On 25 September 2020, the two chambers of parliament reached common ground on the revision of the Federal Data Protection Act ("DPA"), thereby concluding a three-year deliberation process that started in September 2017 when the Federal Council submitted its draft for a revised DPA to parliament. The revision strengthens the protection of individuals' personal data and responds to technological advancements and to developments in international data protection standards (including the EU General Data Protection Regulation ("GDPR")). It is meant to allow Switzerland to uphold its status as a country adequately protecting personal data from an EU perspective. The Federal Council will decide on entry into force at a later stage.
As key amendments, the revision provides for strengthened individual rights, increased transparency in data processing activities and extended governance and process rules for data controllers ("Controllers") and processors ("Processors"). The revised DPA also stipulates more severe fines for particular violations, as well as certain reliefs.
1. Key Amendments
(each item is followed by a comparison to the GDPR)
a) Strengthened Individual Rights
- Enhanced information duties: Individuals must (at the time of collection) be informed about the Controller's identity and contact information; the purpose(s) of processing; the identity of recipients (or the categories of recipients) in case of disclosure to third parties; and, in case of cross-border disclosure, the jurisdiction to which the data is transferred and, where applicable, the safeguards implemented.
Although mostly in line with the GDPR, the revised DPA additionally requires disclosure of every jurisdiction to which personal data is transferred (Swiss Finish).
- New right to intervene in case of automated decision making: Individuals must be informed of decisions based solely on automated data processing that have legal effects on them or significantly affect them. The affected individual may generally request to express his or her point of view and to have the decision reviewed by a natural person.
The GDPR is stricter, as automated decision making requires a justification from the outset.
- New right to data portability: Individuals have the right to receive their own personal data in a commonly used electronic format, where the processing is (i) carried out by automated means and (ii) based on consent or occurs in direct connection with the conclusion or performance of a contract.
This is generally in line with the GDPR.
b) Extended Governance & Process Rules
- Keeping of data processing records / No more duty to register data files: Controllers and Processors must maintain records of the data processing activities under their respective responsibility. An exemption applies to companies with fewer than 250 employees whose data processing is low-risk. This new duty replaces the former duty to notify data files to (and register them with) the Federal Data Protection and Information Commissioner ("FDPIC").
The GDPR's relief from maintaining data processing records only applies if, in addition to the abovementioned prerequisites, data are processed only occasionally and no special categories of data or data relating to criminal convictions and offences are processed.
- Use of Processors and sub-Processors: Controllers may generally assign data processing to a Processor either by agreement or by law. However, a Processor may not engage a sub-Processor without the prior consent of the Controller.
In contrast to the GDPR, the revised DPA does not prescribe any (minimum) content for a data processing agreement.
- Data Protection Impact Assessment ("DPIA"): Controllers must perform a DPIA whenever it appears that an envisaged data processing activity is likely to lead to a high risk to an individual's personality or fundamental rights (e.g. in case of extensive processing of sensitive personal data or systematic monitoring of public areas). The Controller must generally consult with the FDPIC prior to such processing if the DPIA indicates that the contemplated processing may be of a high-risk nature despite any measures taken.
This is generally in line with the GDPR.
- Data breach notification: Data breaches that are likely to lead to a high risk to the personality or fundamental rights of the individual(s) concerned must be notified to the FDPIC as quickly as possible. Where necessary for the protection of the individual or if requested by the FDPIC, the Controller must also notify the respective individuals.
While the revised DPA does not provide for a firm deadline, under the GDPR data breaches must - where feasible - be notified to the supervisory authority within 72 hours, unless the breach is unlikely to result in a risk to the individual's rights and freedoms.
- Swiss representative: Controllers domiciled (or resident) abroad must designate a representative in Switzerland in case the processing of personal data of Swiss individuals is: (i) related to the offering of goods or services in Switzerland or monitoring of their behavior; (ii) extensive and takes place on a regular basis; and (iii) likely to result in a high risk to the individual's privacy.
To fall under the GDPR's obligation to designate a representative in the EU, processing personal data of individuals in the EU in the context of offering goods or services to them or monitoring their behavior is sufficient (unless processing is limited to the occasional, small scale processing of non-sensitive personal data).
c) No more protection for legal entities
Personal data pertaining to legal entities is no longer covered by the DPA.
This is in line with the GDPR, and most foreign data protection laws.
d) Increased Duties of FDPIC
The FDPIC has the competence to issue extensive good practice recommendations and render binding administrative decisions (e.g., to modify or terminate unlawful data processing). Further, professional, sectoral and trade associations may submit codes of conduct to the FDPIC for public comment. The authority to assess whether a country provides for adequate protection of personal data (in relation to cross-border transfer), however, is transferred to the Federal Council.
Unlike most other European data protection authorities, the FDPIC still cannot impose any (administrative) fines.
e) Introduction of Severe Fines
Fines for willful misconduct are increased significantly, from previously up to CHF 10k (for violations of a limited enumeration of duties) to up to CHF 250k for a broader catalogue of offences (failure to comply with orders and with duties related to information, disclosure or cooperation, and breaches of professional secrecy). Any such fine, however, must be pursued in a court of law of competent jurisdiction.
If a (pursued) fine does not exceed CHF 50k and the breach is committed within a business, the prosecutor may refrain from prosecuting the responsible individual and instead hold the business liable for payment of the fine.
The GDPR primarily provides for administrative fines levied against companies (whereas the revised DPA also provides for fines against individuals within companies; Swiss Finish). GDPR fines, however, can reach up to EUR 20 million or 4% of the legal entity's worldwide annual turnover, whichever is higher, depending on the infringed duty.
2. Key Takeaways
- Individual rights are strengthened and governance and process rules extended. Further, technological advancements are accounted for and certain long-awaited reliefs introduced.
- No shift in paradigm: Unlike under the GDPR (where data processing is generally prohibited unless justified for specific reason(s)), under the DPA processing in accordance with the general data processing principles (i.e. lawfulness, good faith, binding purpose, proportionality, accuracy) generally remains permitted. A justification (such as consent or an overriding interest) is only required where personal data is processed contrary to the general data processing principles (i.e. data processing is generally permitted unless prohibited for specific reason(s)).
- GDPR compliance mostly covers DPA compliance: there are very few Swiss Finishes, i.e. rules that go beyond the GDPR's requirements.
- Cross-border transfer regime remains largely unchanged: Cross-border disclosure to any jurisdiction providing an adequate level of data protection remains permitted. The Federal Council (instead of the FDPIC as under the current regime) decides on the jurisdictions providing adequate protection (adequacy decision). For transfers to other countries, Controllers or Processors exporting data may rely on treaties, contractual clauses notified to the FDPIC in advance or pre-approved standard contractual clauses or binding corporate rules. The Swiss-US Privacy Shield may no longer be relied upon for a transfer of personal data to the United States. The duty to notify the FDPIC in case cross-border transfer is based on pre-approved standard contractual clauses or binding corporate rules is removed.
3. Next steps
Controllers and Processors in Switzerland and abroad should, in particular:
- review privacy policies and notices for compliance with the extended information duties;
- establish processes to address requests related to the exercise of individual rights and to respond to (and promptly notify) data breaches;
- keep and update records of data processing activities, as required;
- review and amend existing data processing agreements, as necessary; and
- assess whether they must designate a representative in Switzerland.
The Federal Council will decide at a later stage when the revision will enter into force. However, the new provisions on the duty to conduct a DPIA (and to implement privacy by design/by default) do not apply to processing activities initiated before the entry into force of the revised DPA, provided the purpose of processing remains unchanged and no new personal data is being collected.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.