September 16 2022

New Swiss Data Protection Ordinance: key aspects

Walder Wyss Ltd | Tech, Data, Telecoms & Media - Switzerland

Jürg Schneider, Hannes Meyle

Key aspects of nDPA
Key aspects of DPO
Comment


On 31 August 2022, the Swiss Federal Council adopted the new Data Protection Ordinance (DPO) and the new Ordinance on Data Protection Certifications. These provisions will enter into force on 1 September 2023, together with the new Data Protection Act (nDPA).

This article discusses the key aspects of the nDPA and the DPO for private persons and companies.

Key aspects of nDPA

The nDPA introduces several additional data protection obligations (for further details please see "Revised Data Protection Act approved"). Principally, controllers must:

  • provide privacy notices when collecting personal data (article 19 et seq of the nDPA);
  • carry out data protection impact assessments where processing is likely to result in a high risk to the rights and freedoms of the data subject (article 22 of the nDPA);
  • enter into and review contracts with processors and third parties, especially those involving international data transfers (eg, articles 9 and 16 et seq of the nDPA);
  • comply with the principles of "privacy by design" and "privacy by default" (article 7 of the nDPA);
  • notify data security breaches (article 24 of the nDPA); and
  • ensure data subjects rights, including the new right of data portability (article 28 et seq of the nDPA).

Except for small and medium enterprises, companies are required to maintain an inventory of processing activities (article 12 of the nDPA). Under certain circumstances, controllers outside Switzerland need to appoint a representative in Switzerland where personal data of individuals in Switzerland is processed (article 14 of the nDPA). Some of these provisions are subject to personal criminal liability, such as in the following cases:

  • Private persons are liable to a fine of up to 250,000 Swiss francs if they wilfully breach their obligations to provide information to data subjects (either in privacy notices or in the context of data subjects' right to information) or to the Federal Data Protection and Information Commissioner (FDPIC) in an investigation (article 60 of the nDPA).
  • Private persons are liable to a fine of up to 250,000 Swiss francs if they wilfully violate the conditions for transferring personal data abroad or fail to comply with the conditions for data processing or with the minimum data security requirements (article 61 of the nDPA).

Key aspects of DPO

The key aspects of the DPO for private persons and companies are the following:

  • Articles 1-6 of the DPO contain provisions on data security and accountability. The DPO confirms the risk-based approach and specifies the goals of any technical and organisational measures (ie, confidentiality, availability, integrity and traceability). It is noteworthy that the Federal Council classifies the provisions on accountability and documentation obligations (articles 4-6 of the DPO) as data security measures. This means that wilful violations of these provisions are principally subject to criminal liability (article 61 of the nDPA).
  • Articles 8-12 of the DPO address cross-border data transfers. The DPO and the accompanying explanatory report do not explicitly endorse the risk-based approach that the FDPIC recently questioned (for further details please see "FDPIC questions risk-based approach for transborder data transfers"). However, the legislative materials indicate that the appropriateness of the required measures depends on the circumstances of the individual case. This can only be understood as a reference to the risk-based approach and helps to dispel the doubts raised by the FDPIC.
  • The annex to the DPO lists the countries with adequate data protection. This list will replace the current list published by the FDPIC.
  • With regard to information obligations, article 13 of the DPO requires that data subjects be informed in a form that is precise, transparent, comprehensible and easily accessible.
  • Article 14 of the DPO specifies that data protection impact assessments have to be stored for at least two years after the end of the data processing.
  • Article 15 of the DPO stipulates which information must be provided to the FDPIC and data subjects in case of a data breach. These obligations are similar, but not identical to the notification obligations under the General Data Protection Regulation (GDPR). In contrast to article 33 of the EU GDPR (which provides for a time limit of 72 hours), the nDPA and the DPO do not contain a specific time limit but oblige the controller to act as soon as possible.
  • Articles 16-19 of the DPO specify details regarding data subjects' right to request information. In principle, information requests must be answered within 30 days and at no cost for the data subject. Only in exceptional cases, the controller may charge the data subject up to 300 Swiss francs.
  • Articles 20-22 of the DPO provide details on the newly introduced right to data portability. It remains to be seen how relevant this right will be in practice.
  • Article 24 of the DPO stipulates that private law organisations that employ less than 250 employees (at the beginning of each year) and natural persons are exempt from the obligation to keep a register of processing activities. This exception does not apply if particularly sensitive personal data is processed on a large scale, or if high-risk profiling is carried out.

Comment

The countdown to the implementation has begun: on 1 September 2023, the nDPA and the DPO will enter into force. Companies that have not yet implemented the new nDPA and DPO requirements should start now. Large companies and companies involved in the processing of particularly sensitive data should check whether they need to comply with the increased documentation obligations. Every company should take special care to ensure compliance with the provisions sanctioned by criminal law.

For further information on this topic please contact Jürg Schneider or Hannes Meyle at Walder Wyss by telephone (+41 58 658 58 58) or email ([email protected] or [email protected]). The Walder Wyss website can be accessed at www.walderwyss.com.