Key Overview of the Revised Swiss Personal Data Protection Act
On 25 September 2020, the Swiss Parliament approved the revision of the Federal Act on Data Protection (SR 235.1), and the revised Act will come into force on 1 September 2023. Ahead of that deadline, it is worth familiarizing yourself with its provisions if your company carries out personal data processing that might fall within the scope of the revised Swiss Act.
While many requirements set out in the revised Act are similar to the well-known EU General Data Protection Regulation (GDPR) obligations, there are some notable differences discussed below.
To assess whether a company will be impacted by this piece of legislation, one should have a look at its scope. When it takes effect, the Act will govern the processing of personal data relating to natural persons and will have an extraterritorial scope, applying to situations that have effects in Switzerland, even if they occur outside the country. This is quite a broad scope and can involve a wide range of data processing activities.
Data Protection Authority
The Federal Data Protection and Information Commissioner (FDPIC) remains responsible for monitoring the application of the federal data protection provisions in Switzerland.
The core definitions, e.g. personal data, data subject and processing, carry over largely unchanged, with one notable narrowing: personal data now means all information relating to an identified or identifiable natural person, so data relating to legal persons is no longer covered. The definition of processing includes any operation in relation to personal data, regardless of the means and processes used.
The Act also provides certain definitions of new terms as well as redefines existing ones. For example, the definition of sensitive personal data now explicitly lists genetic and biometric data, among others. Controller and processor are defined in a similar way to the EU GDPR. Data security breach and high-risk profiling are new notable additions to the definitions list.
Data controllers’ duty of transparency is increased. While the 1992 Act being replaced triggers the requirement to provide “adequate information” to data subjects only when sensitive data is processed or profiling is carried out, the revised Act requires controllers to actively and adequately inform data subjects of every collection of personal data, regardless of whether the collection is carried out by the data controller itself or by a third party (similarly to the GDPR).
The information to be communicated must be sufficient for the individuals to assert their rights under the Act and for the transparency of processing to be guaranteed. The minimum information to be included in the communication is the identity and contact details of the data controller, the purpose of processing, and, where applicable, recipients or categories of recipients of personal data. If data is not collected from the data subject directly, categories of personal data processed shall also be communicated to the individual. Importantly, when the data is transferred abroad, the data subject must be given information about the receiving country or international organization, and, where necessary, about the applicable guarantees or exemptions.
Exceptions to the duty to provide information include, but are not limited to, cases where the individual already has the information, the processing is provided for by law, or the data controller is a private person bound by a statutory duty of secrecy.
Data controllers with their seat or domicile outside Switzerland must appoint a representative in Switzerland if they process personal data relating to individuals in Switzerland and the processing meets all of the following conditions cumulatively:
- The processing is connected with offering goods or services to, or monitoring the behaviour of, persons in Switzerland
- The processing is on a large scale
- The processing is carried out regularly (systematically)
- The processing presents a high risk for data subjects
The controller must publish the name and address of its representative.
Data Protection Advisor
The Act does not make the appointment of a data protection advisor (the equivalent of a data protection officer or DPO) mandatory; however, private controllers may appoint one voluntarily. If the advisor satisfies the requirements set out in the Act, the controller may consult the advisor instead of the FDPIC when a data protection impact assessment (discussed below) shows that a high risk to data subjects remains.
Data Protection Impact Assessment (DPIA)
It will be mandatory for controllers to carry out a DPIA where the intended processing may result in a high risk for data subjects. Whether such a risk exists depends on the nature, extent, circumstances and purposes of the processing, in particular where new technologies are used; however, two specific cases are identified where high risk is presumed: when sensitive data is processed on a large scale, or when systematic monitoring of large parts of public areas is undertaken. Certain exemptions exist. If the DPIA reveals that, despite the measures adopted or to be adopted, the risk to data subjects remains high, the FDPIC must be consulted, unless, as discussed above, the controller consults its own data protection advisor instead.
Records of Processing Activities (ROPA)
Similar to the GDPR, the revised Act requires controllers as well as processors to keep records of their data processing operations. The law specifies the minimum information the ROPA register must contain. An exception is provided for companies with fewer than 250 employees whose processing operations present a low risk to data subjects; both conditions must be met.
Privacy by Design and by Default
The Act reaffirms the obligation to implement appropriate technical and organizational measures to ensure compliance with data protection regulations. This must be done commencing at the design stage of processing.
Personal Data Breaches
Data breach notification requirements set an “as soon as possible” standard: controllers must notify the FDPIC of any breach of data security that is likely to result in a high risk to the personality or fundamental rights of data subjects. A dedicated portal has been created for this purpose. Informing the data subjects is only required where this is necessary for their protection or where the FDPIC so requires. Processors must report any breach of data security to the controller as soon as possible; no high-risk threshold applies to this duty.
Under the revised Act, personal data may be transferred abroad if the Federal Council has determined that the recipient country (or international organisation) has legislation ensuring an adequate level of data protection. Prior to the revision, controllers and processors had to assess the recipient country’s level of data protection themselves; now the Federal Council issues a list of such countries. Annex 1 to the Data Protection Ordinance (SR 235.11) sets out the states, territories and specific sectors within a state with adequate data protection legislation. The list largely overlaps with the EU’s adequacy list, although Japan and South Korea are not on it.
Notably, Switzerland is a “third country” under the GDPR, and the EU/EEA countries are likewise “third countries” under the Swiss Act, although all EEA countries are on the Swiss adequacy list and the EU in turn recognizes Switzerland as having an adequate data protection framework.
Under the Swiss Act, if a country is not recognized as providing an adequate level of data protection, private controllers and processors may still transfer data abroad if one of the safeguards set out in Article 16(2) is in place:
- International treaty
- Individual data protection clauses, communicated to the FDPIC in advance
- Standard contractual clauses previously approved, if recognized by the FDPIC
- Binding corporate rules approved by the FDPIC or a data protection authority of another country providing for an adequate level of protection
- Specific guarantees drawn up by a competent federal body, communicated to the FDPIC in advance
Even without any of these safeguards, data transfers may still be made under the exemptions listed in Article 17 of the Act, inter alia when:
- The data subject has given explicit consent
- The transfer is directly connected with the conclusion or performance of a contract with the data subject or in the data subject’s interest
- The transfer is necessary to protect the life or physical integrity of the data subject or of a third party and it is impossible to obtain consent within a reasonable time
Notably, the Act clarifies that the mere publication of personal data by means of automated information and communication services (such as websites) in order to inform the public is not considered a transfer abroad, even if the data can be accessed from outside Switzerland.
The revised Act sets higher fines for individuals than for companies, and the fines are primarily directed at individuals. Persons acting for private controllers (managers, employees, etc.) may be fined up to CHF 250,000. A company may be fined only where the specific responsible individuals cannot be determined with reasonable effort; in that case, the maximum fine is CHF 50,000. The fines are imposed by the cantonal criminal authorities. Imprisonment is also possible for obtaining sensitive personal data from non-publicly accessible sources without authorization.
As many privacy professionals have stressed, GDPR-compliant entities will not need to make substantial adjustments before 1 September 2023, when the revised Swiss Act takes effect. It is nevertheless advisable to proactively review the requirements set out in the revised Act, in the Ordinance and in other implementing measures, as well as any guidance the FDPIC may issue.