The New Swiss Data Protection law: are you ready for September 1, 2023? - Tax and Legal blog


During its autumn 2020 session the Swiss Parliament adopted the new Act on Federal Data Protection (hereafter "nFADP"). It represents a complete overhaul of data protection legislation, necessary because there has been significant technological change in recent decades. It was also necessary to align with European legislation.

The nFADP and its ordinances (Ordinance on Data Protection (hereafter "OPDo") and Data Protection Certifications (hereafter "OCPD")) will come into force on 1st September 2023 and will replace the current FADP of 1992.

I - What do companies need to know about the nFADP?

We have summarised below the main changes and new obligations introduced by the nFADP:

  1. Only data of natural persons are affected by the nFADP (Art. 2 par. 1 let. a nFADP).
  2. Genetic and biometric data fall under the definition of sensitive data (Art. 5 let. c fig. 3 and 4 nFADP).
  3. Obligation to implement the nFADP processing principles from the design stage of projects (principles of "Privacy by Design" and "Privacy by Default") (Art. 7 nFADP).
  4. It is now mandatory to keep a register of processing activities. However, the ordinance allows exemptions for SMEs whose data processing presents limited risk of harm to the data subject (Art. 15 par. 1 nFADP).
  5. An impact assessment ("DPIA") must be conducted if there is high risk to the privacy or fundamental rights of data subjects (Art. 22 nFADP).
  6. The duty to provide information has been extended: the collection of all personal data – and no longer of only so-called sensitive data – will require prior notification of the person concerned (Art. 24 par. 4 nFADP).
  7. Companies must provide prompt notification to the Federal Data Protection and Information Commissioner (“FDPIC”) in the event of a data security breach (Art. 24 par. 1 nFADP).
  8. The concept of profiling (i.e., the automated processing of personal data) is now part of the law (Art. 5 let. f nFADP).

We would also like to emphasise that the nFADP grants consumers, among other things, the right to access their information and to delete or transfer their data. To guarantee these rights, companies will be obliged to answer clients’ requests, notify them of security breaches and, in some cases, conduct an impact assessment or keep registers. The more a company processes sensitive personal data, the stricter the application of the law.

II - What should companies do to comply with the nFADP before September 1, 2023?

It is necessary to act in advance. We recommend above all that companies:

  1. Analyse the appropriateness of:
    a. appointing a data protection advisor;
    b. appointing a Swiss representative (for foreign companies).

  2. Prepare:
    a. records of processing activities, bearing in mind that exceptions are provided for companies with fewer than 250 employees;
    b. privacy policies and similar information documents to inform data subjects about the processing of their personal data;
    c. a data protection impact assessment ("DPIA") process and template.

  3. Review:
    a. data processing agreements with third parties and update them accordingly;
    b. cross-border data transfers, mapping them where needed, to ensure the use of the proper legal mechanism.

  4. Define:
    a. an internal process to comply with data breach notification obligations.

Finally, companies should be aware that the powers of the FDPIC to enforce the nFADP have been extended and that the revised law introduces sanctions (under Chapter 8 “Criminal provisions”), in the event of a:

  1. Breach of obligations to provide access and information or to cooperate (Art. 60 nFADP).
  2. Violation of duties of diligence.
  3. Disregard of decisions (Art. 63 nFADP).
  4. Violations committed within undertakings (Art. 64 nFADP).

In the event of intentional breaches of the revised FADP, private individuals may be fined up to CHF 250,000.

Although the nFADP has “Swiss specificities”, this revision brings the FADP provisions closer to those of the EU’s GDPR. Companies which have complied with GDPR provisions will already have implemented adequate processes. Note that the nFADP will enter into force on September 1, 2023 and does not include any transition period.

In view of the above, we encourage you to assess your current compliance with data protection law (GDPR and nFADP) and to define measures to be put in place to be compliant on September 1st, 2023.

If you would like to discuss this topic, please reach out to our key contacts below.


Paul de Blasi - Partner, Deloitte Legal

Paul is a Swiss qualified Attorney-at-Law with over 15 years of professional experience. Since 2017 he has been leading the legal practice of Deloitte in the French-speaking part of Switzerland. His practice focuses on domestic and international merger and acquisition transactions and all aspects of general corporate and commercial law, including assistance to management and boards of directors, assistance to shareholders, family members and private clients. Paul is a member of the board of directors of his own family business and a member of the Family Business Network Switzerland and International (FBN).


Lise Morin - Senior Consultant, Deloitte Legal

Lise is a senior consultant in the legal team in Geneva, with a focus on data protection (Swiss law and GDPR) and digital law (cloud and e-signature legal validity assessment and other data and regulatory related topics) for national and international clients in various industries.
