Introduction
Switzerland is adopting new legislation to better protect its citizens' data. It improves the handling of personal data and grants new rights to Swiss citizens. This important legislative change is also accompanied by a number of obligations for companies, which must comply with it from 1 September 2023[1].
The first federal law on data protection ("FADP") dates from 1992. With the revision of the legislation, the Swiss government is responding to the fundamental evolution of the technological and social landscape since the 1990s. The aim is to ensure that the protection of the population's data is adequate and adapted to the technological and social developments of our time[2][3].
In drafting the new FADP, the Swiss Federal Council was inspired by the General Data Protection Regulation ("GDPR") of the European Union ("EU")[4]. The new FADP deviates from the GDPR in some ways and even exceeds it in some aspects[5]. This modernization is important to ensure that the EU continues to recognize Switzerland as a third country with an adequate level of data protection, helping Swiss companies to remain competitive.
This presentation will explain some of the changes brought by the new FADP and will focus primarily on the surveillance and support measures that companies must take to ensure data protection in the course of their activities, while comparing them to the GDPR.
Some Distinctions and Definitions
The new FADP distinguishes between controllers, processors and data protection advisors.
“Data Controller” or “Private Controller” refers to the private or federal entity that determines the purpose and means of the processing of personal data. Data controllers are those who collect and process data, manage their collections and are responsible for the compliance of that processing[6].
“Data Processor” or “Private Processor” is the private or federal entity that processes the data on behalf of the data controller. It is an entity outside the company's organization that acts under the guidance and on the basis of instructions given by the company (the data controller), either where legally authorised or under a contractual agreement, subject to specific conditions[7]. Processing is defined as “any handling of personal data, regardless of the means and procedures used, in particular the acquisition, storage, keeping, use, modification, disclosure, archiving, deletion or destruction of data”[8].
“Data Protection Advisor” or “DPA” is the person who trains and advises the controller in matters of data protection. He serves not only as a point of contact within the company, but also as a link to the data protection authorities, in particular the Federal Data Protection and Information Commissioner ("FDPIC")[9]. This point is discussed in more detail below.
“Federal Data Protection and Information Commissioner” or “FDPIC” is the competent authority for data processing by federal bodies and private persons, including enterprises. He supervises and advises federal and private bodies, assists federal and cantonal authorities in the field of data protection and cooperates with data protection authorities in Switzerland and abroad.
The new FADP applies to both physical and electronic data and files[10].
The principles of "Privacy by Design" and "Privacy by Default" are introduced
These principles require authorities and companies to build these new principles into their internal systems at the design stage by taking appropriate technical and organizational protection measures. The applications used to process personal data have to be designed from the very beginning to respect data protection[11].
According to the principle of “Privacy by Design”, the data controller and the data processor must take appropriate steps at the planning stage to reduce the risk of privacy breaches during data processing. The goal is to design your application in such a way that, among other things, data are systematically anonymized or deleted.
“Privacy by Default” protects users in particular from private online offers that don’t provide conditions of use and related opposition rights. Only data absolutely required for the intended purposes are processed, unless the users actively allow further processing. In order to guarantee this protection under the new law, as a Swiss company you have to check your online offers in good time and, if necessary, make changes to your internal data processing application[12].
Art. 7 of the new FADP is more flexible than the GDPR because the data controller is not responsible for demonstrating compliance and documenting its data processing activities[13].
Data Protection Advisors
Art. 10 of the new FADP introduces the position of "data protection advisor" ("DPA"). This position is also known in the GDPR as the "data protection officer" ("DPO")[14]. Under the new FADP it’s not mandatory to appoint a DPA. The consulting activity of the DPA is separated from the other tasks of the company. In practice, the DPA may be an external service provider[15]. Moreover, the DPA must be independent and not subject to instructions, which means that the DPA must not have an executive function[16].
In contrast to the GDPR, the appointment of a DPA remains optional for private entities; only federal bodies are legally obliged to do so[17]. The DPA will not only be the internal contact person for data protection, but also the intermediary for administrative data and the first point of contact for the FDPIC. His task will be to participate in the development and application of the conditions of use for data protection[18].
As a Swiss company, appointing a data protection advisor is a real advantage because he will be able to provide your data controller with the perspective and experience needed to comply with the new legal requirements for data protection.
Impact analyses must be carried out if there is a high risk to the personality or fundamental rights of the data subjects
The Data Protection Impact Assessment (“DPIA”) is regulated by art. 22 of the new FADP. It’s now the tool of choice to validate and justify the processing of more sensitive data. Nowadays, if a project is to be submitted to the FDPIC for assessment, the FDPIC regularly requires a DPIA[19]. The GDPR also contains the notion of a DPIA[20].
In practice, if the intended processing operation is likely to result in a high risk to the data subject's personality or fundamental rights, the private controller will now also have to carry out a prior impact analysis. Such a risk exists especially when high-risk profiling or large-scale processing of sensitive data is planned[21]. For example, installing a surveillance camera for the purpose of public monitoring will require a DPIA because its purpose is the systematic monitoring of a publicly accessible area on a large scale[22].
If an impact assessment shows that the proposed processing operation still poses a high risk to the personality or the rights of the data subject (despite the measures taken by the controller), the data controller shall consult the FDPIC before processing. However, the data controller may waive consulting the FDPIC if it has consulted its internal DPA[23]. Conversely, if there is no DPA, the data controller must consult the FDPIC in this case of high risk to obtain his opinion.
The DPIA often takes the form of an Excel table summarizing various elements, in particular the nature of the data, its recipients and its retention period, but also the data flows and the media used to exploit the data, the risks of a breach and an internal self-assessment of the measures taken to prevent the breach or reduce the high risk to the data subjects concerned[24]. The aim is for data controllers to be aware of the risks that data processing may entail and to take them into account in an appropriate manner.
Keep a Register of Processing Activities
In the future, every data controller and data processor must keep a register of their processing activities, in which the information required by law (such as the identity of the data controller, the purpose of the processing or the retention period of personal data) must be recorded. This rule was inspired by the GDPR and is regulated by art. 12 of the new FADP.
The Swiss Federal Council has made exceptions to the obligation to keep a register of processing activities[25] for companies with fewer than 250 employees whose data processing presents a limited risk of harm to the personality of the persons concerned[26][27]. While federal entities will be required to declare their register to the FDPIC, private data processors will not be required to do so under the new law.
As a Swiss company with fewer than 250 employees, it’s still highly recommended for you to keep a register of processing activities, because this measure is complementary to the rest of the changes in the new FADP and will enable you to better adapt to current data protection requirements.
In the internal operation of your company, there is no formal or technical requirement for the form of the register: an Excel or Word document is completely acceptable. The violation of the obligation to keep a register does not lead to a direct sanction. The FDPIC can request access to the register, but the data subject cannot do so directly[28].
The Consequences of Non-Compliance with the New FADP And Sanctions
The new FADP entered into force on 1 September 2023 without a transitional period[29]. Thanks to its new powers, the FDPIC will be able to:
- open an investigation in the event of a violation of data protection rules and order strict measures such as changes to or interruptions of data processing, or even the deletion of data;
- report offences and assert the rights of a complainant in the proceedings; however, he will not have the right to file a complaint himself[30];
- report violations and exercise the rights of a complainant in the proceedings[31].
The new FADP still doesn’t give the FDPIC any power of sanction, whereas the European data protection authorities now have such powers. In the event of a deliberate violation of the new FADP's obligations to provide information, explanation, cooperation or due diligence, a fine may be imposed[32]. Non-compliance with the new legal data protection requirements puts your company at risk of being reported, which could trigger proceedings before the cantonal prosecution authorities, but also damage the image and the proper functioning of your company[33].
Footnotes
[1] The new Data Protection Act from the FDPIC’s perspective, 7th October 2022, p. 2.
[2] Ibidem, p. 2.
[3] Message concernant la loi fédérale sur la révision totale de la loi fédérale sur la protection des données et sur les modifications d’autres lois fédérales, du 15 septembre 2017, FF 2017 6565, p. 6592.
[4] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), https://eur-lex.europa.eu/eli/reg/2016/679/oj.
[5] Rosenthal David / Studer Samira / Lombard Alexandre, La nouvelle loi sur la protection des données, in: Jusletter 16 novembre 2020, p. 1, https://www.rosenthal.ch/downloads/Rosenthal-Studer-Lombard-nouvelleLPD.pdf.
[6] Art. 5 let. new FADP.
[7] Art. 9 new FADP.
[8] Art. 5 let. d new FADP.
[9] Art. 10 al. 1 and 2 new FADP.
[10] Art. 5 let. d new FADP.
[11] Rosenthal David / Studer Samira / Lombard Alexandre, op. cit., p. 22.
[12] The new Data Protection Act from the FDPIC’s perspective, 7th October 2022, p. 3.
[13] Ibidem, p. 23.
[14] Rosenthal David / Studer Samira / Lombard Alexandre, op. cit., p. 65-66.
[15] Ibidem, p. 66.
[16] The new Data Protection Act from the FDPIC’s perspective, 7th October 2022, p. 4.
[17] Ibidem, p. 4.
[18] Idem, p. 4.
[19] Rosenthal David / Studer Samira / Lombard Alexandre, op. cit., p. 58.
[20] Ibidem, p. 59.
[21] The new Data Protection Act from the FDPIC’s perspective, 7th October 2022, p. 4-5.
[22] Rosenthal David / Studer Samira / Lombard Alexandre, op. cit., p. 59.
[23] The new Data Protection Act from the FDPIC’s perspective, 7th October 2022, p. 5.
[24] FF 2017 6565, p. 6677.
[25] Art. 24 new Data Protection Ordinance (new DPO).
[26] Rosenthal David / Studer Samira / Lombard Alexandre, op. cit., p. 56.
[27] Art. 12 al. 5 new FADP.
[28] Rosenthal David / Studer Samira / Lombard Alexandre, op. cit., p. 57.
[29] The new Data Protection Act from the FDPIC’s perspective, 7th October 2022, p. 2.
[30] Ibidem, p. 8.
[31] Idem, p. 8.
[32] Art. 60 ss new FADP.
[33] Ibidem, p. 8.