The new Swiss Data Protection Act (nFADP) has finally been completed. Following the resolution of the last differences on “profiling” on Wednesday, the Swiss Federal Parliament passed on Friday, September 25, 2020, the new law. It is expected to come into force on September 1, 2023. As a next step, the supporting ordinances will now be drawn up and submitted for public consultation. How fast things now progress will of course also depend on the EU: Switzerland is still waiting for the renewal of the European Commission’s adequacy decision, which allows unhindered data transfers to Switzerland. The EU could put pressure on Switzerland to speed up putting the revised DPA into effect.
More governance: records of data processing activities, DPIA, reporting obligation
Much like in the case of the GDPR, the main changes in the new DPA are new governance obligations, such as the requirement to maintain records of data processing activities, the obligation to report data losses and other data security breaches to the Federal Data Protection and Information Commissioner (FDPIC) and the obligation to carry out data protection impact assessments (“DPIA”) for sensitive data processing. All three requirements are comparable to the corresponding provisions under the GDPR, and will result in an additional workload for companies that have not already undergone the process for the purposes of the GDPR. Those who have can adopt the existing data processing inventories more or less directly and have their data breach notification procedures amended to also comply with Swiss law (the DPA provides for slightly different thresholds as to when a notification becomes necessary, but essentially works along the same lines as the notification obligation under the GDPR). Swiss lawmakers have also “copied” the concept of a DPIA, which so far has not formally existed under Swiss law although it is already well known under Swiss data protection law as “good practice” in the case of sensitive data processing activity.
Basic principles unchanged
Although the DPA has been totally revised, the private sector will in general not have to change the way it processes personal data. The basic principles of data processing remain unchanged in the new DPA, with one exception: personal data of legal entities are no longer protected, even though certain general protections continue to apply. The Swiss concept, according to which data processing in the private sector is in principle permissible and justification (or “legal grounds”) is only required in certain situations, remains unchanged.
Thus, the DPA continues to deviate from the EU General Data Protection Regulation (GDPR): There, the processing of personal data is generally prohibited unless there is a legal ground such as consent, the performance of a contract, a sufficient legitimate interest or a legal provision in the law.
Consents: Less restrictive than under the GDPR
Switzerland also does not go as far as the GDPR in terms of the requirements for valid consent; essentially nothing changes here compared to the current legal situation in Switzerland, with the exception of a minor change with respect to profiling (see below). There is no need to inform on the possibility of withdrawal, and multiple consent declarations can be combined.
The grounds on which data processing activities can be justified remain more or less the same as in the current DPA, and go beyond what is provided for in the GDPR. What has been worded slightly more restrictively is the justification for non-personal processing purposes (e.g., statistical uses) and the justification upon which credit agencies have been relying; they now have to delete data that is older than ten years in the event that a data subject so requests.
The principle of “Privacy by Design” is now also explicitly included in the law, but strictly speaking, it has always existed – even under the current DPA. Indeed, the only provision that is new is the Swiss version of “Privacy by Default”, which is relevant only in cases where a provider of an (online) service provides data protection settings as part of such service, which must be set by default so as to limit data processing to the intended minimum.
No duty to appoint a data protection officer
Whereas the new DPA provides that companies can appoint what is referred to as a “data protection advisor” (which, in essence, is a data protection officer), there is – unlike under the GDPR – no obligation to do so. Yet, most midsized and larger companies will not be able to implement data protection properly unless they have appointed a responsible person to deal with data protection. Furthermore, foreign companies with significant activities in Switzerland will have to appoint a Swiss representative, but we expect only a few companies will be subject to this requirement. Thus, the obligation goes much less far than the corresponding provision in article 27 of the GDPR.
Right to information is restricted
The rights of the data subjects are somewhat extended, but at the same time also defined a bit more clearly. While it will be easier for data subjects to request their own data from a company, the new DPA also offers new arguments for rejecting abusive access requests. For example, only personal data “as such” may be requested and “exclusively” what it is necessary to assert data protection rights. The “right to be forgotten” known from the GDPR existed under the DPA all along and will remain. It is still not absolute, but provides for a balancing of interests. Likewise, the principle that data may only be processed as far and as long as necessary continues to apply. Entirely new to the DPA, however, is the right to data portability, which Swiss lawmakers copied from the GDPR: It actually does not have much to do with data protection, but enables consumers to obtain their data stored with online or other services providers in order to transfer such data to competitors. Also completely new is the right to demand that a person reconsiders important decisions that were made exclusively on an automated basis and which by their nature allow for interpretation. The provision is comparable to the GDPR provision on automated individual decisions, but the DPA only requires a controller to inform about such decisions and allow the data subject to request human intervention.
Data processing agreements
The requirements for contracts with data processors, i.e. companies to whom controllers delegate their own processing of personal data, such as cloud service providers, have been tightened up somewhat; namely, the use of subcontractors must now be approved by the controller. Yet, the new provisions still fall short of those of the GDPR. Since the requirements under article 28 GDPR are nowadays considered standard in the industry, we do not expect any problems for controllers to ensure compliance with the new rules under the DPA. The clauses agreed with processors will usually only have to be adapted to refer not only to the GDPR but also to the DPA.
The obligation to provide information has been expanded under the new DPA. This means that companies must have a data protection declaration in which they provide certain mandatory information regarding the personal data they collect. This type of information is usually provided on the companies’ websites and by means of links included in their forms and contract terms & conditions. Conceptually, the information obligation under the new DPA is very similar to the information obligation under the GDPR, but does not require as much mandatory content as the GDPR. The only exception is the obligation of a controller to indicate the countries to which personal data is exported and the legal provisions on which the company relies on doing so. However, in our view, it is not necessary to list each and every country; terms such as “Europe” or “worldwide” should work, too. If a company has appointed a data protection advisor or a representative, information on this must also be provided. As a consequence, certain adjustments to the existing data protection statements are therefore necessary, but we do not expect this to create any big issues.
Transfer abroad: It will be easier
The revised DPA governs cross-border transfers of personal data slightly differently than in the past, but the practical consequences are very limited. It is now up to the Federal Council to bindingly determine the countries that are considered to have an adequate level of data protection and to which data can be exported without special precautions. So far, it has been the FDPIC that maintained a list of countries with his assessment on the topic, but this list was not binding (this is also the reason why the effects of the ECJ decision “Schrems II” in Switzerland were much more limited than in the EEA). The EU standard contractual clauses for data exports can still be used; the obligation to notify the FDPIC has been removed from the new DPA. The disclosure of personal data to foreign authorities will also become easier; previously this was often only possible in the context of judicial proceedings.
More fines are possible, but still the exception
The enforcement of the DPA will also change under the new law. In the past, the FDPIC was only able to issue “recommendations” to data controllers and processors who in his opinion did not comply with the DPA. If they did not comply with his recommendation, he could sue them. In the future, he will directly issue orders against controllers and processors. For example, he will be able to order that a particular data processing activity be stopped. That said, these new powers will also result in the FDPIC’s procedures becoming more complicated and requiring more resources than those under the current DPA. It remains to be seen whether the new concept will lead to more enforcement, or result in actually fewer cases given the FDPIC’s constant understaffing. The FDPIC will still be unable to impose fines.
The right to impose fines lies with the Cantonal law enforcement authorities (which are not specialized in data protection), and the catalogue of fines been significantly expanded. In the past, fines were possible for the violation of the duty to inform, the duty to comply with the data subject access right and the duty to cooperate with the FDPIC. Now, violations of the provisions on data exports, the provisions on commissioning processors and certain violations of data security measures can also be fined. The fines are primarily to be paid by the decision-makers but only if they acted intentionally. They can be found liable up to the amount of CHF 250’000. (€ 230’000) Although these amounts pale in comparison with the amounts under the GDPR, they will likely be even more effective given that they are of personal nature and cannot be insured. We assume that fines for data protection violations will continue to be the exception in Switzerland. Furthermore, violations of the fundamental principles of the DPA continue to be exempt from punishment – an important difference to the GDPR. In addition, the revised DPA introduces general professional secrecy for all professions (with fines of up to CHF 250’000) and a new provision against identity theft.
No consent necessary for profiling
The main bone of contention of the deliberations on the new DPA was “profiling”, which has the same meaning under the DPA as under the GDPR. Noteworthy, as under the GDPR, the legal significance of “profiling” as such is very limited. Profiling is, in essence, the automated formation of an opinion on certain aspects of an individual. Although profiling is a defined term in the new DPA, there are hardly any provisions of the DPA that refer to it, at least with regard to the private sector. Unlike what has generally been reported, the new DPA does not provide that profiling requires consent. What the new DPA does say is that if consent is required in a particular case, such consent has to be of an express nature in the case of profiling with a “high risk”. Profiling is considered high risk if it results in a more detailed profile of an individual. This is already in line with the current legal situation under the existing DPA. In other words: Almost nothing actually changes under the new DPA. Although profiling as such does not require consent, it is – of course – already possible that a data processing operation goes so far that justification is required. Consent is one possible form of justification, but the controller may also be able to rely on an overriding private interest depending on the circumstances.
Need for action
What needs to be done now? Most companies should have enough time to implement the most important provisions of the revised DPA. First, they should review their data protection statements in light of the new requirements and adapt them or, if necessary, create new ones if they have none in place. The most time-consuming part of the process is usually the internal review of data protection activities to ensure that all cases in which the company procures personal data are covered. Once a company has obtained this information, it can create or update the data protection statement and establish an inventory of data processing activities. If such statements and inventories have already been created for the purposes of the GDPR, they can to a large extent be re-used for the DPA.
Create records of processing activities 70% faster with the GDPR Register! Try 14 days for free!
In a further step, controller-processor relationships need to be identified and related contracts checked and adapted as per the new, stricter rules of engagement. If this work has already been done for the GDPR, again, not many changes will be necessary; what is usually necessary is to expand the references to the GDPR to also include the DPA. In a similar manner, controllers and processors should identify international data transfers and verify whether they fulfil the DPA’s requirements, given that non-compliance can be fined going forward. If the DPA’s current requirements are fulfilled, most likely no changes are necessary.
Companies should also implement a process for data protection impact assessments and, if necessary, appoint a data protection officer, even if not required by law. A process for identifying, analyzing, reporting and handling data security breaches (which term includes unintentional data losses and misdirected e-mails) should also be introduced. Every company should also have a process – if not already in place – for responding to requests from affected individuals e.g., those requesting access to their personal data. When referring to “processes”, we mean that a company should at least appoint an individual to be responsible for handling the relevant topic who knows what to do in each case or where to get the relevant information on what should be done.
Finally, automated individual decisions should be identified and, if relevant, data subjects should be informed and given the opportunity to ask for human intervention. Furthermore, the processing of genetic and biometric data as well as data for non-personal purposes and creditworthiness should be identified, checked and adapted to the new requirements. Of course, existing training should also be adapted to correspond with the requirements under the revised DPA and it may make sense to verify the implementation of the new requirements by way of conducting audits.
The nFADP’s 12 key requirements:
Swiss SMEs must implement the following 12 measures to comply with the nFADP:
- Check and modify data protection statements (website, contracts, advertising content, etc.)
- Draft (or modify) corporate data handling guidelines
- Establish a data processing register (except for companies with less than 250 employees and if there is no significant privacy risk)
- Establish procedures for responding promptly to data subjects’ requests (e.g., for information or deletion of data)
- Implement a data breach reporting procedure
- Establish a process for impact assessments that are required when data processing is high risk (e.g., in the case of systematic monitoring of the broader public domain)
- Analyze contracts with subcontractors, to check whether data security is provided and add clauses in this regard (including data breach notification)
- Provide for the data to be deleted or rendered anonymous (and immediately after they are no longer necessary for the original purpose for which they were processed)
- Review the countries where data is transmitted, including for simple cloud backup (these countries must be on a Federal Council list. If not, more stringent requirements apply)
- Ensure data security through appropriate technical and organizational measures
- Ensure the data is provided in electronic format (in the case of automated data processing and, in particular, the conclusion or implementation of a contract)
- Designate a data protection advisor and publish his or her contact details ( it is recommended that this person be notified to the Federal Data Protection and Information Commissioner (FDPIC)).