Fines under the new data protection law - up to CHF 250,000 possible for natural persons

Can a web designer be liable to prosecution in the future for the websites they build? Is the office employee responsible for the data protection notice? Will the online store operator constantly be one step away from a fine?

We answer the most important questions about the penal provisions of the new data protection law, which comes into force on September 1, 2023. Criminal provisions already existed under the previous data protection law, but as of September 1, 2023 both the amount of the fines and the range of sanctioned breaches of duty will change. "Ignorance is no excuse": employees entrusted with data processing cannot exonerate themselves under criminal law by claiming not to have known the legal provisions. Art. 21 StGB does provide that an error of law excludes punishment if it was unavoidable and mitigates the penalty if it was avoidable. Mere ignorance of the law, however, is not an error of law in this sense, so the rule is: know the law. Below we explain what you should pay attention to in the future.

1. What is sanctioned, and how expensive does it get?

Breaches of the duties to inform, disclose and cooperate (Art. 60 revDSG) and breaches of the duties of care (Art. 61 revDSG) can be punished with a fine of up to CHF 250,000. Only intentional conduct is covered, not negligence. Intent (Art. 12 StGB in conjunction with Art. 104 and Art. 333 para. 1 StGB) means committing the act with knowledge and will. Anyone who considers the realisation of the offence possible and accepts it also acts intentionally (so-called conditional intent, dolus eventualis).

Examples:

  • Intentionally false or incomplete information about the collection and processing of personal data in the privacy notice

  • Intentionally false or incomplete information about processing in the case of automated individual case decisions

  • Intentional failure to provide information about processing in the case of automated individual case decisions

  • Intentional omission of information about the collection and processing of personal data in the privacy notice

  • Intentionally providing false or incomplete information in response to an access request, e.g. giving incorrect information, or giving incomplete information while creating the impression that it is complete

  • Disclosure of personal data abroad without an adequate level of protection and without the data subjects' consent

  • Outsourcing of personal data processing to a processor without the required data processing agreement

Two statutory limitations work in favour of those responsible. First, only intentional acts are punishable; negligent acts are not. Second, prosecution takes place only on complaint, i.e. if a data subject has filed a criminal complaint.

The biggest risks are:

  • Incorrect or inaccurate responses to access requests - Example: A data subject requests access to their data, but the response is deliberately falsified because one does not want to reveal where the personal data was (inadmissibly) stored;

  • Violation of the duty to inform - Example: The manager decides that no privacy notice is needed because they do not want to publish the contact details of the person responsible;

  • Transfer abroad without consent - Example: Transferring data abroad or using a foreign SaaS or cloud service, in particular in the USA or China, since those countries currently (as of 03/2023) do not offer an adequate level of data protection

2. Who is liable: the manager or every employee?

The fine is imposed on the natural person, i.e. the individual. Unlike under the GDPR, it is the natural person who is liable, not the company. There is one exception: if a fine of no more than CHF 50,000 comes into consideration and identifying the responsible person would require a disproportionate investigative effort, the company can be fined instead (Art. 64 revDSG).

My assessment: Corporate liability could be applied more often than the wording of the exception suggests, especially in larger organisational units and companies. For the competent cantonal public prosecutor's office it is considerably more economical, procedurally, to fine the company than to conduct numerous interviews in order to determine who the responsible person is and whether he or she acted with intent.

According to the Federal Council's dispatch on the revDSG (BBl 2017, 7100), it is the management that the fine provisions are aimed at and that is meant to be liable:

"Insofar as data is processed by a company, the obligations derived from the DPA are generally incumbent on its management person."

I, however, share the view of fellow attorneys that the employees in a company who actually carry out the data processing are the ones exposed to liability:

"Although the dispatch [...] tries to allay the concern that the penalties can affect any employee, the punishability will probably primarily not affect the management, but those who in an executive position factually decide what is concretely done." (Rosenthal/Gubler, SZW/RSDA 1/2021)

In my opinion, managers should be criminally liable only where they gave specific instructions or where a culpable omission can be attributed to them. Ultimately, it is the employee who processes the data who is responsible for answering an access request correctly or for not transferring data abroad without consent. Web designers, office employees and online store operators are therefore exposed to the risk of criminal liability.

3. Must every employee now expect criminal proceedings and a heavy fine?

My assessment: Even under the new data protection law, things are rarely as bad as they first appear. Experience since the introduction of the GDPR shows that the maximum fines are imposed only for truly significant and blatant data protection violations; in some cases the fines imposed by data protection authorities have been substantially reduced by the courts. A comparison with GDPR fines shows that breaches of the duty to inform or missing notices (e.g. on video surveillance in a restaurant) were punished with only a few hundred or a few thousand euros (see the presentation at the Winter Congress 2023: What costs how much? Are fines only placebo or effective?).

It must also be taken into account that the cantons are responsible for prosecution and that there is no uniform sentencing practice. It will probably take several years before the first rulings of the Federal Supreme Court provide guidance on the assessment of fines.

Nevertheless, convictions for data protection violations are likely to increase in the coming years, even though other criminal offences will naturally remain the main focus of public prosecutors.

Our TOP 5 tips:

  • Issue internal data protection rules; these define clear responsibilities within the company and protect employees and management alike.

  • Raise awareness among employees and train them.

  • Create notices and documentation; free samples and templates, e.g. from www.datenschutzmuster.ch, are better than no documentation at all.

  • When developing new processes and introducing technical innovations, check and document whether personal data is processed and how data protection is ensured.

  • Seek legal advice in proceedings before the FDPIC or in criminal proceedings: experience with the GDPR shows that cooperation with the authority and early legal advice work in the accused's favour when a fine is assessed.


If you have any questions on this topic, please contact Sven Kohlmeier.