After three years of discussions and in a final debate, the Swiss parliament has agreed on the final draft bill of a new and modernized data protection law.
In particular, the National Council and the Council of States found a compromise on these outstanding issues:
- Definition of the term “profiling” (Article 4 (f) and (fbis) nDPA): The two chambers followed the suggestion of the Council of States to introduce “high risk profiling” in addition to normal “profiling”.
- Express consent (Article 5(7) nDPA): In accordance with the compromise regarding profiling, express consent will be required for the processing of sensitive personal data as well as for profiling by a Federal authority and “high risk profiling,” as suggested by the Council of States.
- Justifications in relation to the verification of the creditworthiness of a customer (Article 27(2)(c) nDPA): According to Article 27(2)(c) nDPA, a violation of the data protection principles set out in the law may be justified if the data controller processes personal data in order to verify the creditworthiness of a customer and if certain conditions are met: (1) the data controller neither processes sensitive data nor conducts high risk profiling, (2) the data is only transferred to third parties if required for the conclusion or processing of the contract with the customer, and (3) the processed personal data does not go back more than 10 years (instead of 5 years as originally suggested by the Council of States and the Federal Council).
The Federal Council will set the date for the entry into force of the revised law. That decision will depend on whether there will be a public vote, as the draft bill is subject to an optional referendum (the time limit for which is 100 days), as well as on how fast the Federal Council can update the Ordinance to the law (regulating some provisions in more detail).