Revised Swiss Data Protection Law: Missed 1st September deadline? Set your company on the compliance path - Tax and Legal blog

Since September 1st, 2023, when the revised Swiss Data Protection Act (hereafter “nFADP”) entered into force, Swiss companies have been required to comply immediately with its strengthened data protection obligations.

If you suspect your business is behind on its data protection compliance responsibilities, rest assured, it is not (yet!) too late. Whether your company is a beginner when it comes to data protection or already has a solid foundation in place, this high-level roadmap will help you conduct your business in compliance with the nFADP. In addition, if you would like to know more about the main changes introduced by the nFADP, please check our latest article on this subject.

Now let’s focus on the high-level roadmap we propose to you:

1. Prepare/update your privacy notice

With the extension of the duty to inform data subjects of the processing of their personal data (art. 19 and seq. nFADP), the data controller must now establish a privacy notice or update the one it already has.

In terms of content, a privacy notice needs to contain at least the company’s identity and contact details, the personal data processed and the reason for its collection, the recipient(s) of personal data and the countries to which it may be transferred, as well as the safeguards used to transfer this personal data to a third country.

Once your privacy notice is ready, make sure it appears on anything used to collect personal data, such as terms & conditions, apps, forms and websites, as this notice should be easily accessible to the data subjects.

2. Keep/update an inventory of your processing activities

Swiss companies are now required to keep an internal register of their data processing activities (art. 12 nFADP). Companies that have fewer than 250 employees and whose data processing poses a negligible risk of harm to the person of the data subjects are, however, exempted from this obligation.

In practical terms, the inventory can consist of a simple Excel or Word document, which contains at least the following information:

  • Your identity as data controller (note, however, that if you are a data processor, you are subject to fewer content requirements, according to art. 12 para. 3 nFADP);
  • Purpose of processing;
  • Categories of data subjects (e.g., suppliers, employees, clients, etc.) and the categories of personal data (e.g., personal data, sensitive data, etc.);
  • Categories of recipients (e.g., internal recipients, banks, IT services, etc.);
  • Storage period;
  • Security measures taken to guarantee data security;
  • Recipient countries (and, depending on the country, grounds for exportation of data).

Compiling all of the above is the hardest part, but be sure to update the inventory regularly. For the sake of efficiency, we recommend, for instance, assigning the person in charge of each department responsibility for monitoring its data processing activities.

3. Define an internal process for handling data subjects’ requests

The nFADP grants data subjects the right to access, correct, delete or transfer their personal data (art. 25 and seq. nFADP). Ensuring that these rights are guaranteed means implementing in advance an internal process (e.g., assigning a person in charge) to address these requests efficiently and swiftly. Your inventory (see 2. above) will be a valuable help in completing this task, as it should contain the information you will need in such cases.

4. Prepare a data protection impact assessment (hereafter “DPIA”) process and template

The nFADP now provides for a duty to conduct a DPIA before starting a data processing activity which presents a high risk to data subjects’ privacy or fundamental rights (art. 22 nFADP). The DPIA shall include a description of the processing activity and an evaluation of the risks and existing measures to prevent such risks. If a high risk remains despite these measures, the FDPIC must be consulted.

An effective way to comply with this requirement is to draft a DPIA template and to define an internal process (e.g., when is a DPIA required? who oversees the DPIA? etc.).

5. Define an internal process for notification of a data breach

The nFADP provides for an obligation for companies to promptly notify the Federal Data Protection and Information Commissioner (hereafter “FDPIC”) of any data security breach (e.g., hacking, loss of data, wrong email recipient, etc.) that has a high risk of negative consequences for individuals (art. 24 nFADP). In some cases, the revised law also requires the affected data subjects to be notified, particularly if such notification would ensure their protection.

To comply with this new obligation, companies shall have an internal process in place (e.g., a checklist) indicating the person responsible for notifying the FDPIC, the period of time within which the notification must be made and the criteria for determining whether such notification is necessary.

Please note that a reporting portal is at your disposal on the Confederation’s website to notify the data breach.

6. Implement data security measures

According to art. 8 nFADP, data controllers and processors must ensure adequate security of personal data through appropriate organisational measures (e.g., training, as detailed below under 10.) and technical measures (e.g., firewalls, MFA, encryption, etc.). Such measures shall protect personal data against unauthorised access, loss or leakage.

7. Review and update existing data processing agreements with third parties

nFADP compliance duties require you to review your company’s contracts with third parties (i.e., clients, suppliers, service providers and employees) and check whether they provide for complete data protection clauses which comply with the revised law. In addition, as the nFADP requires that the processing of personal data can only be assigned by a contract or by the law, you should ensure that a proper data processing agreement is in place with your data processor(s) (art. 9 nFADP). Contractual relationships with your cloud service providers, IT providers, marketing agencies and payroll providers, for example, should be verified.

8. Review and map your cross-border data transfers

The admissibility of cross-border transfers of personal data depends on the country to which the personal data is to be transferred (art. 16 and seq. nFADP). When the recipient country offers an adequate level of data protection (e.g., the EU; see Annex 2 to the Ordinance to the FADP for the complete list), personal data may be transferred. If this is not the case, however, the data transfer can only be permitted under restrictive conditions (e.g., conclusion of the EU “Standard Contractual Clauses”, “SCC”).

An intentional breach of the cross-border transfer rules exposes your company to a fine of up to CHF 250,000. We therefore strongly suggest checking whether the countries concerned by your existing business relationships offer sufficient guarantees of protection, replacing any previous SCC and maintaining a clear picture of where the personal data goes.

9. Consider appointing a data protection advisor

Under the nFADP, companies can decide to appoint a data protection advisor (hereafter “DPA”), to advise the company and act as intermediary for data subjects and data protection authorities (art. 10 nFADP). In particular, this possibility offers the advantage of exempting entities from their obligation, when applicable, to consult the FDPIC.

We therefore advise carefully assessing whether your business could benefit from the presence of a DPA. If so, your internal policies should clearly define each person’s responsibilities (i.e., employees’ duties vs. DPA’s duties).

Deloitte Legal would be pleased to propose its services to be appointed and act as your company’s DPA (see contact details below).

10. Train your employees

Lastly, bear in mind that all employees, regardless of their position, need to be made aware of their data protection compliance duties. This step is all the more important as the revised law now provides for criminal sanctions in case of non-compliance.

To raise awareness among your staff, consider, for example, implementing training sessions (e.g., e-learning courses), keeping them updated on data protection developments through newsletter emails, and drawing their attention to existing internal processes.

The nFADP marks an important step in the Swiss Confederation’s goal to increase personal data protection and ensure transparency in a world becoming more and more digital. More than compliance duties, the above rules are paramount for a business to maintain trust with its co-contractors and contribute to ensuring a transparent and safe environment for each data subject.

If you would like to discuss this topic or need assistance to assess your current compliance with the nFADP and prepare the relevant procedure and agreements, please do reach out to our key contacts below:

Key contacts

Paul de Blasi - Partner, Deloitte Legal

Paul is a Swiss qualified attorney-at-law with over 15 years of professional experience in business law assisting local and international organizations. Paul is a Partner specialized in local and international project management in M&A and corporate restructuring. He was the legal lead for a large carve-out from a large multinational in 30+ countries, including employee and contract transfers, and received with his team the Global Deloitte Legal Winner Award 2019 in the category “Global yet grounded” for achieving this project within a record time. He has also worked on multiple local and international projects related to legal gap assessments in various areas of law and across industries (e.g., e-signature admissibility, cloud feasibility, data protection under the GDPR and nFADP, data retention period requirements, etc.). Paul also has an excellent understanding of the in-house legal function and the business’s expectations of it, as he was seconded as Legal Counsel in charge of the EMEA region within Alcon Group, a global leader in eye care.

Audrey Soutter - Senior Manager, Deloitte Legal

Audrey joined Deloitte in 2023. She previously worked for Ernst & Young for 6 years. She holds a Master in Commercial Law from the University of Paris II and a Master in Sciences of Management from EM Lyon Business School. She is also a member of the Paris bar. She focuses on data protection and governance subjects for national and international clients in various industries. In this context, Audrey is used to working in multidisciplinary and international teams, assisting both Swiss and international companies in multi-jurisdictional legal projects.

Lise Morin - Senior Consultant, Deloitte Legal

Lise is a senior consultant in the legal team in Geneva, with a focus on data protection (Swiss law and GDPR) and digital law (cloud and e-signature legal validity assessments and other data and regulatory related topics) for national and international clients in various industries.
