Revision of the Swiss Federal Act on Data Protection
Swiss Parliament Approves the Revision of the DPA
Today, the Swiss Federal Assembly approved the revision of the Swiss Data Protection Act (DPA). Thus, the new DPA is in its final form. Whether a public referendum will be held is still open. We expect the new DPA to enter into force at the beginning of 2022 at the earliest.
Which final changes were adopted?
For most part, Parliament has been in agreement on the revision for a while. Nonetheless, the alignment on the last open issues took until yesterday:
- After much back and forth, Parliament agreed to include rules on a so-called high-risk profiling in the law. This is defined as a «profiling that involves a high risk to the personality or fundamental rights of the data subject by linking data that allows an assessment of essential aspects of the personality of an individual». However, the qualification as a high risk profiling has very few consequences only.
- As under the current law, the new DPA will provide that performing credit checks may serve to establish an overriding interest to justify the processing of personal data, but the prerequisites have been tightened: The data processed for such purpose must not be older than ten years, the person in question must be of legal age and the processing must not qualify as high-risk profiling. As under the current DPA already, sensitive personal data must not be used for the purpose of credit checks and the disclosure of such data to third parties remains restricted.
In the following, we summarize the key points of the revision of the DPA.
What will not change?
Most importantly, the core principles of Swiss data protection law will not change. As already under the current DPA, the new DPA will require compliance with a number of processing principles (such as transparency, purpose limitation, proportionality, data security, etc.), and the processing of personal data continues to be lawful if these processing principles are complied with.
In this respect, the new DPA continues to differ from the EU General Data Protection Regulation (the GDPR). There will not be a need for a legal basis for each processing activity. Rather, a processing activity must only be justified based on consent, legal requirements or overriding private or public interests if any processing principle is not complied with, or if personal data is processed against the data subject’s wish. Thus, the need for justification continues to be an exception rather than the default under the new DPA.
In practice, we do not expect the revision of the DPA to have a major impact on how companies process personal data. Rather, the new DPA will have an impact on data protection governance and documentation needed to ensure compliance.
What will change?
Nonetheless, the new DPA brings a number of relevant changes. The following are to be highlighted:
- Data relating to legal entities will no longer be protected by the DPA. As under the GDPR, only data relating to individuals will fall within the scope of the new DPA.
- The data controller’s information duties will be broadened. The controller will have to inform the data subjects at least about its identity and contact details, the purpose of processing and recipients or categories of recipients. The list provided in the DPA is however not comprehensive, and controllers will have to consider whether additional information needs to be provided to data subjects, so that they provide the «information needed for the data subjects to exercise their rights» under the DPA and to «ensure a transparent processing», as rather vaguely required by the new DPA.
- There will be an increased need to document processing activities and to implement governance processes. Subject to certain exceptions applying to companies with less than 250 employees, data controllers and data processors will have to maintain inventories of their processing activities. For high risk processing activities, data controllers will have to perform a data protection impact assessment.
- The new DPA introduces a data breach notification obligation into Swiss law: The data controller will have to report any data breach that is expected to trigger a high risk for the personality rights of data subjects to the Swiss Federal Data Protection and Information Commissioner (the FDPIC); the notification is to be made as soon as possible. Thus, the threshold for a notification obligation to be triggered is slightly higher than under the GDPR. If needed to protect the data subjects, or if requested by the FDPIC, the data controller must also inform the affected data subjects.
- While the data subject rights will remain unchanged for most part, the new DPA will introduce certain modifications regarding the data subject access right. In particular, it is clarified that transfers among affiliates within the same group will not deprive the data controller of its right to refuse to provide information insofar as justified by its own overriding interests. In addition, the new DPA stipulates that the access right extends only to the personal data as such. It remains to be seen whether this serves to clarify that the access right focuses on the data and not on the documents in which it is contained, as suggested by a member of Parliament.
- Further, the new DPA will introduce a right to data portability that is inspired by (but differs from) the GDPR.
- The new DPA will regulate automated individual decision making. Subject to certain exceptions, an information duty applies to the extent that decisions are exclusively based on automated processing and have legal consequences for, or otherwise significantly impair the data subject. There will not be a prohibition of such decision making, but a right of the data subject to escalate to a human being for review.
- The new DPA will govern profiling, but the regulation is limited to few restrictions with respect to performing credit checks and will likely not have a major impact for most private companies.
- The new DPA will distinguish between controllers and processors, essentially in the same way as the GDPR does. While the distinction already exists under the current DPA, it is now expressly introduced into the new DPA. In substance, the new DPA does not provide for detailed requirements regarding processor terms, so that GDPR-compliant processor terms continue to be compliant also with the new DPA. Further, the new DPA expressly states that the appointment of subprocessors requires the approval of the data controller.
- The obligation to register data files is abolished.
- The FDPIC is granted more extensive enforcement powers. Under the new DPA, the FDPIC will be empowered to conduct investigations ex officio or upon complaint, to collect evidence and to issue orders. The FDPIC’s orders will be binding, unless they are successfully appealed by the addressee. This deviates from the current law, that does not empower the FDPIC to issue binding orders to remedy non-compliance.
- The new DPA will significantly broaden the range of sanctions for non-compliance with he DPA. Under the new DPA, sanctions of up to CHF 250,000 can be triggered by a broad range of infringements of the DPA.
Will there be relevant changes regarding the export of personal data?
The core principles governing data exports will remain unchanged under the new DPA. Thus, data exports continue to be permitted to countries that have adequate data protection laws in place. Conversely, exports to third countries either require justification (such as the performance of an agreement with or in the interest of the data subject, overriding public interests, the enforcement of claims, etc.) or the implementation of other remedies to maintain an adequate level of data protection (e.g., by implementing standard contractual clauses, binding corporate rules, or other contractual arrangements, etc.).
However, there will be a few amendments with relevance for day-to-day business activities. First, the new DPA empowers the Federal Council to render binding adequacy decisions on the data protection level of foreign jurisdictions; the current non-binding FDPIC list of whitelisted countries will no longer be maintained. Second, the use of approved standard contractual clauses will no longer have to be notified to the FDPIC. Third, the possible justifications for exports to non-whitelisted countries are broadened in the context of foreign proceedings, given that the new DPA will also allow exports to exercise or enforce claims in proceedings at foreign authorities (and not only courts, as under the current DPA). This will facilitate data exports for the purpose of foreign regulatory proceedings in front of administrative authorities rather than courts, which triggered a number of litigations under the current DPA. Fourth, the information duties of the data controller under the new DPA will require the data controller to inform the data subject about the country to where the data will be exported, and the applicable justification or other remedy in case of exports to non-whitelisted countries.
Will the new DPA have extra-territorial reach?
Already the current DPA has a limited extra-territorial reach, which is the result of Swiss international private law that allows data subjects to choose Swiss law to apply in certain situations with respect to claims under data protection law. Going beyond that, the new DPA will apply to processing activities outside of Switzerland that take effect in Switzerland. Further, data controllers domiciled outside of Switzerland will have to appoint a representative in Switzerland in case they process personal data of individuals in Switzerland and the processing (i) occurs in the context of the offering of products or services in Switzerland or to monitor the conduct of individuals in Switzerland, (ii) is extensive and regular and (iii) implies a high risk for the data subjects. The representative has to maintain an inventory of the relevant processing activities.
Are there any Swiss Finishes?
In general, the requirements under the new DPA will not go beyond the level of protection of the GDPR. The «Swiss finishes» that were included in the first draft were essentially removed. There are however still a number of differences compared to the GDPR that need to be taken into account.
What are the sanctions under the DPA?
While the sanctions for breaches of the new DPA will be more severe compared to the current law, they are still moderate when compared to the GDPR. It is important to note, however, that the new DPA will not provide for administrative sanctions against companies, but continue to target responsible individuals based on criminal liability. Accordingly, an individual’s non-compliance with the new DPA may be fined with up to CHF 250,000. If it would require a disproportionate effort to identify the individual offender acting within a company and the expected fine does not exceed CHF 50,000, the company can be fined instead.
When will the DPA enter into force?
Subject to a public referendum, we currently expect the new DPA to enter into force at the beginning of 2022 at the earliest. Until then, also the Ordinance on the DPA will have to be revised and approved by the Swiss Federal Council.
Will there be a general transitional period?
No, the new DPA will not provide for a general transitional period. It will apply going forward as from its entry into force, with limited exceptions (e.g., in respect of ongoing proceedings, and the application of the principle of privacy-by-design).
How do companies prepare for the new DPA?
For businesses that have already implemented GDPR compliance, only limited changes are to be expected. For instance, they may have to review and update their documentation – such as privacy policies – to address the DPA requirements, extend their inventories to cover Swiss processing activities that were previously carved-out, and implement processes to comply with Swiss data breach notification obligations. For businesses that have not yet complied with the GDPR, major implications are to be expected. In particular, they will have to review their data protection organization, governance and documentation, and their agreements with third parties.
In particular, the following steps and activities are to be considered in view of the new DPA:
- Review the compliance organization. Consider establishing a data protection competence center for governance purposes and as internal and external point of contact for related questions.
- Identify and document processing activities. Understanding and documenting processing activities is key to enable an appropriate data protection governance. This applies even if there may not be a formal obligation to maintain an inventory, as may be the case for small and medium companies.
- Assess compliance of the processing activities. Check whether the requirements under the new DPA will be complied with. If not, implement necessary changes. Prioritize high risk processing activities and non-compliances that may have a high impact.
- Implement appropriate processes. Assess whether appropriate processes are in place to deal with data subject rights. There is no need to have a formal process in all circumstances, but processes should facilitate compliance. For instance, companies need to be in a position to adequately deal with data subject rights and data breach notification obligations.
- Update relevant documentation. For a large part, data protection compliance relies on up-to date and appropriate documentation. For instance, privacy policies need to be in place to inform employees, business partners and the public about processing activities, cross-border transfers may have to be secured by means of contractual arrangements with the data importer, and appropriate processor terms have to be implemented with third party processors. In view of the implementation of the new DPA, this documentation needs to be reviewed and updated.
- Review data security measures. Companies will continue to have to make sure that personal data is appropriately secured to avoid data breaches. Thus, security measures need to be reviewed and updated from time to time.
- Consider whether a representative in Switzerland needs to be appointed. For certain foreign companies, the new DPA will require the appointment of a representative in Switzerland.
- Prepare for inquiries. The obligation to demonstrate compliance with the DPA rests upon data controllers. Thus, be prepared to answer inquiries from authorities and to demonstrate compliance.
This Homburger Bulletin expresses general views of the authors at the date of the Bulletin, without considering the facts and circumstances of any particular person or transaction. It does not constitute legal advice. This Bulletin may not be relied upon by any person for any purpose, and any liability for the accuracy, correctness or fairness of the contents of this Homburger Bulletin is explicitly excluded.