Changes are ahead in the new year: The complete revision of the Federal Act on Data Protection (FADP) and the Ordinance to the Federal Act on Data Protection (DPO), which was approved by Parliament in September 2020, will enter into force on September 1, 2023. The federal government originally planned to bring the laws into force in the second half of 2022. But they wanted to accommodate companies and their data protection officers and give them adequate time to prepare. From September of next year, however, things will get serious. In the meantime, however, there is still time to scrutinize your own data processing and prepare yourself for the new law.
Who does the new law apply to?
The Data Protection Act and the associated ordinance apply to the processing of personal data by private individuals (and federal bodies). As a result, private companies, associations and private individuals are also affected. While companies and associations generally cannot avoid observing data protection law, private individuals are exempt from complying with data protection law as long as they process personal data exclusively for personal use. However, the “for personal use” exception only applies to data processing in close private and family life (closer family and friends), which normally does not include a public website. Private website operators – as well as commercial ones – are therefore regularly affected by the new FADP and the new OFADP.
What is “personal data” and what does “process” mean?
Personal data refers to all data relating to an identified or identifiable natural person. In practice, this can extend very far and may, in some circumstances, be as simple as an IP address.
“Processing” is also broadly defined. The term actually encompasses almost all activities that can be imagined in relation to it. This includes the procurement, storage, retention, use, modification, disclosure, archiving, deletion or destruction of data. Nothing will change in this respect compared to the the previous law. The revision does simplify one thing, however: The FADP and the OFADP no longer apply when data relating to legal entities is processed. But take note: a company’s employees are still protected by the FADP under the new law.
What should we do now?
Data protection law imposes numerous obligations on the controllers of data processing, some of which are new and some of which already existed. Below you will find an overview of the most important obligations of the controllers.
Principles of data processing
The revision does not significantly change the processing principles, so previously permitted data processing should usually continue to be permitted under the new law. Personal data may only be processed lawfully, in good faith and in a proportionate manner. It is important that data may only be processed for the purpose for which it was collected and that the purpose is also apparent to the data subject (purpose limitation). If personal data is processed contrary to the principles of data protection law (e.g. for another purpose), this may constitute an infringement of the personal rights of the data subject. However, this may be justified if there is an overriding private or public interest (e.g. data processing in direct connection with a contract) or if the data subject consents.
Deletion of personal data
Personal data must be erased or anonymized as soon as it is no longer required for the purpose for which it is processed.
Processing inventory
Companies and organizations with 250 or more employees must keep an inventory of all processing activities. Companies with fewer than 250 employees are generally exempt from this requirement unless particularly sensitive personal data is processed on a large scale or high-risk profiling is carried out.
Information obligations and privacy policy
When personal data is processed, the data subjects must be informed of the scope and purpose of the data processing. This is usually done by means of a privacy policy. We recommend following these tips:
- It should provide information about all data processing, not just about the processing of data via the website.
- The privacy policy should be easy to find on a website, ideally on every page in the footer.
- Privacy policies should not normally have to be accepted by the user (e.g. forms). Instead, it can be pointed out where the privacy policy can be found.
- Please note that due to the new, more extensive information obligations, you may need to amend your existing privacy policies.
Learn more:
In a previous post on the Hostpoint blog, the law firm VISCHER put together some important and helpful tips for drafting a privacy policy for your own website:
How to write a good privacy policy for your website
Processor
A data processing agreement(DPA) should be concluded with providers such as Hostpoint that process personal data on behalf of the controller. Here, too, we recommend following these tips:
- Such a contract should contain technical and organizational measures that the IT provider must comply with (see also the information on data security below as well as Art. 32 of the GDPR).
- A DPA in accordance with the European General Data Protection Regulation (GDPR) is generally sufficient in Switzerland, but it should also explicitly refer to the FADP.
- The involvement of other third parties by the processor should be regulated.
Data security
Access to personal data should only be possible for those persons (e.g. employees, club members) who really need access, for example to carry out their work. This should be ensured through technical and organizational measures (TOMS). Technical measures could include restricted access rights or firewalls, while organizational measures could take the form of directives and training. Websites and other IT systems should be kept up to date so as not to create security loopholes that could have devastating effects.
Should the confidentiality, integrity or availability of personal data be breached and thus present a high risk for data subjects, this must be reported to the Federal Data Protection and Information Commissioner (FDPIC). The Federal Council is also planning to introduce a reporting obligation for cyberattacks on critical infrastructure. The National Cyber Security Center (NCSC) must also be informed. In such cases, seek advice on how to act correctly.
Disclosure of data abroad
If data is disclosed abroad, either the country must have an adequate level of data protection or additional measures must be taken. This is already required under the current law. Disclosure abroad does not only mean active sending of data, but also remote access, for example. The term “disclosure” is therefore also broader than it might initially suggest. Measures that may have to be taken include the conclusion of standard contractual clauses (“EU SCCs”) and the amendments required in Switzerland (“Swiss amendments”).
Check which service providers you use in connection with your website and other services. If you are abroad, make sure that the country in question has adequate data protection and, if not, that you have taken the necessary additional measures.
Rights of data subjects
Personen, deren Personendaten bearbeitet werden, haben das Recht, Auskunft über ihre eigenen Daten zu erhalten. Diese Auskunft sollte in der Regel innert 30 Tagen und ohne Kostenfolge für die Betroffenen erfolgen. Ferner besteht auch das Recht der Personen, fehlerhafte Daten korrigieren zu lassen oder die Löschung von Daten zu verlangen. Diese Rechte gelten jedoch nicht absolut und es gibt Einschränkungen.
Consent
If consent is required for data processing, the data subject must be informed of the consequences of the consent and the consent must be given voluntarily. In the case of particularly sensitive personal data (e.g. health data) or high-risk profiling, consent must be given explicitly.
“Privacy by default and privacy by design”
This refers to data protection through technology and privacy-friendly default settings. There is now an obligation to structure data processing technically and organizationally in such a way that data protection law is complied with and that default settings are as data protection-friendly as possible. If operators of websites, apps or other software offer different privacy settings, the most privacy-friendly variant must always be defined as the default setting. For example, if a website has a member area where registered users can decide whether other users can see their name or not, the visibility of the name must be disabled by default.
Extended professional secrecy
In addition to the generally known professional secrecy (e.g. lawyer’s or doctor’s confidentiality), professional secrecy in data protection law has also been expanded. Confidential personal data that is entrusted to you in the course of your professional activities must be kept confidential. If you do not want to guarantee this, you must clarify this in advance or say who you may share the information with. Confidential personal data is considered to be personal data if it is not generally known and the data subject has a legitimate interest in keeping the data confidential. However, this does not mean that non-secret personal data may be disclosed without restrictions. Disclosure of such data is also only permitted in the framework of data protection law.
Data protection impact assessment
If new data processing operations are planned that could potentially have a high risk for data subjects, a data protection impact assessment must be carried out. The assessment must document the precise plan and evaluate the measures intended to protect the data subjects.
Data protection adviser and representative in Switzerland
Under the new data protection law, it is possible to appoint a data protection adviser in the company. However, there is no obligation to do so. A voluntary data protection adviser under Swiss law is to be distinguished from a data protection officer under the GDPR. In cases where the GDPR is applicable, the latter may even be required.
Controllers based abroad who process personal data in Switzerland must, under certain circumstances, appoint a representative in Switzerland. This applies to the following cases:
- If the data processing is related to the offer of goods and services or the monitoring of behavior of individuals in Switzerland.
- If the processing is extensive and regular.
- If the data processing involves a high risk for the data subject.
Criminal liability
With regard to criminal liability, it should be borne in mind that, from September 1, 2023, the breach of certain obligations will give rise to criminal liability, which – unlike in the GDPR – is borne not by the company, but rather the natural person responsible for it. The responsible persons may be members of the executive board, other persons with decision-making authority in the company or persons who have committed a breach of duty (e.g. breach of confidentiality). Under Swiss law, however, only deliberate commission is punishable.
The following offenses in particular are punishable by a fine of up to CHF 250,000:
- Breach of information obligations (e.g. no or only inadequate privacy policy)
- No contract with processor
- Breach of data security (breach of confidentiality, availability or integrity of data, TOMS)
- Disclosure of personal data to countries without an adequate level of data protection, without taking additional protective measures or without an exception being applicable (e.g. consent)
- Breach of obligations to provide information
- Breach of “extended professional secrecy”
How is this to be implemented?
It is advisable to appoint a person in your company, organization or club to take care of data protection. This is not a data protection adviser within the meaning of the law (see above), but rather a person in the company or association who acquires a basic knowledge of data protection law and is also the contact person in the company for related questions. The person can acquire the necessary basic knowledge from public sources or through further training and, if necessary, enlist external support.
Learn more:
The VISCHER data protection team summarized and published a guide on what needs to be done in an SME – or an association – in an article. It can be found here.