Total revision of the Data Protection Act finally passed
On the final straight, the revision came to a standstill once again, as the National Council and the Council of States did not quite agree on some details. In particular, there was disagreement on questions of high-risk profiling and the handling of data requiring special protection. These differences have now been resolved and the Data Protection Act was adopted by Parliament in the final vote on 25 September 2020.
As a result, the total revision is a moderate renewal and approximation to the GDPR, but less strict and comprehensive than originally envisaged.
At the moment, the referendum period is still running, but it is not expected that any interest group will take this step. The revised law is expected to come into force in 2021 or early 2022.
In contrast to the European GDPR, there will be no two-year transition period, which is why companies must address this issue relatively quickly. At this point in time, however, not all detailed questions have been clarified, as the Federal Council still has to adapt the ordinance accordingly. But the general direction of travel is clear.
Although the legislator has modelled the revision on European data protection law (GDPR), the DPA will not be quite as complex and strict. The main goal was to strengthen the protection and rights of data subjects. This was to be achieved primarily by improving transparency in the processing of data and with increased information obligations. In general, the new law strengthens the rights of the persons concerned, so that they have more control over their own data.
In future, companies that process personal data will therefore have to comply with stricter documentation requirements. Larger companies and companies that regularly process data will have to keep a register of their processing activities. Breaches of data security must be reported if they are likely to pose a high risk to the personality or fundamental rights of the person concerned. Data protection must also be sufficiently taken into account during the planning stage, and a data protection-friendly design will become mandatory. In the case of high risks, a data protection impact assessment must also be prepared.
Since these new requirements cannot be met overnight, companies should evaluate the current situation within the company as soon as possible and then define the target situation.
In principle, the new DPA does not provide for administrative fines. Therefore, a company does not have to fear fines in the millions as in the EU. However, the FDPIC will be given stronger control options. In future, it will be able to carry out comprehensive investigations and subsequently order an adjustment or cessation of data processing. A violation can also lead to criminal sanctions. Criminal proceedings are primarily directed against the management, and a violation can be punished with a fine of up to CHF 250,000.
Today, practically all companies process personal data in some form, and therefore every managing director should check how much their company will be affected by the new rules and what measures should be taken.
We are happy to support you in implementing the new requirements. We offer both individual consultations and package solutions (e.g. creation of all templates).
This article was written by RA Yves Gogniat.
If you have any questions or concerns about data protection, you can contact Balthasar Wicki directly.