1 October 2020 | Newsletter

Newsletter 4/2020: Completion of the total revision of the Swiss Data Protection Act (DPA)

Overview


After much back and forth, and after settling the last remaining differences, the Swiss parliament passed the total revision of the Swiss Data Protection Act (DPA) in its final vote on 25 September 2020. We are pleased to provide you with brief information on the background to the draft law and, in particular, on the most important changes.

The purpose of the total revision of the Swiss Data Protection Act (dating from 1992) was to adapt this outdated law to today's social and technological conditions and to align it with the more recent and modern European data protection regulations (in particular the GDPR). The following four aspects were of particular importance:

  • The increase of transparency and the strengthening of the rights of data subjects;
  • The promotion of prevention measures and of the personal responsibility of data processors;
  • The strengthening of data protection supervision;
  • The extension of the penal provisions.

Correspondingly, stricter rules will have to be observed in the future when processing personal data. These new rules should be addressed at an early stage so that an existing data protection concept can be reviewed and, where necessary, adapted before the revised law comes into force (e.g. preparation of data privacy statements and, if necessary, records of processing activities, adaptation of data processing procedures, appointment of a data protection officer, conclusion of data processing agreements, etc.).

At the end of the 100-day referendum period, the Federal Council will decide when the Federal Act will enter into force. As the corresponding ordinance ("DPAO") will also need to be amended, the revised Data Protection Act ("revDPA") is unlikely to enter into force before 1 January 2022.


Important New Features


We are therefore limiting our overview to the most important developments in comparison to the applicable law:


No protection of legal entities' data

Whilst the current DPA applies to the data of both natural persons and legal entities, the scope of the revDPA is to be limited to the data of natural persons, as it is under the GDPR.


Particularly sensitive personal data

The revDPA extends the list of data that qualifies as particularly sensitive and is therefore subject to additional legal requirements (inter alia regarding consent, data protection impact assessments, disclosure to third parties and credit assessments). For example, genetic data and biometric data (e.g. fingerprints) that uniquely identify a natural person are also to be classified as particularly sensitive under the revDPA.


Profiling and high-risk profiling

Whether to include "high-risk profiling" in the act in addition to "ordinary" profiling was the most controversial and widely discussed issue of the entire proposed new act. In the end, parliament followed the proposals of the conciliation conference, according to which high-risk profiling is to be defined and specifically regulated by law. Thus, in the case of high-risk profiling, any consent that may be required must be explicit. Moreover, controllers processing data for credit assessment may no longer rely on legitimate interest, and therefore can no longer justify a violation of privacy rights, if the credit assessment involves high-risk profiling.

Further, if personal data is processed automatically and a combination of data allows for the assessment of "essential aspects of personality", this qualifies as high-risk profiling. The legal definition is very wide, and distinguishing it from "standard" profiling will not be easy in practice. Here, the DPAO will hopefully provide further clarification.

In any case, as a result of this amendment, it must in future be ensured in the case of a credit assessment involving high-risk profiling that all processing principles are complied with or that other grounds for justification (in particular consent by the data subject) are given.


Records of data processing activities

The revDPA, like the GDPR, obliges both the controller and the processor to keep records of their respective data processing activities. These records must contain at least the information specified by law. The Federal Council provides exceptions for companies that employ fewer than 250 employees and whose data processing involves a low risk of personal injury to the data subjects. These exceptions are still to be regulated in the DPAO.


Data Processor

According to the revDPA, a relationship between the controller and the processor can be established by contract or by law. The prerequisite, as under the current law, is that the processor may only process the data to the same extent as the controller itself would be permitted to. As is already the case in the EU, data processing may now be transferred to a sub-contractor only with the prior consent of the data controller, so that the latter (at least indirectly) retains control over the data processing; the data controller must also ensure that the data processor is able to guarantee data security. Beyond that, there has been little change in this area. In particular, the data processing agreement is still not subject to any particular form requirements.


Privacy by design and default

The revDPA, like the GDPR, contains the principles of privacy by design and privacy by default. From the planning stage onwards, the controller must design the data processing technically and organisationally in such a way that the data protection rules, in particular the processing principles, are observed (privacy by design). In addition, the controller must configure the default settings, e.g. for apps or websites, in such a way that the processing of personal data is limited to the minimum required for the intended purpose (privacy by default).


Extension of information obligations

According to the revDPA, when collecting personal data the following minimum information must now be provided to the data subject:

  • The identity and contact details of the controller;
  • The purpose of the processing of their data;
  • If applicable, the recipients or categories of recipients to whom their personal data is disclosed.

If the personal data is disclosed abroad, the data subject must also be informed of the state or international body concerned and, if applicable, of the guarantees protecting personal data in that state.


Extension of the duties of disclosure

The revDPA provides for broader obligations to provide information than the current DPA. The obligation is no longer limited to the exhaustively defined minimum information (which now also includes information on the duration of storage, foreign transfers and automated individual decisions), but extends to all information that is necessary for the data subject to assert their rights under the revDPA. However, the information on the "processed personal data" is now qualified in that this data must be communicated or disclosed "as such". This is intended to clarify that the right to information under data protection law does not constitute a right to request the release of documents or files.

Right to data portability

The revDPA provides for a right to data release and transmission ("data portability"). Accordingly, the data subject can demand from the controller, typically free of charge, the release of their personal data in a common electronic format or its transfer to another controller, provided that the controller processes the data automatically and the data is processed with the consent of the data subject or in direct connection with the conclusion or performance of a contract.


Automated individual decision-making

The revDPA stipulates that the controller must inform the data subject of a decision which is based exclusively on automated processing and which is associated with a legal consequence for them or significantly affects them. The data subject must have the opportunity to express their point of view and may request that the decision be reviewed by a natural person. This does not apply if the decision is directly related to the conclusion or performance of a contract between the controller and the data subject, and the data subject's request is granted, or if the data subject has expressly consented to the decision being automated.


Data protection impact assessment

According to the revDPA, the controller is obliged to carry out a data protection impact assessment if a data processing operation may entail a high risk to the personality or fundamental rights of the data subject. Such a high risk can result from the type, scope, circumstances and purpose of the processing. A data protection impact assessment must describe the planned processing and the risks it entails, as well as appropriate measures to mitigate those risks. Exceptions may be possible under certain circumstances if the controller complies with a code of conduct.


Notification of data protection breaches

In accordance with the revDPA, in the event of a data protection breach, controllers must notify the Federal Data Protection and Information Commissioner ("FDPIC") as soon as possible if there is a serious risk to the personality or fundamental rights of the data subjects. Subject to certain exceptions, the controller must also inform the data subjects if this is necessary for their protection or if the FDPIC so requires. The data processor must report any breach of data security to the controller (not to the FDPIC and/or the data subject) as quickly as possible.


Sanctions

According to the revDPA, natural persons can now be fined up to CHF 250,000.00 (previous maximum CHF 10,000.00), in particular for intentional violations of the information and disclosure obligations and of the duties of care. In the future, a lack of data protection compliance will therefore not only entail reputational risks for companies, but may also have far-reaching criminal consequences for the non-compliant employees themselves.


We hope that you find this overview helpful and are happy to answer any questions you may have.


Authors of this text:

Cornelia Stengel
Prof. Dr. iur., Attorney at Law, Partner

Luca Stäuble
MLaw, Attorney at Law

Nicolas Mosimann
Dr. iur., LL.M., Attorney at Law, Partner

Christophe Rapin
lic. iur., Attorney at Law (CH and Bruxelles), Partner

Stefano Perucchi
lic. iur., LL.M., Attorney at Law, Partner

Kellerhals Carrard

Basel ∣ Bern ∣ Geneva ∣ Lausanne ∣ Lugano ∣ Sion ∣ Zurich
