In recent months, there has been a great deal written about the new Swiss Data Protection Act (DSG) – its innovations and content, differences from the European General Data Protection Regulation (GDPR), consequences and impacts for companies and how companies can best prepare for the revised law to be implemented. In this article, we will be focusing on the regulation’s effects on the new Data Protection Act.
Assuming that you have done your homework – a prerequisite for minimum legal compliance with the new data protection law – this means that:
- You know what personal data is involved in which processes and in which categories.
- You know where these processes occur and with which applications and systems.
- You know who is processing the data and for what purpose.
- You know where the data comes from and where/who it is sent to.
- You maintain an inventory of these processing activities in the form of one or more directories.
- The responsibilities for these activities are known and addressed.
In short, you know already what categories of personal data are processed where, by whom and why.
With the inventory being documented, you have laid the foundations for regularly reviewing the effectiveness and appropriateness over the entire period of processing. You can apportion risk-based measures to ensure data security to your processing activities. Are the protection goals specified in the regulation being adequately achieved? What measures are still needed in order to achieve them? Integration into a pre-existing ISMS (Information Security Management System), DPMS (Data Protection Management System) or QMS (Quality Management System) is a good idea, provided no new processes need to be defined.
In the event that processing activities continue to pose a high risk to data subjects’ personal privacy or fundamental rights after a data protection impact assessment has been carried out, despite the measures put in place, those persons responsible or the commissioned processors must ensure that the processing operations are comprehensively logged. These logs must cover all processing steps , not just provide information about the kind of processing operation, the identity of the person who undertook the processing, the identity of the recipient and the time at which the processing took place, but they also have to be stored separately from the logged system for at least one year.
The results of a data protection impact assessment also need to be documented in writing and kept for at least two years after the data processing has been completed. If you process personal data that requires specific protection on a large scale or carry out profiling with a high risk for the data subjects in your company, as the person with responsibility or on behalf of a third party, you are obliged to draw up and maintain up-to-date processing regulations for automated processing activities. As a federal body, not only do extended requirements apply, such as the linking of data files, but you are also obliged to make these processing regulations available to the Data Protection Officer .
Processing on your behalf
If there are processing activities in your company that you have outsourced to a contract-processing entity, the responsibility for ensuring legally compliant data protection rests with you. This means that you must ensure that the data processing is carried out in accordance with the contract and the law, and that data security is safeguarded. Any data transfer by the person processing the order to third parties also requires prior authorisation by the responsible person.
If your company discloses personal data outside the country, or if you are planning to move to the cloud, you are only allowed to do so if the destination country can guarantee suitable data protection there. Those countries with adequate data protection are listed in the regulation’s annex. However, adequate data protection can also be ensured via special guarantees, international treaties, data protection clauses and binding data protection regulations – as set out in Art. 16. 16 DSG no. 2, letters a-e. Whether the target country’s data protection is adequate must be “regularly” reassessed. If this assessment does not result in adequate data protection, disclosure must be stopped. Incidentally, according to the regulation , the FDPIC must be consulted before any decision on the adequacy of data protection is made. The anticipated number of requests leads us to assume that this requirement generally includes consultation of the list of countries published by the FDPIC, and is particularly advisable for target countries that are not included in the list.
According to the regulation, the minimum requirements for the content of the standard contractual clauses are (excerpt from Art. 9 para. 1 let. a-j DSV): the application of the principles, categories of data subjects or personal data disclosed, the nature and purpose of the disclosure, the rights of the data subjects and the names of the countries to which the data is disclosed.
Your inventory provides you with information about the categories of personal data being processed and where they were collected. As the person with responsibility, you are obligated to inform data subjects about the gathering of personal data in a concise, comprehensible and easily accessible manner.
As a federal body, you also need to inform the recipients of the personal data they are disclosing about its timeliness, reliability and completeness.
Rights of data subjects
The new Data Protection Act also strengthens the rights of the data subjects. Specifically, these include the right to access data, as well as the right to have it deleted, disclosed and corrected. All requests must be made in writing. You must also ensure that the applicant is correctly identified when providing information. The law also stipulates that the data subject has a duty to cooperate with you on this. A response must be given to a data subject right within 30 days and, in principle, free of charge. If it is anticipated that the effort required is disproportionate, the person concerned may be required to contribute to the cost. This contribution cannot exceed CHF 300.
The reasons for a refusal, limitation or deferral of the information must also be communicated to the parties concerned within the same timeframe. It is advisable to document and retain this information accordingly as proof.
Data protection incidents
In the event of what is known as a “data protection incident” or, under the law, a “breach of data security”, as the data controller you must report the incident to the FDPIC “as soon as possible”. If you are the data processor, you must inform the data controller if there are any there are “major risks” to the personality or fundamental rights of the data subjects. As a minimum, the following all need to be mentioned: the contact details for the contact person within the company, the kind of breach, the number of people affected, the consequences and risks for those affected and the measures taken. It may not always be possible to have all the information required to hand when a breach becomes recognised, so it is possible that as a first step a breach may be reported where only the basic known information is provided, and that the remaining information is still provided “as soon as possible” via a follow-up notification.
In addition, those people affected must also be informed of the nature and effects of the breaches, provided that this serves to protect the person concerned. Of course, these breaches need to be documented so that all the facts related to the incidents, their impact and the measures taken, are included. This documentation must be retained for at least three years starting from the date of the notification.
Data protection breaches: an expensive matter
Unlike the existing data protection law, a deliberate breach of the duty of care or the duty to provide information and disclosure can now be prosecuted, and it is punishable by a fine of up to CHF 250,000 for natural persons. Employees who are already aware of a breach and knowingly accept the consequences, and therefore act with potential intent, are liable to prosecution under the law. This means that not only data protection advisors, but also middle and upper management could be directly fined.
The new data protection law and its consequences: my verdict
DasIt is necessary for data protection not just to be dealt with at every level of the company, but also to be the subject of regular training sessions. On one hand, this prevents potential damage to the company’s reputation and, on the other hand, it also protects employees from committing unlawful acts that could lead to criminal prosecution.
Compliance with data protection, like information security, is not a static state that is attained, it consists of a multitude of interlocking, constantly refining processes. A continuous improvement process is required for formalisation, which also takes into account future changes or requirements and new processing.
There is still a little time left to do the homework, as the new law will not come into force until September 2023, pursuant to the Swiss Federal Council's decision. The most important steps are to create the registers of processing activities and to devote yourself to organising your own data protection.
The new law comes into force without a transition period. Companies would be well advised to tackle internal processes and responsibilities as soon as possible, and to actively make use of the “grace period”. If you need assistance, myself and our data protection experts will be happy to help you. On our website, you will find an overview of our data protection services – or contact us right away.