Key takeaways
1. Revised FADP is a done deal
After a legislative process lasting more than four years, the deadline for calling a referendum against the revised Federal Act on Data Protection (reFADP) expired unused on 14 January 2021. The reFADP and the new data protection regime it introduces will therefore likely come into force by mid-2022 at the latest.
2. Comprehensive obligations for data controllers and processors
The good news first: the regulation concept of the reFADP remains the same. In contrast to the EU's General Data Protection Regulation (GDPR), the processing of personal data in the private sector still requires neither consent nor any other justification. A justification is only necessary if the processing principles are not complied with; the data subject has objected to the processing; or a third party is to be provided with sensitive personal data.
Nevertheless, with the reFADP, the legislator introduces various new obligations for both data controllers (controllers) and processors (processors). These new obligations and the reFADP in general may also apply to companies based abroad, in particular if they process personal data and this data processing has an impact in Switzerland.
The most important of the new obligations and the resulting need for action for controllers and processors are listed below:
Comprehensive obligations for data controllers and processors

Obligation | Need for action
--- | ---
Obligation to provide comprehensive information |
Obligation to keep records of processing activities |
Obligation to obtain prior consent for sub-processing |
Obligation to secure personal data |
Obligation to carry out a data processing impact assessment |
Obligation to notify data security breaches |
Obligation to appoint a representative |
3. Non-compliance may result in fines of up to CHF 250,000
The reFADP not only introduces new obligations but also provides for increased penalties in case of non-compliance. In future, intentional infringements of certain data protection provisions, for example non-compliance with the information obligations, will be punishable by fines of up to CHF 250,000.
In contrast to the GDPR, it is not the company that is penalised, but the person responsible for the data violation. This person does not necessarily have to be a manager. It can also be someone who is not a member of a corporate body, but who is in charge of the relevant proceedings, such as the company DPO or the external legal counsel who, for example, decides on the privacy policy.
4. No transition periods – immediate action required
As the reFADP provides for hardly any transitional periods, companies subject to it will be obliged to comply fully with the newly introduced obligations as soon as it enters into force. Companies affected should therefore take a forward-looking approach and begin implementing the new provisions today. The following steps are recommended:
In a first step, companies should establish their starting position under data protection law: Whose data do we process, which types of personal data, and for which purposes? What is the potential justification for our data processing? Do we disclose personal data to third parties? Do we disclose personal data cross-border to countries without an adequate level of data protection? On what guarantees do we base such cross-border data disclosures?
In a second step, companies should define the gaps between the actual and target status and the resulting need for action. The concrete need for action and the time needed for its implementation depend to a large degree on the extent to which the company concerned already complies with the GDPR provisions today.
As it is unlikely that the measures necessary to meet the need for action can be implemented simultaneously, it will be necessary in a third step to set priorities for the realisation of these measures. In this context, it might be useful for a company to implement measures that protect it from possible sanctions under the reFADP in advance. Priority should be given to the following actions: (i) adaptation of privacy policies and GTCs to meet the information obligation; (ii) adaptation of DPAs; (iii) review and, if necessary, adaptation of guarantees to ensure an adequate level of data protection in case of data transfers to third countries (keyword: Schrems II); (iv) creation of records of processing activities; (v) creation of standard templates for reporting data breaches; and (vi) creation of standard templates for responding to requests for information.
With our long-standing and proven professional expertise, Pestalozzi Attorneys at Law is at your disposal during both the evaluation and implementation process.
Regulation (EU) 2016/679 – General Data Protection Regulation (GDPR)
© Copyright 2006 – 2022 Law Business Research