Almost three years to the day after the Federal Council first published the draft bill to revise the Swiss Data Protection Act (FADP), the Parliament was finally able to agree on a new law.
The revised FADP will contain many changes compared to the current legislation. Some of these were hotly debated in the Swiss Parliament, which is why a settlement of differences between the National Council and the Council of States was necessary. The most relevant changes are the following:
- Data of only natural persons will be protected by law; the protection will no longer cover legal entities.
- The catalogue of penal provisions for individuals will be expanded. For example, a fine of up to CHF 250,000 is now envisaged for the person responsible for data processing within the company in the following events:
  - breach of obligations to inform, disclose and cooperate with the data subject
  - breach of compliance obligations
  - breach of professional secrecy
  - disregard of injunctions from the authority
- A fine against companies is only envisaged in exceptional cases, namely when a fine of up to CHF 50,000 is foreseen and the investigation of the offending natural person requires investigative measures that would be disproportionate to the penalty.
- In accordance with the provisions of the European General Data Protection Regulation (GDPR), a record of processing activities will also have to be kept. The Federal Council may grant exemptions for companies with fewer than 250 employees.
- The data controller will now have an explicit duty to provide information to the data subject when collecting any personal data.
- When processing personal data, appropriate technical and organisational measures must be taken "from the planning stage" to ensure that the data protection principles are implemented.
- In accordance with the provisions of the GDPR, the data controller must first conduct a data protection impact assessment if processing "may entail a high risk to the personality or fundamental rights of the data subject".
- In addition to normal profiling, the concept of "high-risk profiling" is introduced. In the case of high-risk profiling, any necessary consent must be explicit. The requirement of explicit consent also applies to the processing of sensitive personal data.
- Finally, in the event of an overriding interest, the person responsible is entitled to process data up to ten years old in order to check creditworthiness.
It remains unclear when the revised Data Protection Act will enter into force. However, this is not expected to happen before summer 2021. Furthermore, it also depends on whether a referendum will be held against the law.
Nevertheless, it is highly advisable for companies to proactively take measures to comply with the upcoming legislation and critically review their current data protection organisation, especially if they considered the GDPR not applicable to their business. Violations of the new legislation may not only result in high penalties; they can also cause a loss of reputation and trust. Companies operating in Switzerland are advised to have a complete and comprehensive picture of how and where they process personal data. By following a risk-based approach, the necessary measures can be taken to ensure that data processing will comply with the new Data Protection Act.
PwC will be happy to support your company in adapting to the new framework and will be available to answer any questions you may have.