What should you consider?
The term “sensitive personal data” has been an important topic during the pandemic, be it in relation to the COVID-App or to measures at the workplace. How is sensitive data different from non-sensitive personal data and what needs to be considered in their processing?
With the revised Federal Act on Data Protection (revFADP), biometric and genetic data have been added to the list of sensitive personal data. The Swiss revFADP follows a different concept than the European General Data Protection Regulation (GDPR). In principle, no legal ground is required, but you need to provide a “justification” to lawfully process sensitive personal data. Unlike its European counterpart, “sensitive personal data” under the revFADP also includes data on administrative or criminal proceedings and sanctions, data on social security measures and data on the intimate sphere. Switzerland follows a “risk-based approach”. This means that the higher the risks for the data subjects, the more strictly the general data processing principles must be applied. Hence, the processing of sensitive personal data must meet higher standards.
If there are reasons to store and process sensitive data, it must be ensured that no unauthorised person can access the data. Employees who work with sensitive data are also obliged to maintain confidentiality. The data must be protected in such a way that access is only granted to those employees who must work with it. This applies to both electronic and physical data. On the one hand, if the data is in electronic form, security can be ensured by encrypting the data. On the other hand, paper documents must be kept safe and out of reach of unauthorised persons.
You should avoid collecting sensitive personal data to the best possible extent. Unless it is needed for the relationship with your client or for work purposes regarding your employee, you should not process sensitive personal data. However, if you need to do so, you should strengthen your data protection principles and implement appropriate technical and organisational measures.
Dr. Günther Dobrauz
Partner and Leader Legal, PwC Switzerland
Tel: +41 58 792 14 97
Partner Legal, PwC Switzerland
Tel: +41 58 792 18 56
Senior Manager | Data Privacy | ICT | Implementationᐩ, PwC Switzerland
Tel: +41 58 792 4728
Director | Co-Head of FinTech, Blockchain and Digital Assets, PwC Switzerland
Tel: +41 58 792 92 24
Data Privacy | ICT | Implementationᐩ, PwC Switzerland
Tel: +41 58 792 2750
Anna Maria Tonikidou
Senior Associate | Data Privacy | ICT | Implementationᐩ, PwC Switzerland
Tel: +41 58 792 46 89