The new Swiss Data Protection Act introduces several key provisions, including the requirement for entities processing personal data to maintain detailed records of their data processing activities. The regulation outlines specific elements that must be included in the records of data processing, such as the purposes behind the processing, the categories of personal data processed, and the particulars of data transfers to foreign territories, among other requirements. Let's unpack what this means for businesses and data handlers in Switzerland.

Applicability and Responsibility

A common query arises: are all businesses subject to this requirement? Essentially, the answer is affirmative, with limited exceptions. Regardless of whether you operate a global conglomerate or a nascent startup, if your operations involve personal data processing, the Swiss Data Protection Act obliges you to document these activities. Responsibility for maintaining these records falls on the shoulders of both data controllers (those who determine the purposes and means of processing personal data) and processors (entities that process data on behalf of the controller).

Checklist for Data Controllers

  • Data controller identification: identify the entity responsible for data management.
  • Data processing purposes: indicate 'the why' behind processing activities.
  • Categories of data subjects: define the groups of individuals whose data is being processed.
  • Categories of personal data: specify the types of personal data being handled.
  • Data recipients: identify any third parties granted access to the data.
  • Data retention periods: specify the duration for which the data will be stored or outline the criteria used to determine this period.
  • Data security measures: describe the protocols established to ensure data security.
  • International data transfers: for data shared across borders, provide details of the destination countries and the protective measures implemented.

Checklist for Data Processors

  • Data processor identification: identify the entity processing the data.
  • Data controller's details: record the identity of the data controller on whose behalf the processing is conducted.
  • Nature of processing activities: detail the types of processing undertaken on behalf of the controller.
  • Data security measures: describe the protocols established to ensure data security.
  • International data transfers: for data shared across borders, provide details of the destination countries and the protective measures implemented.

Limited Exemptions

Private entities with fewer than 250 employees and natural persons are generally exempt from this record-keeping obligation. However, there's a catch: if the processing involves a significant volume of sensitive data or entails high-risk profiling, record maintenance is mandatory, irrespective of the entity's size.

Implementing Effective Data Processing Records

Implementing an effective record-keeping system might seem daunting, but it rests on a few key principles. First, ensure clarity and accessibility of records. This means keeping records in a format that is easy to understand and readily available for inspection by the relevant authorities. Second, adopt a proactive approach to record-keeping. Regularly assess whether your data processing activities or workforce size trigger the record-keeping requirement.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.