Revised Data Protection Act Approved
October, 2020 - Jürg Schneider, Noémi Ziegler
On 25 September 2020 Parliament approved the final draft of the revised Data Protection Act (rev-DPA).(1) The rev-DPA is expected to enter into force in 2022. However, it is subject to a facultative referendum and the corresponding ordinance will be adapted accordingly – thus, the rev-DPA is still a work in progress.
The revision aims to modernise Switzerland's data protection landscape in line with the more sophisticated EU legislation, particularly the EU General Data Protection Regulation, which entered into force in 2018.
Accordingly, the rev-DPA comes with stricter constraints and requirements than those that apply under the current DPA. The new powers of the Federal Data Protection and Information Commissioner (FDPIC) (Article 49 et seq of the rev-DPA) and the potential criminal fines of up to Sfr250,000 imposed on the individuals responsible for certain types of infringement (Article 60 et seq of the rev-DPA) strengthen its enforcement by increasing exposure for controllers and processors that are subject to the rev-DPA.
In this respect, foreign controllers and processors should assess whether they are subject to the rev-DPA pursuant to Article 3 thereof, which governs the territorial scope of application of the rev-DPA following the effects doctrine. Thus, all data processing activities that have an effect on Switzerland are subject to the rev-DPA, regardless of where the respective processing is taking place.
The rev-DPA will increase companies' duties. In particular, new obligations will be imposed in relation to transparency and documentation matters, as well as specific risk-related processing activities. In particular, the following new requirements are likely to have an impact on most companies:
- creating and maintaining an inventory of processing activities, unless the small and medium-sized enterprise exception applies (Article 12 of the rev-DPA);
- drafting or updating privacy notices for data subjects (eg, customers, business partners, applicants and employees) to meet the new duty of information when collecting personal data (Article 19 et seq of the rev-DPA);
- reviewing contracts with processors, joint controllers and third parties, considering special requirements for international data transfers (eg, Articles 9 and 16 et seq of the rev-DPA);
- carrying out a data protection impact assessment where processing is likely to result in a high risk to the rights and freedoms of the data subject, potentially including all "profiling carrying a high risk" (Article 22 of the rev-DPA);
- applying the principles of 'data protection by design' and 'data protection by default' (Article 7 of the rev-DPA);
- establishing codes of conduct and policies providing for respective procedures in the event of data breaches and notifications of data security breaches (Article 24 of the rev-DPA) and the execution of data subjects' rights (Article 25 et seq of the rev-DPA); and
- for private controllers with domicile or residence outside of Switzerland: under certain circumstances, appointing a representative in Switzerland where personal data of individuals in Switzerland is processed. The representative's name must be communicated to the FDPIC (Article 14 rev-DPA).
Businesses are encouraged to use the time until the rev-DPA's entry into force to assess its impact on their activities and start implementing or elaborating processes that will comply with the revised act and stay up to date with ongoing developments.(2)
For further information on this topic please contact Jürg Schneider or Noémi Ziegler at Walder Wyss by telephone (+41 58 658 58 58) or email ([email protected] or [email protected]). The Walder Wyss website can be accessed at www.walderwyss.com.
Footnotes: (1) The rev-DPA is available in German, French and Italian. An unofficial English translation may be found here. Moreover, an updated comparison chart in German of the current DPA, the Federal Council's draft rev-DPA and the final version of the rev-DPA can be found here. |