Client Alert: Update on the Revision of the Swiss Data Protection Act

On 15 September 2017 the Swiss Federal Counsel published the draft of the revised Swiss Data Protection Act (“Revised DPA”) following the consultation procedure on the Predraft of 21 December 2016 (“Predraft”). The Revised DPA takes into account some of the criticism raised against the Predraft by correcting and specifying a range of data protection duties and abolishing in many instances the so-called “Swiss Finish” (i.e. provisions which were more extensive than the ones under the General Data Protection Regulation, “GDPR”). As regards the content, the Revised DPA is now closer aligned with the provisions of the GDPR than the Predraft was.

Please kindly note the following summary of the most relevant changes introduced by the Revised DPA in comparison to the Predraft:

Reduced: Amount of Fines (Articles 54 et seq. Revised DPA)

The major source of criticism against the Predraft were the fines for non-compliance with certain duties. The Revised DPA now reduces such fines (from previously CHF 500,000 in the Predraft) to a maximum amount of CHF 250,000 in the case of intent. While liability for negligence (previously fined with up to CHF 250,000 in the Predraft) has been abandoned in the Revised DPA, it still maintains the principle, that fines shall be imposed on natural persons being responsible for data protection and only in the second degree on companies with a maximum charge of CHF 50,000 (previously CHF 100,000 in the Predraft). The Swiss Federal Data Protection and Information Commissioner (“FDPIC”) is disappointed about this outcome and comments on this as follows in his notice of 15 September 2017: “[…] the proposed sanctions (a maximum fine of CHF 250,000) are a very weak deterrent when compared with those in the GDPR (20 million euros or 4 per cent of the annual turnover). Moreover, he fears that in practice they will affect subordinate employees of the miscreant enterprises rather than the enterprises themselves.”

New, only fines shall be imposed for the breach of certain co-operation duties towards the FDPIC, breach of information duties, breach of the cross-border data transfer duties, breach of duties relating to data processing by third parties and breaches relating to data security requirements. No longer punishable are violations in connection with privacy impact assessments and breach notifications as suggested under the Predraft.

New: Data Protection Counsel (Article 9 Revised DPA)

The Revised DPA introduces the new role of the “Data Protection Counsel” who can be designated by private companies (controllers) inter alia in order to be relieved from the obligation to consult the FDPIC, if a privacy impact assessment reveals a high data protection risk. Similar to the corporate Data Protection Officer under the GDPR, the Data Protection Counsel under the Revised DPA has to have expert knowledge, fulfill his tasks independently, may not receive any instructions by the data controller with regard to his tasks as Data Protection Counsel and must not perform any tasks that result in a conflict of interests.

Specified: Index of Processing Activities (Article 11 Revised DPA) and Privacy Impact Assessment (Article 20 Revised DPA)

The Revised Draft now further specifies the content (i) of the index of data processing activities to be maintained and (ii) of the data protection impact assessment to be conducted by controllers and processors.

The index of data processing activities has to indicate the identity of the controller, the purpose, categories of data subjects concerned and categories of personal data as processed, categories of recipients, retention period, measures implemented to ensure data security and in the event of cross-border data transfers, the indication of the country and the guaranties implemented. Moreover, the index has to be notified to the FDPIC. Also the processor has to maintain such an index, however, with fewer indications to list than the controller. Companies with less than 50 employees are exempted from this obligation. As regards the privacy impact assessment this must now contain a description of the planned processing, an assessment of the risks for the personality or the fundamental rights of the data subjects concerned and the measures to protect the personality and the fundamental rights. Controllers are exempted from performing a privacy impact assessment, if they are certified according to Article 12 Revised DPA or if they comply with a Code of Conduct.

Simplified: Cross-border Data Transfer (Article 13 Revised DPA)

The requirements for a compliant data transfer to countries without an adequate data protection have changed: while individual data protection agreements for a specific transfer only need to be notified to the FDPIC before starting the transfer, more general safeguards for data transfers such as standard data protection clauses or codes of conduct need prior approval by the FDPIC. Such approval may either be granted within three months or the authority has to open an administrative investigation. Binding group internal data protection rules need prior approval by the FDPIC or alternatively by a competent authority of a country with an adequate data protection level.

Clarified: Codes of Conduct (Article 10 Revised DPA) / Certification (Article 12 Revised DPA)

The Revised DPA stipulates that professional and business associations can submit Codes of Conduct with regard to data protection in their field of interest to the FDPIC, which will take official position on the Codes and publish such position. Furthermore, the Revised DPA sets out that producers of data processing systems and programs as well as processors and controllers can subject their systems, products and services to the assessment of independent and acknowledged certification bodies. The FDPIC shall adopt implementing provisions for the recognition of such certification procedures within two years after the new DPA will have come into force.

Time Schedule

The Revised DPA will now be debated in the Swiss Parliament and the Swiss Federal Council predicts that the Revised DPA will come into force in August 2018. However, given the fact that inter alia the subject matter of the fines is still severely being criticized, it is questionable whether the Revised DPA will pass smoothly through the debates in the Swiss Parliament. The date of entering into force in August 2018, therefore, seems very optimistic.

Since the GDPR will apply already as from 25 May 2018 it is highly advisable for companies doing business in Switzerland to already be compliant with the GDPR as from the said date. All work done to be compliant with the GDPR is also relevant for the Revised DPA – especially now since it is even more aligned with the GDPR than the Predraft was.

NKF Offerings

The NKF Data Protection Team has the knowledge, experience and resources to assist in all data protection matters (see offerings here). The NKF Data Protection Team also holds tailor-made presentations in-house, has trained administrative personnel to support in the data mapping/fact finding stage, performs data protection due diligences and assists in the drafting of new provisions and policies as required under the Revised DPA and GDPR. Please also sign up here to our Data Protection Client events