The new Swiss Data Protection Act has been in force since 1 September 2023, without a transition period. Here are the most important takeaways once again.
Alignment with the GDPR
With the new Data Protection Act, data protection has been adapted to technological developments, self-determination over personal data has been strengthened and transparency in the procurement of personal data has been increased. In doing so, the legislator also ensures compatibility with the EU General Data Protection Regulation (GDPR). These adjustments were essential to ensure that Switzerland continues to be considered a third country with an adequate level of data protection in the eyes of the EU.
Accordingly, in the course of the revision, numerous terms (such as “controller” or “profiling”) and obligations (e.g. the data protection impact assessment in Art. 22 DPA or the obligation to keep a register of processing activities in Art. 12 DPA) were adopted from the GDPR, but with some Swiss specifics and adaptations. You can find out here which deviations there are from the GDPR and which adjustments need to be made in the sense of a “Swiss Finish” (webinar by Nicole Beranek Zanon).
Extended data subject rights
With the total revision of the DPA, the rights of data subjects have also been strengthened. Data subjects now have more control over their data and can ensure that companies handle acquired data in a transparent and responsible manner.
The right to information pursuant to Art. 25 FADP contains a list of minimum information that must be provided to the data subject in the event of a request for information. In principle, the information must be provided within 30 days and free of charge. Only in the case of a disproportionately high expense may the person requesting information be required to share the costs in accordance with Art. 19 Para. 1 FADP.
Pursuant to Art. 28 Para. 1 FADP, all data subjects also have the right to request the surrender of personal data in a standard electronic format. However, handing over the data does not mean that the data controller may no longer process the data. The data subject must assert a claim for deletion of the data separately.
The right to rectification pursuant to Art. 32 para. 1 FADP grants data subjects the right to request the rectification of inaccurate personal data. If neither the inaccuracy nor the accuracy of the processed data is proven, the data subject may request that a note of denial be affixed pursuant to Art. 32 para. 3 FADP.
There is no standardised right to deletion in the FADP. Instead, general civil law is used and action can only be taken against (allegedly) unlawful personal data processing on the basis of personal rights.
Finally, data subjects have the right to object to the processing of personal data. If personal data is nevertheless processed, this constitutes a violation of privacy. However, according to Art. 30 para. 2 lit. b FADP, an “explicit declaration of intent” by the data subject is required.
More information on the rights of data subjects in the new Data Protection Act can be found here (article on rights of data subjects under the new Data Protection Act).
The appointment of a representative
If a private data controller processes data of persons who reside in Switzerland, it must be examined according to Art. 14 f. FADP whether a representative must be appointed. A representative is required if all the conditions listed in Art. 14 lit. a-d FADP are met. The data processing must be carried out in connection with the offer of goods or services or in the context of behavioural monitoring. In addition, the data processing must be extensive and regular and involve an increased risk to the personality of the persons concerned.
You can find further information on the requirements and obligations relating to representation here (article on representation pursuant to Art. 14 nDSG).
Sanctions at C-Level
With the new Data Protection Act, fines of up to CHF 250,000.00 can be imposed for violations pursuant to Art. 60-66 FADP.
Art. 60-63 nDSG deal primarily with penal provisions for violations of information and disclosure obligations. Anyone who violates his or her professional duty of confidentiality and intentionally discloses secret personal data will also be punished. The new data protection law also punishes non-compliance with orders of the FDPIC with a fine of up to CHF 250,000.00 if the fine was explicitly threatened in the order.
Although criminal liability for negligent violations of the FADP is not provided for, a deliberate violation can be assumed as soon as the violation has been accepted. The basis for calculating the amount of the fine is Art. 106 para. 3 SCC, according to which fault and economic capacity are taken into account. Companies that strive for data protection compliance thus face lower fines.
As was already the case under the previous DPA, but in contrast to the GDPR, the natural person responsible for the violation within the company is liable. However, the message on the new DPA clarifies that the focus is not on the person responsible for action, but on the person responsible for the organisation.
Further information on the sanctions in the new Data Protection Act can be found here (article on the penalty provisions of the nDSG).