The Revised Swiss Federal Data Protection Act

With the recent revisions to the Swiss Federal Data Protection Act, our team have summarised both the key points of the changes as well as listed a number of next steps that may need actioning in your organisation.

As experienced experts in Swiss and EU data protection law, our experts are able to show you the differences to the EU and support you in implementing a data protection concept that is suitable for your company.

Key points of the revision

1. The new DPA is unlikely to enter into force before 2022; some do not expect it until summer 2022
2. The basic principles of data protection do not change; consent for processing personal data is still mostly not required (unlike under the GDPR)
3. More or less burdensome governance obligations have been added, such as the maintenance of data processing inventories, an obligation to report data breaches and other security breaches, and the obligation to conduct data protection impact assessments
4. New provisions allow companies to appoint data protection advisors and require foreign companies with significant activities in Switzerland to designate a Swiss representation
5. The rights of data subjects will be somewhat expanded; it will be even easier to demand that a company release one's own data
6. Contracts must be checked for compliance with the DPA; in particular, the involvement of subcontractors will be regulated more strictly (analogous to the DPA)
7. Profiling was at the center of the discussion, but hardly anything changes
8. The duty to provide information for data procurements is expanded in terms of content (i.e. what must be must be informed about) is expanded; companies must therefore review their data protection declarations
9. The transfer of data abroad will be liberalized, but violations will now be punishable by law
10. Processing of data for checking creditworthiness will be restricted, especially in terms of time.
11. The Federal Data Protection and Information Commissioner can now issue processing prohibitions and other and other orders and no longer only "recommendations".
12. The penalty provisions (CHF 250,000) are aimed at responsible employees, not companies, but concern only a few cases (information, disclosure, exports, security, outsourcing)
13. Whoever is DPA compliant will also be DPA compliant, with some exceptions; data about legal entities are no longer in the scope of application.

‍Need for action

‍Considering the above key points that came out of the revision, we have compiled a number of key actions that may need completing in your organisation. Our dedicated DPMS solution enables businesses to track these changes and identify actions for their own teams.

1. Review and adapt data protection declarations to the new requirements; check whether all cases are covered where the company procures personal data
2. Create a list of data processing activities
3. Identify order processing and check and adapt contracts to the new requirements
4. Identify foreign transfers and check and adapt them in accordance with the requirements
5. Introduce process for data protection impact assessment, possibly appoint data protection advisor
6. Introduce process for reporting and handling data security breaches
7. Establish or adapt guidelines for responding to requests from data subjects
8. Identify automated individual decisions and, if relevant, re-regulate them if necessary
9. Identify processing of genetic and biometric data and for non-personal purposes and creditworthiness, and review and adapt them in response to new requirements
10. Adapt training and instructions, provide for audits

Our team is at your disposal, click here to make an appointment for a detailed consultation.