Newsletter #2 9/2022 Completion of the total revision of the Federal Act on Data Protection (FADP)


Overview The total revision of the Federal Act on Data Protection (nFADP) has been completed. On 31 August 2022 the Federal Council published the Data Protection Ordinance (nDPO) and decided that the new rules would enter into force on 1 September 2023. The purpose of the total revision was to adapt the aging Federal Act on Data Protection to today’s social and technological conditions and to bring it closer to the more recent and modern regulations in the European data protection environment (esp. GDPR). The new FADP and nDPO are now in line with the EU rules in many respects. Nevertheless, there are some so-called “Swiss finishes” to consider when reviewing and implementing the new data protection setup in a company. Swiss companies now have one year to implement the new rules – (further) transition periods are not foreseen. We would like to inform you briefly about the most important changes and our offer for you. Attached you will also find a checklist with the individual tasks for the step-by-step implementation of the data protection rules in your company. Important changes The following points highlight the most important changes compared to the current law: No protection of data concerning legal persons: While the current FADP applies to data of both natural and legal persons, the nFADP limits the scope – just like the GDPR – to data of natural persons. Profiling and profiling with high risk: A distinction is made between normal “profiling” and “profiling with high risk”. Profiling includes any type of automated processing of personal data that consists of using such data to evaluate, analyze or predict certain personal aspects relating to a natural person (Art. 5 lit. f nFADP). Profiling with high risks entails a high risk to the personality or fundamental rights of the data subjects (Art. 5 lit. g nFADP). Profiling does not in itself require consent, even in the case of high risk. However, it is important in relation with information and other administrative obligations as well as logging (see below). Significantly expanded duty to inform and right to information: The new rules require that data subjects be informed about the acquisition of personal data, providing all information necessary to enable data subjects to assert their rights and to ensure transparent processing. This includes the contact details of the controller, the purpose of the processing and, if applicable, recipients of personal data (Art. 19 nFADP). A willful breach of this obligation is subject to criminal sanctions. In addition, any person may request information as to whether personal data about him or her is being processed. If this is the case, they must be provided with all information necessary to enable them to assert their rights and to ensure transparent data processing. The law contains a corresponding enumeration (Art. 25 nFADP). New role designations: The new rules will introduce the terms “controller” and “processor”. To understand the further explanations – as well as the legal text itself – it is helpful to know these two roles. A controller is defined as anyone who decides on the purpose and means of data processing, e.g., an employer for the processing of personal data of its employees or a merchant for the processing of personal data of its customers. In contrast, a processor is defined as anyone who processes personal data on behalf of the controller, e.g., the storage of data on an external server or by cloud service providers. Administrative duties: Administrative duties have also been expanded. These include, for example: record of processing activities (Art. 12 nFADP). The record contains the different processing activities of the company, including the purposes of processing (e.g., HR, marketing, etc.) and their main framework conditions. Exceptions apply to companies with fewer than 250 employees (Art.24 nDPO); the preparation of data protection impact assessments if processing may entail a high risk to the personality or fundamental rights of the data subject (Art. 22 nFADP); notification of breaches of data security (Art. 24 nFADP and Art. 15 nDPO); the logging of automated processing of special categories of personal data on a large scale or profiling with high risk, if the preventive measures taken are insufficient to guarantee data protection (Art. 4 nDPO); and the creation of policies for automated processing. These policies must be updated regularly if special categories of personal data are being processed automatically on a large scale or if profiling with high risk is carried out (Art. 5 nDPO) Data security: Technical and organizational measures (e.g., access rights, pseudonymization) must be taken to ensure adequate data security. This also includes that the applications are designed, among other things, in such a way that personal data is anonymized by default and/or deleted after a certain time. If personal data is being processed by a processor, the controller must ensure that the processor is able to guarantee data security (e.g., through so-called data processing agreements, DPA). In connection with data security, it is also worth mentioning, that there is an obligation to review and, if necessary, adjust the measures taken “over the entire processing period” and a willful breach of the minimum requirements on data security is subject to criminal sanctions. Cross-border disclosure: In particular, the storage of personal data on a foreign system (server, cloud), but also access by a foreign support team is considered a “disclosure”. In principle, personal data may be disclosed abroad if the legislation of the foreign country guarantees adequate protection (Art. 16 para. 1 nFADP). The countries deemed to have an adequate level of data protection are listed in Annex 1 of the nDPO. The disclosure of personal data to other countries – including the USA – requires a specific exemption or the implementation of alternative protection measures to guarantee an adequate level of data protection (Art. 16 para. 2 and Art. 17 nFADP). Sanctions: The new Federal Act on Data Protection provides fines of up to CHF 250’000 for the violation of certain obligations (Art. 60 f. nFADP). Punishable are intentional acts and omissions, but not negligence. Unlike in the EU, where the sanctions are directed against the companies, in Switzerland the responsible natural persons will be fined. The company itself can only be fined up to CHF 50’000 if the identification of the criminal natural person within the company or organization would entail a disproportionate investigation effort. We recommend that you start implementing the new regulations in a timely manner so that your company will be nFADP-compliant on 1 September 2023. As mentioned above, a short checklist that can help you get started is available in the appendix. Our offer We will be happy to provide you with pragmatic and sustainable support for your data protection projects, for example: through education and training; with a GAP analysis and setting up your data protection setup; with recommendations for helpful data protection tools; in the preparation of the necessary data protection declarations; in drafting contracts with your partners; for major outsourcing of data processing (e.g., when using cloud services) or in connection with data transfers abroad. We hope to be of service to you with this information and will be happy to answer any questions you may have. Checklist_DE.pdf Checklist_IT.pdf Checklist_FR.pdf Checklist_EN.pdf Prof. Dr. Cornelia Stengel +41 58 200 39 00 +41 58 200 39 11 cornelia.stengel@kellerhals-carrard.ch Stefano Perucchi +41582003100 +41582003111 stefano.perucchi@kellerhals-carrard.ch Dr. Urs Marti +41 58 200 35 28 +41 58 200 35 11 urs.marti@kellerhals-carrard.ch Dr. Mario M. Marti +41 58 200 35 00 +41 58 200 35 11 mario.marti@kellerhals-carrard.ch Christophe Rapin +41 58 200 33 30 +41 58 200 33 11 christophe.rapin@kellerhals-carrard.ch Dr. Thomas Bähler +41 58 200 35 00 +41 58 200 35 11 thomas.baehler@kellerhals-carrard.ch Dr. Nicolas Mosimann +41 58 200 30 49 +41 58 200 30 11 nicolas.mosimann@kellerhals-carrard.ch Dr. Daniel Alder +41 58 200 39 33 +41 58 200 39 11 daniel.alder@kellerhals-carrard.ch Ralph Gramigna +41 58 200 39 06 +41 58 200 39 11 ralph.gramigna@kellerhals-carrard.ch

Overview

The total revision of the Federal Act on Data Protection (nFADP) has been completed. On 31 August 2022 the Federal Council published the Data Protection Ordinance (nDPO) and decided that the new rules would enter into force on 1 September 2023. The purpose of the total revision was to adapt the aging Federal Act on Data Protection to today’s social and technological conditions and to bring it closer to the more recent and modern regulations in the European data protection environment (esp. GDPR). The new FADP and nDPO are now in line with the EU rules in many respects. Nevertheless, there are some so-called “Swiss finishes” to consider when reviewing and implementing the new data protection setup in a company.

Swiss companies now have one year to implement the new rules – (further) transition periods are not foreseen. We would like to inform you briefly about the most important changes and our offer for you. Attached you will also find a checklist with the individual tasks for the step-by-step implementation of the data protection rules in your company.

Important changes

The following points highlight the most important changes compared to the current law:

No protection of data concerning legal persons: While the current FADP applies to data of both natural and legal persons, the nFADP limits the scope – just like the GDPR – to data of natural persons.
Profiling and profiling with high risk: A distinction is made between normal “profiling” and “profiling with high risk”. Profiling includes any type of automated processing of personal data that consists of using such data to evaluate, analyze or predict certain personal aspects relating to a natural person (Art. 5 lit. f nFADP). Profiling with high risks entails a high risk to the personality or fundamental rights of the data subjects (Art. 5 lit. g nFADP). Profiling does not in itself require consent, even in the case of high risk. However, it is important in relation with information and other administrative obligations as well as logging (see below).
Significantly expanded duty to inform and right to information: The new rules require that data subjects be informed about the acquisition of personal data, providing all information necessary to enable data subjects to assert their rights and to ensure transparent processing. This includes the contact details of the controller, the purpose of the processing and, if applicable, recipients of personal data (Art. 19 nFADP). A willful breach of this obligation is subject to criminal sanctions. In addition, any person may request information as to whether personal data about him or her is being processed. If this is the case, they must be provided with all information necessary to enable them to assert their rights and to ensure transparent data processing. The law contains a corresponding enumeration (Art. 25 nFADP).
New role designations: The new rules will introduce the terms “controller” and “processor”. To understand the further explanations – as well as the legal text itself – it is helpful to know these two roles. A controller is defined as anyone who decides on the purpose and means of data processing, e.g., an employer for the processing of personal data of its employees or a merchant for the processing of personal data of its customers. In contrast, a processor is defined as anyone who processes personal data on behalf of the controller, e.g., the storage of data on an external server or by cloud service providers.

Administrative duties: Administrative duties have also been expanded. These include, for example:
- record of processing activities (Art. 12 nFADP). The record contains the different processing activities of the company, including the purposes of processing (e.g., HR, marketing, etc.) and their main framework conditions. Exceptions apply to companies with fewer than 250 employees (Art.24 nDPO);
- the preparation of data protection impact assessments if processing may entail a high risk to the personality or fundamental rights of the data subject (Art. 22 nFADP);
- notification of breaches of data security (Art. 24 nFADP and Art. 15 nDPO);
- the logging of automated processing of special categories of personal data on a large scale or profiling with high risk, if the preventive measures taken are insufficient to guarantee data protection (Art. 4 nDPO); and
- the creation of policies for automated processing. These policies must be updated regularly if special categories of personal data are being processed automatically on a large scale or if profiling with high risk is carried out (Art. 5 nDPO)

Data security: Technical and organizational measures (e.g., access rights, pseudonymization) must be taken to ensure adequate data security. This also includes that the applications are designed, among other things, in such a way that personal data is anonymized by default and/or deleted after a certain time.

If personal data is being processed by a processor, the controller must ensure that the processor is able to guarantee data security (e.g., through so-called data processing agreements, DPA).

In connection with data security, it is also worth mentioning, that there is an obligation to review and, if necessary, adjust the measures taken “over the entire processing period” and a willful breach of the minimum requirements on data security is subject to criminal sanctions.

Cross-border disclosure: In particular, the storage of personal data on a foreign system (server, cloud), but also access by a foreign support team is considered a “disclosure”.

In principle, personal data may be disclosed abroad if the legislation of the foreign country guarantees adequate protection (Art. 16 para. 1 nFADP). The countries deemed to have an adequate level of data protection are listed in Annex 1 of the nDPO. The disclosure of personal data to other countries – including the USA – requires a specific exemption or the implementation of alternative protection measures to guarantee an adequate level of data protection (Art. 16 para. 2 and Art. 17 nFADP).

Sanctions: The new Federal Act on Data Protection provides fines of up to CHF 250’000 for the violation of certain obligations (Art. 60 f. nFADP). Punishable are intentional acts and omissions, but not negligence. Unlike in the EU, where the sanctions are directed against the companies, in Switzerland the responsible natural persons will be fined. The company itself can only be fined up to CHF 50’000 if the identification of the criminal natural person within the company or organization would entail a disproportionate investigation effort.

We recommend that you start implementing the new regulations in a timely manner so that your company will be nFADP-compliant on 1 September 2023. As mentioned above, a short checklist that can help you get started is available in the appendix.

Our offer

We will be happy to provide you with pragmatic and sustainable support for your data protection projects, for example:

through education and training;
with a GAP analysis and setting up your data protection setup;
with recommendations for helpful data protection tools;
in the preparation of the necessary data protection declarations;
in drafting contracts with your partners;
for major outsourcing of data processing (e.g., when using cloud services) or in connection with data transfers abroad.

We hope to be of service to you with this information and will be happy to answer any questions you may have.

Newsletter #2 9/2022 Completion of the total revision of the Federal Act on Data Protection (FADP)

Prof. Dr. Cornelia Stengel

Stefano Perucchi

Dr. Urs Marti

Dr. Mario M. Marti

Christophe Rapin

Dr. Thomas Bähler

Dr. Nicolas Mosimann

Dr. Daniel Alder

Ralph Gramigna