Last call to implement the new Swiss regulations on data protection!

• Compliance/Data Protection/ESG
• Contracts
• SME

Since 1 September 2023 the new Swiss Federal Act on Data Protection and its revised Ordinance came into force. The new Swiss regulations impose on the private sector a number of new obligations which are very similar with those ones under the European General Data Protection Regulation (GDPR) and yet differ in certain areas (so called “Swiss Finish”). If not already done, companies have to bring their documents and activities related to processing of personal data in line with the new requirements. This article provides a brief overview of the new legal situation and contains our recommendations for action for your company.

What changes do the new Swiss data protection regulations entail?

The new Swiss data protection regulations impose a number of new obligations on companies and individuals when processing personal data, for example the obligation to report losses of personal data or other data protection breaches to the Swiss Data Protection and Information Commissioner, as well as the obligation to carry out data protection impact assessments, etc.

Some parts of the new regulations are based on the legal requirements of the GDPR and Swiss companies whose processes already comply with the GDPR have a solid basis. For example, the GDPR already includes the requirement to create data protection notices. This obligation to provide information when procuring data is now also mandatory under the new Swiss data protection regulations and requires a certain minimum level of information which is not completely congruent with the EU regulations. Companies should therefore review their existing processes, IT tools and documents, including contracts, with regard to the new Swiss requirements and take appropriate actions such as:

• Introduce a register of processing activities (except for companies with less than 250 employees and if there is no significant privacy risk);
• Adapt existing data protection notices to inform data subjects in an appropriate manner about the processing of their personal data and the specific purposes of processing and, in the case of cross-border transfers of personal data, to provide the necessary information on the countries to which personal data is transferred and how data protection is guaranteed.
• Revise contracts under which personal data will be transferred abroad. The privacy clauses should refer to the Swiss Federal Data Protection Act and the list of countries where personal data are transferred to.

On the other hand, the existing general data protection principles (lawfulness, good faith, proportionality, purpose limitation, transparency or recognizability, data accuracy, data security) continue to apply under the new Swiss Data Protection Act. This means that, unlike the GDPR, the new Swiss Data Protection Act does not require a legal basis “per se” for all data processing. However, a justification (consent, legal basis or an overriding public or private interest) for the processing of personal data is still required under the Data Protection Act if the processing is carried out contrary to the data protection principles or contrary to the express declaration of intent of the data subject, or if particularly sensitive data is to be disclosed to third parties.

Risks under the new Swiss regulations on data protection

In case of non-compliance with the new Swiss Federal Data Protection Act the law foresees fines up to the amount of CHF 250’000. These fines are not as high as the ones of the GDPR, however they are imposed on individuals and not on the company!

Further, data breaches of personal data of business partners may qualify as breach of contract and entail contractual penalties, premature termination of the contract, claims of a counterparty to compensate damages, etc.

Recommendations

We recommend that Swiss companies:

• ensure that the general data protection principles (in particular, lawfulness, good faith, proportionality, purpose limitation, transparency or recognizability, data accuracy, data security) are complied with before any processing of personal data (a legal basis as known under the GDPR is only necessary in special cases);

• review existing processes, instruments, documents, including contracts, to ensure that they comply with the new Swiss data protection regulations;

• create a register of processing activities (except for companies with fewer than 250 employees and if there is no significant data protection risk);

• prepare all necessary documents and procedures, for example:
  • Data Protection Policy “Privacy by Default & Design”,
  • Personal Data Breach Policy,
  • Data Protection Impact Assessment Policy,
  • Personal Data Retention Policy,
  • Policy on access to employee business emails, including after termination of employment,
  • List and description of technical and organisational measures in the area of data protection,
  • Data protection notices for employees, freelancers and job applicants;
  • Data Privacy Policy to be placed on the company’s website;
  • Cookies Policy (including Cookie pop ups and consent banners),
  • Terms of Use for the website, etc.;

• before transferring personal data to any foreign country:
  • check whether the third country in question is listed in the Swiss Federal Council’s so-called adequacy conclusions list as a country that guarantees an adequate level of protection, and
  • if not – apply the modernised standard contractual clauses for the transfer of personal data to third countries (including language which specifies how data breach notifications are handled);

• create or revise data protection notices that inform data subjects in an appropriate manner about the processing of their personal data and the specific purposes of processing, including, in the case of cross-border transfers of personal data, with necessary information about the countries to which personal data is transferred and how data protection is guaranteed;

• provide training for employees to make them aware of the requirements and restrictions in the area of personal data protection;

• take other necessary organizational and technical measures in the area of data protection (if deemed appropriate, to appoint a data protection officer in the company).