rights of the data subject, as it creates a pairing between data that enables an assessment of essential aspects of the personality of a natural person.” The future will show where the regulator and courts will draw the line between “profiling” and “high risk profiling.”
New duties imposed on controllers and processors
The nDPA imposes a plethora of new duties on controllers and, in some cases, on processors. While most of them are already known under the GDPR, businesses that are not yet compliant with the GDPR will face new obligations, such as these:
WHAT HAS BEEN REVISED?
Besides these new obligations, the legislature has revised some of the existing concepts, hopefully bringing more clarity in the future. While the content of these provisions has not changed at its core, the legislature has streamlined the wording, refined the language, and in some cases imposed new obligations or restrictions.
HOW IS THE NEW LAW ENFORCED?
Finally, the nDPA strengthens the rules on enforcement in case of noncompliance with its provisions.
First, the FDPIC, the Swiss regulator, is vested with more power, and the threshold to initiate an investigation has been lowered. Instead of issuing simple recommendations, the FDPIC will be entitled to open investigations on its own initiative or upon complaint, order provisional measures, and render a binding decision (Article 51 nDPA). This means that the burden to appeal against binding decisions of the FDPIC now lies with the concerned controller (or processor). Also, the concerned controller (or processor) that is subject to an investigation by the FDPIC has a duty to cooperate. If it does not cooperate, the Swiss regulator may order the production of information, searches, witness examinations, and expert reports.
Second, the nDPA provides for higher sanctions, which are viewed as criminal sanctions, with fines of up to CHF 250,000 and new provisions on the liability of undertakings (Article 60 et seq. nDPA). It is important to note that these criminal sanctions will be imposed on the private individuals responsible for the breach and not on the company as such. This will in most cases be the employee who carried out the processing but can also be the management that failed to set adequate internal safeguards against data breaches. Companies themselves may be subject to fines of up to CHF 50,000 (Article 64 nDPA).
Third, the new law does not bring any substantial change with regard to private causes of action. Data subjects continue to have a right to rectification, a right to be forgotten, and a right to object to processing, and they may bring civil action in case of a violation of the rules set out under the nDPA.