The Swiss Data Protection Act (DPA) is currently being revised. Due to the rapid technological development over the last 20 years, the DPA is no longer up to date. In addition, the EU General Data Protection Regulation (GDPR) has been in force since 25 May 2018 and sets a stricter data protection standard. By May 2020, the EU will have to determine whether Switzerland still ensures an adequate level of data protection, i.e. one that allows for straightforward cross-border data transfers. A preliminary draft of the DPA was issued in December 2016 and has been in revision ever since.
At the end of September 2019, the Swiss National Council deliberated on the matter. Based on current knowledge, the following key elements are likely to be included in the revised DPA:
- The protection of the DPA will be limited to natural persons; legal persons (e.g. companies) will no longer be protected.
- The revised DPA will also apply to foreign companies that offer services or goods in Switzerland. Under certain circumstances, those companies, in their role as data controllers, will have to appoint a representative in Switzerland when they process data of persons in Switzerland. The representative must then keep a record of processing activities.
- Storage limitation will be included as a data processing principle.
- If consent for personal data processing is required, it will have to be given voluntarily and after adequate information. Consent will only need to be explicit when sensitive personal data is being processed.
- The revised DPA will introduce the role of an internal Data Protection Officer (DPO). However, the nomination of this supporting function will not be mandatory.
- A record of processing activities will be mandatory for companies with at least 250 employees.
- Stricter and more comprehensive information duties will be introduced. However, under certain circumstances these duties are subject to restrictions.
- Profiling will no longer be considered a high risk to the personality or fundamental rights of the data subject. Therefore, not every use of profiling will require a data protection impact assessment.
- The right to data portability will be introduced. Affected persons may require a service provider to provide them with their personal data in a common format (e.g. electronically) and for free.
- There will be criminal sanctions for the individuals responsible for the data processing (e.g. executives), with a maximum fine of CHF 250’000.
The Federal Council will decide on the entry into force. There will not necessarily be a transition period of two years as the Political Commission of the National Council proposed.
The preliminary draft and the proposals made by the National Council will now be discussed by the Political Commission of the Council of States in Q4 2019. As a next step, the Council of States will deliberate on the further adjustments either in the winter session 2019 or in the spring session 2020. The entry into force of the revised DPA may be expected in 2021 at the earliest.
Actions for companies
Companies should take proactive measures to comply with the upcoming legislation and critically review their current data protection organisation in order to identify and close gaps. For instance, they should implement records of processing activities and data breach management. Furthermore, the appointment of an internal DPO may bring a certain relief to companies as a central point of contact for data protection issues. Violations may not only result in high penalties for members of the executive board; the risk of loss of reputation and of trust in the company must also be taken into account.
Do you need assistance, or would you like to learn more about data protection? Contact our experts. We are happy to answer your questions and support you in any way we can!