On 25 September 2020, the Swiss parliament approved the new data protection law (DSG) – aka ‘revDSG’. These new regulations are due to take effect as early as September 2023. The revision of the DSG is driven by the desire to align data protection with the European General Data Protection Regulation (GDPR). However, the fully revised data protection law will deviate from the GDPR in certain respects. In certain points, the revDSG also goes beyond the GDPR and provides for stricter regulation of privacy than its European counterpart. For Swiss companies, this means that they must adapt to the new regulation by 01 September. Read on to discover what changes companies can expect and how they can deal with stricter data protection.
The changes at a glance – personal data takes centre stage
The Swiss DSG has been revised in pursuit of two objectives. On the one hand, it is to be aligned with the GDPR that applies throughout Europe. This aims to ensure that the European Union will continue to recognise Swiss data protection legislation as being sufficient while also safeguarding the uncomplicated exchange of data between the EU and Switzerland into the future.
On the other hand, the revDSG is also intended to keep pace with rapid developments in the spheres of technology and society. These include advances in cloud computing, big data, social networks and the Internet of Things (IoT).
The revDSG exclusively targets the protection of personal data – in other words the privacy of natural persons and not that of legal entities such as private and public limited companies (GmbH and AG). The revDSG has a particular focus on personally identifiable information (PII).
In future, the list of particularly sensitive data will also include genetic and biometric data that can be used to uniquely identify a natural person, for example, with the help of fingerprint or retina scans.
In addition, profiling as well as profiling with high risk will also be subject to new regulations. Profiling in relation to personal data means the automated processing of data for the purpose of evaluating specific personal aspects of a natural person. On the other hand, high-risk profiling involves linking data to allow an evaluation of relevant aspects of a person. In this case, the data subject must issue a clear declaration of intent.
Another development is the introduction of ‘Privacy by Design’ and ‘Privacy by Default’. With privacy by design, the controller must configure data processing during the product planning stage to adhere to privacy regulations and processing principles. Privacy by default means that the privacy settings of a product must be configured by default to minimise the processing of personal data when the product or service is purchased, unless otherwise specified by the customer.
The obligation to provide information will also be expanded. A person must be informed in advance if their data will be edited or processed. This no longer only applies to what is referred to as particularly sensitive data. What’s more, impact assessments must be carried out if there is a risk to a person’s character or fundamental rights.
Likewise, the disclosure obligation will also be expanded. This means that persons are entitled to receive any information required in order to assert their rights under the revDSG. Minimum levels of information are no longer sufficient. This is also linked with the right to data portability. Persons can request the data processor to hand over their data and to transfer it to a third party free of charge.
Reporting of and sanctions for privacy breaches
In the event of a privacy breach – such as the theft of data by cybercriminals – a company must report this immediately to the Federal Data Protection and Information Commissioner (EDÖB). This applies if there are substantial risks to the character and/or fundamental rights of the persons whose data has been leaked. The data subjects themselves must also be informed if this is deemed necessary for their protection. This may be the case, for instance, if login data or other sensitive information is stolen, potentially exposing the person to personal or financial losses as a result.
Companies that fail to comply with the new regulations can expect stiff financial penalties. Deliberate infringements of information and disclosure obligations as well as of the duty of care regarding personal data can incur a penalty of CHF 250,000. Recklessness can also be a sufficient ground to incur penalties. This is where the controllers have tacitly accepted the possibility of privacy legislation breaches. Unlike the GDPR, which focuses more on companies, the revDSG sanctions the responsible individuals, such as CEOs and CIOs, directly. Responsibility for prosecution lies with the respective public prosecutor’s office of the canton.
The EDÖB is also authorised to declare administrative measures, which can be used in future to prevent companies from editing and processing personal data and require them to delete specific data records.
Procedure for companies
Companies should take an inventory of their data before the revised DSG comes into force so as to gain an overview of the personal data they hold. This will also enable them to determine where they need to take action with regard to data compliance. Depending on the urgency, measures can then be taken to guarantee privacy and transparency in time for the deadline.
The introduction of consent and privacy management is also recommended. This will allow companies to track which data is collected and with whom it is shared. Companies will also be able to check quickly and easily which users have withdrawn their consent to data processing, for example. In this way, companies will have no difficulty complying with the new directives.