New Information Duties under the Data Protection Act

Philipp Rosenauer
Partner Legal, PwC Switzerland

The revised Federal Act on Data Protection (revFADP) extends the information obligations that apply when personal data is collected. Both the General Data Protection Regulation (GDPR) and the revFADP require the controller to inform data subjects about the collection and processing of their data. A breach of this obligation is sanctionable under the revFADP, which now provides for fines of up to CHF 250,000 against individuals.

How can the data subject be informed?

The information duty is best fulfilled with a written document, such as a Privacy Notice. A Privacy Notice on your company’s website can inform users, prospects, and clients about how you process their data. The duty does not only cover the external relationship with clients, prospects, and vendors, but also the internal relationship with your employees. The latter can be covered, for example, with a dedicated HR Data Protection Notice.

What must the data protection notice contain?

At the time of collection, the controller must provide the data subject with all information required for the data subject to assert his or her rights under the revFADP and to ensure transparent processing. As a minimum, this includes:

  • the controller’s identity and contact details (address, phone number, email);
  • the purpose of the processing;
  • if applicable, the recipients or categories of recipients to which personal data is disclosed;
  • if personal data is disclosed abroad, the country or international body concerned and the safeguards used to protect the personal data.

The required information is less extensive than that stipulated in the GDPR. However, keep in mind that under the revFADP a list of the countries to which personal data is transferred needs to be drawn up. Generic references such as “Europe” or “every country where we have an establishment” are in principle not sufficient; the individual countries must be named.

In addition, the safeguards (such as Standard Contractual Clauses for transfers to countries without an adequate level of data protection) or the exceptions that apply to the data transfers must be outlined.

The Draft Ordinance to the FADP clarifies that the information about the collection of personal data must be provided in a precise, understandable, and easily accessible form. Pictograms are also permitted as a means of conveying the information.

How to write a privacy notice and what to do if you already have a GDPR-compliant privacy notice

Take your processing activities and the existing data protection information as the starting point. Your company should have an overview of all relevant existing data protection policies and information (including, for example, the data protection clauses in terms and conditions). The record of processing activities is of major help in identifying the processing activities and their purposes.

If you have already set up a GDPR-compliant privacy notice, some adaptations may be necessary. If you export personal data to another country, the data export must be assessed from a Swiss rather than a European point of view. Accordingly, the countries to which the data is transferred must be listed by name. In addition, you must state the safeguards relied on for a data export to a country without an adequate level of data protection and, finally, any exceptions that apply.
