Posts tagged with data protection
Discussion of the ruling: Right to information under the DPA for the purpose of clarifying one's own litigation prospects - extension to employment law matters?

In ruling BGer 4A_277/2020, the Federal Supreme Court ruled that the assertion of the right to information under Art. 8 DPA for the purpose of clarifying the prospects of litigation is an abuse of rights and must therefore be rejected. The question arises as to how this decision will affect areas other than corporate law, namely employment law disputes.

Data protection law review | Part 3: Cyber attack - the right response counts

Cyber attacks on corporate and administrative data are regrettably part of everyday life in the age of digitalization. Often, the public and the people affected either do not learn about such incidents at all or learn about them very late, partly because the organizations concerned fear damage to their reputation. However, it is essential to respond appropriately to such cyber attacks.

Total revision of the Data Protection Act finally passed

In the final straight, the total revision of the Data Protection Act came to a standstill once again, as the National Council and the Council of States did not quite agree on some details. Today, the parliament finally got the draft law over the finish line.

As a result, the total revision is a moderate renewal and approximation to the GDPR, but less strict and comprehensive than originally envisaged.

Data Protection and Security in M&A

After almost two years of the GDPR, the fines from the regulators are starting to pile up. Buying or merging with a company that lacks proper cybersecurity, or one that is not in compliance with the GDPR, becomes a considerable risk. For instance, Marriott was fined £99 million by the Information Commissioner's Office (ICO), the UK regulator, after hackers stole the guest records of Starwood Hotels & Resorts Worldwide, which it had acquired. A study by Merrill Corporation has shown that over half (55%) of practitioners surveyed across EMEA said they had worked on M&A transactions that had not progressed because of concerns around a target company's data protection and compliance with GDPR. Therefore, non-compliance with GDPR can become a serious issue for the seller.

Data protection for connected devices

In a recent article in Data Protection for Practitioners, Yves Gogniat looks at IoT, wearables, smart devices and other connected devices. Under the title "Can I collect personal data through connected devices without consent?", he explores to what extent the consent of the data subject is necessary for the use of connected devices and how to deal with connected devices that do not have their own interface.

The article is available here.

Update on the total revision of the Data Protection Act

The National Council's State Policy Committee (SPK-NR) has concluded its deliberations on the bill for the total revision of the Data Protection Act (17.059). However, the bill was only narrowly adopted, by the casting vote of the president, after nine votes to nine with seven abstentions. This shows that there is still no agreement among the various interest groups and that the revision of the law will therefore take longer than originally planned. In addition, the Committee decided that the new law should only come into force after a transitional period of two years. This would mean that we will probably not have a new data protection law until around 2022/2023.

The ECJ has ruled on the legality of Facebook's "Like" button

Fashion ID operates the website of the Düsseldorf fashion house Peek & Cloppenburg and had integrated Facebook's "Like" button on the website. The Consumer Advice Centre NRW considered this to be a breach of data protection, as the integration automatically resulted in the transfer of data to Facebook. In the opinion of the consumer advice centre, the necessary consent for the transfer of data to Facebook was therefore lacking. The case is still being decided under the old data protection law, but since the term "controller" is very similar in both laws, the ruling will also be relevant under the GDPR.

The ECJ has ruled that Facebook's "Like" button was not implemented in a data protection-compliant manner and that the website operator bears joint responsibility for such plugins.

GDPR fine for a Dutch hospital due to insufficient TOMs

A Dutch hospital was fined because several unauthorised hospital employees accessed the electronic patient file of a prominent person (brief information in English as well as original report in Dutch).

Such incidents are unfortunately not isolated cases. In Switzerland, for example, the attempted sale of Michael Schumacher's patient file caused a stir, and in Germany, the Tugce case revealed that despite internal guidelines, an above-average number of hospital staff read Ms Tugce's patient file.

When does the General Data Protection Regulation apply to companies outside the EU?

Until now, EU data protection law only applied to companies that had an establishment in the EU. The General Data Protection Regulation (GDPR) now deviates from this principle, which means that the new law potentially affects not only companies in the EU. The scope of the law also covers companies outside the EU under certain conditions. In particular, Swiss companies that are often active in the EU could be affected by the GDPR.

This cross-border applicability has led to uncertainty for many companies outside the EU.
