GDPR with a "Swiss finish": What companies need to know about the revised Data Protection Act

The most important changes to the revised DPA at a glance

With the adoption of the revised Data Protection Act (rDPA) by parliament in September 2020, the legislative process is complete and the revised Data Protection Act will enter into force on September 1, 2023 without a transitional period. In this article, we discuss the most important changes, provide a comparison with the European GDPR and show where companies may need to take action.

The revised DPA pursues a risk-based approach

Companies are processing ever more data about customers, suppliers and employees. The aim of the revision is to oblige companies to take the organizational and technical measures needed to ensure data security and to prevent data misuse as far as possible. The obligations scale with the risk a processing activity poses to the data subjects: low-risk processing by smaller companies is partly exempted, while high-risk processing triggers additional duties such as an impact assessment.

The most important innovations at a glance

New scope of application: Natural persons

One of the key changes concerns the scope of the revised law. While the DPA of 1992 applies to the data of both legal entities and natural persons, the revised DPA applies only to the data of natural persons from September 1, 2023. Foreign companies whose processing has an effect in Switzerland must also meet its requirements. This aligns the scope of application with the European GDPR.

Data Protection Officer: Voluntary but recommended

The main role of the data protection advisor, in addition to acting as the point of contact for the supervisory authority (the Federal Data Protection and Information Commissioner, FDPIC), is to handle requests for information and to train employees accordingly. The role therefore corresponds to that of the Data Protection Officer (DPO) under the GDPR. Unlike the GDPR, however, the rDPA does not require private-sector organizations to appoint one. Forgoing an advisor can nevertheless mean additional requirements and effort in dealing with the FDPIC: for example, a company that has appointed a data protection advisor may consult the advisor instead of the FDPIC when a data protection impact assessment shows a high residual risk.

Data processing directory and data protection impact assessment (DPIA)

Companies are now obliged to keep a register of their processing activities. Companies with fewer than 250 employees are exempt, provided their data processing entails only a low risk to the personality of the data subjects. If personal data are disclosed abroad, the register must in particular state the country concerned and the safeguards applied. In contrast to the GDPR, however, the rDPA does not lay down comprehensive formal requirements for the register.

Companies must also establish a data protection impact assessment (DPIA) process for processing that may entail a high risk to the personality or fundamental rights of the data subjects. The law names typical cases in which such a high risk is presumed, for example extensive processing of sensitive personal data, processing for the purpose of surveillance or systematic monitoring, processing of large volumes of personal data, and processing in connection with automated individual decision-making.

The revised Data Protection Act introduces personal criminal liability

While the European GDPR provides for administrative fines against companies, the revised Swiss DPA makes the responsible natural persons criminally liable. Intentional violations of the duties to inform, to provide information and to cooperate are punishable by fines of up to CHF 250,000. Breaches of the duty of care (for example the rules on cross-border disclosure, processors and minimum data security), breaches of professional confidentiality and disregard of orders issued by the FDPIC are also regulated, each likewise punishable by fines of up to CHF 250,000.

Another new rule worth mentioning is the extension of the previous duty of confidentiality, which applied only to specific professional groups (lawyers, doctors, etc.), to a general duty of confidentiality for anyone who learns secret personal data in the course of their profession. Whereas employees' confidentiality obligations were previously usually limited to the employer's business and manufacturing secrets, the new rule also obliges employees to keep the employer's customer data confidential. Violations may result in fines of up to CHF 250,000 for the natural person responsible.

These rules represent a significant tightening compared with the previous law, so the employees concerned must be trained accordingly.

Requests for information and rights of natural persons concerned

The rDPA also defines the rights of data subjects and the requirements for handling their requests for information, which must generally be answered within 30 days. These include:

  • Right of access: Data subjects have the right to obtain from the controller information about the personal data concerning them and about the origin, recipients and purposes of the processing.

  • Form and scope: The information must be provided in a clear and comprehensible form and limited to what the data subject needs in order to assert their rights under the Act.

  • Timing: The controller must respond to the request for information within 30 days of receipt.

  • Security measures: The controller must take appropriate measures to verify the identity of the requester, so that the information is disclosed only to the data subject or a person authorized by them.

  • Right to rectification, erasure and restriction: Data subjects have the right to have inaccurate data rectified or erased or to have the processing of their data restricted.

It is important to note that there are exceptions to these requirements in certain cases, e.g. if providing the information would adversely affect the rights and freedoms of other persons or would disclose business secrets. In addition, as under the GDPR, the information is in principle provided free of charge; unlike the GDPR, however, the rDPA expressly allows the controller to demand an appropriate contribution to costs in exceptional cases, in particular where the effort involved is disproportionate.

COMPARISON WITH THE GDPR

Alignment, but not identical: differences between the rDPA and the European GDPR

OUR EXPERTS ARE THERE FOR YOU

Pragmatica supports the planning and implementation of the new data protection guidelines

We contribute all our experience from numerous past mandates in the context of channel and experience management as well as video consulting. We support you in developing, defining, planning and implementing an omni-channel strategy and show you how to achieve a great deal with small investments, for example in your video consulting skills. Contact info@pragmatica.ch for a non-binding exchange with us.
