Data protection law revision | Part 1: Overview of changes

In less than a year, on September 1, 2023, the new Swiss data protection law (revDSG) will come into force. The revision is not only intended to remedy the weaknesses of the current data protection law that have arisen due to rapid technological development. It is also intended to reflect developments at the European level, as it is essential for the Swiss economy and its data transfers that Swiss data protection law has an appropriate level of protection. Finally, the law aims to strengthen the transparency of data processing and the rights of data subjects to better control what happens to their data.

We recommend that companies and processors of personal data prepare themselves for the new legal situation. They should check whether processes need to be adapted and which new obligations need to be fulfilled by those responsible for data processing. As a rule, those who already took action when the European General Data Protection Regulation (GDPR) was implemented and who follow its standard are well prepared.

We want to give you an overview of the innovations of the revDSG and any necessary adjustments in your company. However, experience with the GDPR in other European countries also shows that, although the GDPR has been in force since 2018, implementation in many companies is slow. SMEs, associations or sole proprietorships in particular often have neither the resources nor the time to create directories of processing activities or data protection impact assessments, and instead focus on their actual main business. As reassurance: although data protection authorities in European countries are increasingly imposing fines, the spectre of excessive fines and bankruptcies has not been confirmed.

The following shows which innovations are contained in the revDSG.

Personal data protection

The scope of protection of the revDSG now exclusively covers the protection of personal data of natural persons. Data of legal entities (e.g. companies, associations or foundations) are no longer covered; these can invoke the protection of personality under Art. 28 of the Swiss Civil Code, the protection of trade and manufacturing secrets under Art. 162 of the Swiss Penal Code, as well as the provisions on unfair competition (UWG) or the Cartel Act (KG). In the future, genetic and biometric data will also be considered particularly worthy of protection.

FDPIC

The position of the Federal Data Protection Commissioner (FDPIC) will be strengthened. Based on the experiences in other European countries, he will also become more involved in political debates and recommendations to strengthen data protection in the future.

Transparency and strengthening of data subjects' rights

The voluntary consent of data subjects to data processing is more important than before, especially in the case of personal data requiring special protection or profiling. In addition to the right to information and correction, data subjects have the opportunity to object to automated individual decisions under certain circumstances, for example, in the case of online credit checks.

Privacy-friendly setting and risk analysis

A new requirement is that data processing must be technically and organizationally designed in such a way that the data protection regulations are complied with. In addition, default settings must ensure that the processing of personal data is limited to the specified purpose unless the data subject specifies otherwise. Also new for companies is the preparation of data protection impact assessments. In particular, the use of new technologies may result in a high risk for the personal data concerned, which is why a prior risk analysis must be carried out. Under certain circumstances, the FDPIC must be consulted for an opinion if there is a high risk to the personality or fundamental rights of the data subjects.

Directory of processing activities

Data processors and commissioned processors must maintain a directory of all data processing activities. The directory must contain at least the information required by law (e.g., retention period of personal data) and serves as proof of compliance with the revDSG. It is a building block of comprehensive data protection documentation (in addition to consents, data protection impact assessment, etc.). There are exceptions for companies with fewer than 250 employees if their data processing involves a low risk of personal data being breached.

Codes of conduct of associations

Professional, industry and business associations may adopt data protection codes of conduct coordinated with the FDPIC that regulate data protection-compliant behavior. Members of the associations who comply with these codes may be exempt from preparing their own data protection impact assessments.

Obligation to report data protection breaches

If personal data are affected in an incident (hacker attack, theft of data), a notification to the FDPIC is required. Under certain circumstances, the persons affected must also be informed.

Data processing and foreign countries

Data processors who process personal data in Switzerland require representation in Switzerland. When personal data is transferred from Switzerland to a foreign country, an adequate level of data protection must exist in the recipient country (adequacy decision), unless an exceptional circumstance exists (e.g. consent).

Fines

The sanctions for violations of the revDSG have been revised. Although the maximum fine of CHF 250,000.00 is significantly lower than the maximum fine of the GDPR (up to EUR 20 million or 4% of the annual turnover), the list of punishable conduct has been adapted to the extended obligations of the revDSG. The fine is not imposed on the company, but affects the data controller. In the case of individual misconduct by employees, a fine may also be imposed on them. If the data controller is a legal entity, the offense is attributed to the representative of the business body pursuant to Art. 29 SCC. In the case of fines of up to CHF 50,000.00, the business entity (Art. 7 VStrR) may also be fined if the investigation costs are disproportionate with regard to the person responsible for the criminal offense.

 

More information and download of data protection samples: www.datenschutzmuster.ch


Do you have questions about data protection and IT law? We can provide you with comprehensive and practical advice on implementing the new data protection requirements. Please feel free to contact Sven Kohlmeier.