On 5 March 2021, the Federal Data Protection and Information Commissioner (FDPIC) published a short position paper on the revised Swiss Data Protection Act (revDPA). The position paper provides guidance for companies that are subject to the revDPA as to how to meet its requirements once it enters into force, which is expected to be in the second half of 2022 after the Federal Administration has completed drafting the associated implementing ordinances.
The revDPA will implement many of the requirements of the EU General Data Protection Regulation (GDPR) into Swiss law, although sometimes with a Swiss flourish. To quote the FDPIC “the new [revDPA] is in line with Switzerland’s legal tradition, as it features a high level of abstraction and is technology-neutral. It sets itself apart from the GDPR not only in its brevity, but also in the sometimes different terminology it uses.”
The FDPIC’s guidance provides some useful insights on how the revDPA may be applied in practice:
- Personal data of natural persons: it will come as a relief to many that in terms of material scope, the revDPA is aligned with the GDPR and will no longer protect personal data of legal entities, such as commercial organizations, associations and foundations. However, it is important to note that legal entities can continue to seek privacy protection under Article 28 of the Swiss Civil Code. Manufacturing and trade secrecy also remains protected under Article 162 of the Swiss Criminal Code as well as under the Federal Act against Unfair Competition and the Federal Act on Cartels and other Restraints of Competition.
- Cross-border data transfers: Unfortunately, the FDPIC does not provide guidance with respect to the aftermath of the Schrems II decision. However, the FDPIC had confirmed in a position paper dated 8 September 2020 that the Swiss-US Privacy Shield does not provide an adequate level of protection for the transfer of personal data from Switzerland to the United States. To date, the FDPIC has not provided any guidance as to what extent existing Standard Contractual Clauses (SCCs) must be adapted, and/or what additional supplemental safeguards must be implemented. However, the FDPIC confirms that it will recognize SCCs that have been approved by the European Commission under the GDPR, which will likely include the revised SCCs which are expected to be published shortly by the European Commission. In turn, the question arises as to whether the FDPIC will continue to accept the previous versions of EU SCCs, or whether companies will be forced to adapt the SCCs and transfer agreements they are currently using.
- Obligation to report personal data breaches: Pursuant to Article 24 revDPA, the controller must notify certain serious personal data breaches to the FDPIC “as soon as possible”. The FDPIC notes that “controllers should have previously drawn up a prediction of the potential implications of the breach and carried out an initial assessment as to whether there could be an imminent danger, whether data subjects need to be notified and how this could be done.” In turn, controllers do not need to inform the FDPIC about unsuccessful cyberattacks. Although, voluntary reports may be submitted to the FDPIC.
- Data protection officers (DPO): The revDPA expressly provides for the optional appointment of a DPO (Article 10 revDPA). Unlike under the GDPR, the designation of a DPO is always optional for private controllers. In its guidance (and in line with the GDPR), the FDPIC emphasizes the importance of the independence of a DPO, meaning that his or her activities should remain separate from other business activities of the controller, including other legal advice and representation. Notably, where a DPO has been appointed, there would be no need for a company to consult with the FDPIC in the event the outcome of a data protection impact assessment identifies a high risk for data subjects. In such case, consultation with the DPO is sufficient. Moreover, as opinions of the FDPIC can be accessed under the Freedom of Information Act, protecting business secrets may present another incentive to designate a DPO and avoid additional interaction with the FDPIC.
- Data protection impact assessments (DPIA): Pursuant to Article 22 revDPA, not only Federal bodies (as it was the case under the current law), but also private controllers will be obliged to conduct a DPIA prior to high risk data processing. According to the FDPIC (and in line with the GDPR) “the high risk comes from the nature, scope, context and purposes of processing – particularly when using new technologies. In particular, processing is deemed high risk if profiling or extensive processing of sensitive data is planned.”
- Sanctions: The applied sanction regime under the revDPA is an important difference from the GDPR. In the event of an intentional violation of the revDPA, private individuals (and not the company) may face criminal sanctions of up to CHF 250,000.00 (Article 54 revDPA). Additionally, companies may be sanctioned with a fine not to exceed CHF 50,000.00 if it is not possible to identify the responsible private individual within the company for such intentional violations. Unlike under the GDPR, it is not the FDPIC that can impose these fines. These powers remain with the cantonal criminal prosecution authorities. The FDPIC can simply report to these authorities the non-compliance of the revDPA that it considers should be subject to a fine. The future will show how these authorities will work together and how these fines will be applied.
- The role of the FDPIC: The revDPA vests new powers to the FDPIC. It will now investigate all violations of the revDPA, unless it is a minor breach (Article 49 revDPA). The FDPIC confirms, however, that a controller can prevent formal sanctions if he or she recognizes and rectifies the deficiencies in the application of the law within a reasonable time period after having been notified by the FDPIC. Interestingly, the FDPIC confirms that it will continue to prioritize investigations according to the principle of discretionary prosecution due to its limited resources. Moreover, the FDPIC now has the power to issue binding decisions – which could be appealed by a concerned controller. The FDPIC may order a controller to delete personal data or even adapt, suspend or discontinue its processing activity, including to send specific notices to data subjects.
- Fees: The FDPIC will now charge a controller additional fees to, for example, issue opinions on DPIAs and codes of conduct and to issue approval of standard data protection clauses. Also, the FDPIC states that it will no longer consult private controllers for free.
In addition to the above, the FDPIC also commented on the duty to provide privacy notices, the rights of data subjects, the principles of privacy by design (data protection through technology design) and privacy by default (only data that is absolutely necessary to a specific purpose is processed) as well as data portability, certifications and the obligations to keep records on the processing activities.
The short commentary is available on the FDPIC’s webpage.