Site Search Site Search

Menu

Services

Menu

Private Wealth & Entrepreneurs

Menu

Family business & SME consulting

Featured

Artificial Intelligence

Menu

Events

Loading Results

Entry into force of the new Data Protection Act with Ordinance on 1 September 2023

The most important facts in brief

Philipp Rosenauer
Partner Legal, PwC Switzerland

What's the latest?

At its meeting on 31 August 2022, the Federal Council confirmed that the new Data Protection Act (DPA) will enter into force on 1 September 2023. The Federal Council also published the new Data Protection Ordinance (DPO) (as well as the new Ordinance on Data Protection Certification (ODPC), which will enter into force together with the DPA (media release in German). 

What innovations does the recently published ordinance (DPO) contain?

Here is a brief overview of the most important regulations of the DSV that are relevant in practice:

  • Confirmation of the risk-based approach: In various provisions, the DPO confirms that the (due diligence) measures to be taken are based on the (potential) risk for the data subjects, e.g. with regard to data security and the transfer of personal data abroad.
  • Duty to inform: As is well known, companies will have to provide information about the collection of personal data in future (e.g. by means of a data protection declaration). According to the DPO, the information must be provided “in a precise, transparent, comprehensible and easily accessible form”. According to the explanatory report (in German), this means, for example, that in the case of the data protection declaration on the website, in accordance with the “best practice” approach, the information is available in the form of a structured overview. In order to obtain further information, the data subject can then click on this information displayed first, which opens a window with more detailed information.
  • Data transfers abroad (e.g. in connection with cloud outsourcing):
    • The Federal Council has published the countries with (from Switzerland's point of view) adequate data protection in the Annex to the Ordinance (this will replace the Federal Data Protection and Information Commissioner’s (FDPIC’s) current country list).
    • If at a later date the Federal Council no longer considers a country to be equivalent, this will not affect data transfers that have already taken place.
    • If standard contractual clauses of the European Commission (with corresponding adaptations to Switzerland according to the FDPIC's communication of 27.08.2021) (SCC) are used, the controller must take “measures” to ensure that the data importer complies with the SCC. In the Federal Office of Justice's commentary on the DPO, this duty of care is specified as follows: “The appropriateness of the required measures depends on the circumstances in the specific case and the state of the art (...).” Here too, a risk-based approach is thus assumed. In this regard, the FDPIC published a guide to checking the admissibility of direct or indirect data transfers to foreign countries on 18.06.2021.
  • Data security breaches: The DPO contains a list of the minimum information to be provided when notifying the FDPIC and data subjects of a data breach. There is also a document retention obligation (the documentation must be kept for at least 2 years from the time of the notification).
  • Data Protection Advisor:
    • Private companies are still free to appoint a Data Protection Advisor.
    • For “federal bodies” (including companies organised under private law that perform tasks for the Confederation, e.g. pension funds in the compulsory sector), however, the appointment of a Data Protection Advisor will be mandatory in future. The  Data Protection Advisor’s contact details must be published on the internet and communicated to the FDPIC.
  • Register of Processing Activities (RoPA): Companies under private law with fewer than 250 employees are in principle exempt from the obligation to keep a RoPA (exceptions apply in the case of extensive processing of “particularly sensitive personal data” or “high-risk profiling”). However, especially with regard to the creation of the data protection declaration, the maintenance of a RoPA can also be useful in these cases.
  • Automated processing of personal data at “federal bodies”: Planned automated processing activities (e.g. in connection with automated decision-making) must be notified to the FDPIC at the time of the project decision and at the time of the transition to productive operation (or project termination).
  • Logging and regulations for the automated processing of certain data: In the case of (automated) processing of “particularly sensitive” personal data (e.g. health data, extracts from criminal records, biometric data, etc.) and “high-risk profiling”, the processing (storage, modification, reading, disclosure, deletion and destruction of data) must be logged under certain conditions. Likewise, under certain conditions, there is an obligation to draw up internal regulations (concerning internal organisation, data processing and control procedures, and measures to ensure data security).
  • Data protection impact assessments must be kept for at least two years (after the end of data processing).

What should Swiss companies do now?

Companies now have one year to complete their implementation of the new regulations. Particularly since the implementation may also have IT implications (e.g. introduction of deletion capacities), companies should get started now if they haven’t already. You can find an overview of the necessary adjustments in the context of the revised data protection law in our recent blog.

In addition to the implementation deadline, there is another deadline: companies must also replace SCCs that are still based on the “old” version (i.e. from before 27.08.2021) with the new SCCs (adapted to Switzerland) by 31.12.2022.

In our blog series, we provide up-to-date information on the requirements and innovations in data protection law.

Our Data Privacy | ICT | Implementationᐩ team at PwC Legal Switzerland supports companies in the private as well as the public sector in the implementation of the new data protection law with an efficient and pragmatic approach.

#social#

Do you have any questions?

https://pages.pwc.ch/core-contact-page?form_id=7014L000000kkHMQAY&embed=true&lang=en

Data protection insights

Data Protection Blog series

Our service for you

Related content

Contact us

Philipp Rosenauer

Philipp Rosenauer

Partner Legal, PwC Switzerland

Tel: +41 58 792 18 56

Linkedin Follow Email
Gabriela Tsekova

Gabriela Tsekova

Senior Manager, FS Regulations, PwC Switzerland

Tel: +41 58 792 29 93

Linkedin Follow Email
Tanja Stefanie Weber

Tanja Stefanie Weber

Associate | Data Privacy | ICT | Implementationᐩ, PwC Switzerland

Tel: +41 58 792 43 06

Linkedin Follow Email
Services Assurance Consulting Corporate Support Services Deals Global Markets Legal People and Organisation Private Wealth SME and Family Business Tax Advice
Industry Sectors Energy Financial Services Government and Public Sector Health care Industrial Manufacturing Real Estate Retail and Consumer Goods Pharmaceuticals and Life Sciences Sports Business Advisory Technology, Media and Telecommunications
Today's issues Artificial Intelligence Workforce of the Future Finance Transformation Customer Transformation Cybersecurity Data & Analytics ESG: Criteria and Implementation
About PwC Contact Press Locations Organisation and Management Purpose, Values and Code of Conduct Reports Corporate Sustainability Our History Alumni
Careers Open Positions Career Events Experienced Hires Graduates Students Apprentices PwC as an Employer PwC's Career Blog
Research & Insights Our latest insights Subscribe to PwC insights Preference Centre

© 2018 - 2025 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.