The New Swiss Data Protection law: are you ready for September 1, 2023?
During its autumn 2020 session the Swiss Parliament adopted the new Act on Federal Data Protection (hereafter "nFADP"). It represents a complete overhaul of data protection legislation, necessary because there has been significant technological change in recent decades. It was also necessary to align with European legislation.
The nFADP and its ordinances (Ordinance on Data protection (hereafter "OPDo") and Data Protection Certifications (hereafter "OCPD")), will come into force on 1st September 2023 and will replace the current FADP of 1992.
We have summarised below the main changes and new obligations introduced by the nFADP:
- Only data of natural persons are affected by the nFADP (Art. 2 par. 1 let. a nFADP).
- Genetic and biometric data fall under the definition of sensitive data (Art. 5 let. c fig. 3 and 4 nFADP).
- Obligation to apply the nFADP processing principles from the design stage of projects (principles of "Privacy by Design" and "Privacy by Default") (Art. 7 nFADP).
- It is now mandatory to keep a register of processing activities. However, the ordinance allows exemptions for SMEs whose data processing presents limited risk of harm to the data subject (Art. 15 par. 1 nFADP).
- An impact assessment ("DPIA") must be conducted if there is high risk to the privacy or fundamental rights of data subjects (Art. 22 nFADP).
- The duty to provide information has been extended: the collection of all personal data – and no longer of only so-called sensitive data – will require prior notification of the person concerned (Art. 24 par. 4 nFADP).
- Companies must provide prompt notification to the Federal Data Protection and Information Commissioner (“FDPIC”) in the event of a data security breach (Art. 24 par. 1 nFADP).
- The concept of profiling (i.e., the automated processing of personal data) is now part of the law (art. 5 let. f nFADP).
We would also like to emphasise that the nFADP grants consumers, among other things, the right to access their information and to have their data deleted or transferred. To guarantee these rights, companies will be obliged to answer clients' requests, notify them of security breaches and, in some cases, conduct an impact analysis or keep registers. The more sensitive the personal data a company processes, the stricter the application of the law.
II - What should companies do to comply with the nFADP before September 1, 2023?
It is necessary to act in advance. We recommend above all that companies:
- Analyse the appropriateness of:
a. appointing a data protection advisor;
b. appointing a Swiss representative (for foreign companies).
- Prepare:
a. records of processing activities, bearing in mind that exceptions are provided for companies with fewer than 250 employees;
b. privacy policies and similar information documents to inform data subjects about the processing of their personal data;
c. a data protection impact assessment ("DPIA") process and template.
- Review:
a. data processing agreements with third parties and update them accordingly;
b. cross-border data transfers (review and/or map them) to ensure the use of the proper legal mechanism.
- Define:
a. an internal process to comply with data breach notification obligations.
Finally, companies should be aware that the powers of the FDPIC to enforce the nFADP have been extended and that the revised law introduces sanctions (under Chapter 8, "Criminal provisions") in the event of a:
- Breach of obligations to provide access and information or to cooperate (Art. 60 nFADP)
- Violation of duties of diligence
- Disregard of decisions (Art. 63 nFADP)
- Offence committed within an undertaking (Art. 64 nFADP).
In the event of intentional breaches of the revised FADP, private individuals may be fined up to CHF 250,000.
Although the nFADP has "Swiss specificities", this revision brings the FADP provisions closer to those of the EU's GDPR. Companies that already comply with the GDPR will largely have adequate processes in place, but should bear in mind that the nFADP enters into force on September 1, 2023 and provides no transition period.
In view of the above, we encourage you to assess your current compliance with data protection law (GDPR and nFADP) and to define measures to be put in place to be compliant on September 1st, 2023.
If you would like to discuss this topic, please reach out to our key contacts below.