In autumn 2020, the Swiss federal parliament finally passed the long-awaited complete revision of the Federal Act on Data Protection. This year, the work of the federal administration will now focus on drafting the accompanying ordinances, so the new law will probably be able to be enacted in the second half of 2022. This will then become binding for the private sector and the federal administration, which means that personal data processing will need to be adapted to meet the new regulations. We begin this blog series with the most important new features and assessments of the revised Data Protection Act.
It is no secret that the existing Data Protection Act (DPA), which dates back to 1992, is outdated, so it is no surprise that it fails to take into account the changed (and also increased) requirements in areas such as social media, cloud computing and the Internet of Things (IoT). The new law is not only intended to cover these areas, but also to considerably strengthen the rights of those concerned by it. Here it follows a risk-based approach in order to identify privacy risks as early as possible. This should enable measures addressing data protection requirements to be taken as early as the planning or design stage.
In this respect, the revised DPA also incorporates the General Data Protection Regulation (GDPR), which has been in force since May 2018. This, of course, benefits those companies that have already had to take on board the requirements of the GDPR. What are the specific changes companies impacted by the revised DPA will have to face in the coming year?
The revised Data Protection Act means that the Federal Data Protection and Information Commissioner (EDÖB) will now be able to investigate data protection breaches on its own initiative. It will be able to issue orders to modify, restrict or completely refrain from data processing, and enforce them within the framework of the Administrative Procedure Act. Furthermore, the services of the EDÖB, such as advice on Data Protection Impact Assessments (DPIA), codes of conduct and general services like consultations for private individuals will now be subject to a fee. The level of the fees will be set in the ordinance.
From now on, the law only protects the personal data of natural persons and no longer applies to legal entities, as the current DPA does. This provision is in line with the GDPR. The list of personal data requiring special protection is also extended to include genetic data. In addition, biometric data is also considered to require special protection, to the extent that this data can be used to uniquely identify the persons concerned.
As mentioned above, the revised DPA uses a risk-based approach. This includes the requirement of a concept (Privacy by Design, Privacy by Default), which already takes into account the data protection requirements in the planning phase and addresses them through technical as well as organisational measures. However, this is nothing new. The existing DPA already required protection through the use of appropriate technical and organisational measures. Moreover, data protection-friendly basic settings (privacy by default) must be identified and implemented without users having to plough through pages and pages of general provisions first. This of course requires existing forms, consent procedures and applications to be adapted, using data protection-friendly techniques.
Also, companies can now voluntarily appoint a person who is responsible for data protection (Data Protection Officer, DPO), who acts both as the internal contact person for data protection issues, and also as an intermediary (or first point of contact) with the authorities and the EDÖB. It is worth mentioning that, unlike under the GDPR, DPOs are not compulsory for private companies. However, it is important for DPOs to be professionally independent. If they are, companies can have data protection impact assessments (where a high risk cannot be ruled out) reviewed not by the EDÖB, but by the internal or external person in charge of data protection.
While we are talking about data protection impact assessments: according to Article 22 of the revised DPA, private individuals, and not just federal bodies as was previously the case, must now carry out a DPIA if there is a high risk to the fundamental rights or privacy of data subjects. This must be performed before the intended data processing takes place. A high risk exists if, for example, personal data requiring special protection according to Article 5 of the revised DPA is subject to large-scale processing, or if the data processing results in profiling* that poses a high risk to the data subjects.
According to the EDÖB, a risk assessment must now also be carried out when personal data is transferred to the USA. This is a consequence of the ruling by the European Court of Justice in the "Max Schrems II" case, in which the Privacy Shield was declared invalid. We regard the above-mentioned "risk assessment" as a DPIA. You will soon find out more about this in this series of blogs.
If, after the DPIA, the risk is still high, the data protection officer must submit the kind of processing envisaged to the EDÖB to be assessed in advance, in accordance with Article 23. The exception, as explained above, is when an independent DPO is appointed. Ultimately, the DPIA must specifically address data processing and deal with the risks that arise from it. Otherwise, DPIAs that are too general may in the future be the subject of objections by the EDÖB.
There is a further exception to carrying out a DPIA. This applies if the processing, the data protection management system or the products (hardware & software) are certified in accordance with Article 13, or an industry-standard code of conduct has been implemented, which is based on a DPIA that has already been carried out.
The revised DPA relies on self-regulation by industry associations. The advantage here is that companies can agree on a standard, thereby benefiting from the documents and guidelines that have been developed without having to conduct their own DPIA for every processing operation. Companies will also be able to voluntarily submit their codes of conduct to the EDÖB for approval.
Additionally, in the future, data protection management systems, services and products will be able to be certified for compliance with data protection governance. It is still uncertain whether this also includes data protection-compliant data processing. Here, too, a DPIA can be waived if there is a recognised certification. Recognition and other provisions will be regulated at a later date in the ordinance.
For companies with over 250 employees, Article 12 of the revised DPA requires both the data protection officer and the data processor to maintain an up-to-date register of all data processing activities, but this does not have to be reported to the EDÖB. Registers that have already been created within the framework of GDPR compliance can be adopted with just a few adjustments, such as listing the export countries or data protection guarantees.
According to Article 16, personal data can still be disclosed abroad if the laws of the recipient country provide adequate protection. The countries where this protection is guaranteed are published as a list by the EDÖB. Even if the recipient country does not provide sufficient protection or is not listed, data may be transferred provided there are international treaties, data protection clauses or internal company data protection rules (binding corporate rules, BCRs) in place. These data protection clauses, BCRs and other safeguards must be notified to the EDÖB beforehand, and must be approved if they were not recognised under the GDPR.
Disclosure abroad also covers remote access, even when the server is located within Switzerland. This means that companies must also comply with Article 16 if they grant branches abroad access to personal data.
As we explained at the top of this article, the revised DPA strengthens data subjects' rights. For example, the right to information has been expanded, meaning that data subjects must be provided with the information specified in Article 25 (paragraph 2) upon request. This also includes current contact details, including the identity of the person or persons with responsibility for data processing in the company.
Furthermore, data protection officers must inform the data subject beforehand if there is any intention to collect personal data, even if the data is not collected by them. As a minimum, the information must include the purpose of the processing, the data's intended recipients and, most importantly, the safeguards to be implemented to ensure adequate data protection.
The new right to data portability gives every person the opportunity to request their personal data in a standard electronic format or to have it transferred to a third party. In principle, the release or transfer has to be free of charge, unless the data protection officer is able to show that it involves disproportionate expense.
Under the new DPA, breaches of data protection, where it can be assumed that there is a high risk to the privacy or fundamental rights of the data subjects, must be reported to the EDÖB as soon as possible. As well as this, data protection officers also need to provide an assessment of the risks and the consequences, and indicate whether and to what extent there is a need for the data subjects to be informed.
The revised DPA now foresees fines for private individuals of up to 250,000 Swiss Francs, with "only" intent and omission being punishable, according to Article 60, but not negligence. Upon complaint, the non-observance of data subjects' rights, the breach of due diligence obligations and the breach of reporting obligations can also be prosecuted. These sanctions are much less onerous than under the GDPR, where they are directed against legal persons and fines of up to 20 million euros or 4 % of global annual turnover can be imposed.
As you can see, there will be a lot for companies to deal with in the next two years. To get you prepared step by step, we will be posting more blogs about the revised DPA in the coming weeks, but like everywhere else, it is never too early to get to grips with the challenges. If you already have some questions or need support with the changeover or implementation, we are happy to help you.
By the way, you can already find further tips and information about the innovations and procedures for its introduction today in a previously posted blog.
* Profiling: any automated processing of personal data which consists of using such personal data to assess certain personal aspects relating to a natural person.