hat's the latest?
At its meeting on 31 August 2022, the Federal Council confirmed the entry into force of the new Data Protection Act (DPA) on 1 September 2023. The Federal Council also published the new Data Protection Ordinance (DPO) (as well as the new Ordinance on Data Protection Certification (ODPC), which will enter into force together with the DPA (media release in German).
What are the innovations in the just published ordinance (DPO)?
Here is a brief overview of the most important regulations of the DSV that are relevant in practice:
· Confirmation of the risk-based approach
In various provisions, the DPO confirms that the (due diligence) measures to be taken are based on the (potential) risk for the data subjects, e.g. with regard to data security and the transfer of personal data abroad.
· Duty to inform
As is well known, companies will have to provide information about the collection of personal data in future (e.g. by means of a data protection declaration). According to the DPO, the information must be provided "in a precise, transparent, comprehensible and easily accessible form". According to the explanatory report (in German), this means, for example, that in the case of the data protection declaration on the website, in accordance with the "best practice" approach, the information is available in the form of a structured overview. In order to obtain further information, the data subject can then click on this information displayed first, which opens a window with more detailed information.
· Data transfers abroad (e.g. in connection with cloud outsourcing):
o The Federal Council has published the countries with (from Switzerland's point of view) adequate data protection in the Annex to the Ordinance (this will replace the Federal Data Protection and Information Commissioner’s (FDPIC’s) current country list).
o If at a later date the Federal Council no longer considers a country to be equivalent, this will not affect data transfers that have already taken place.
o If standard contractual clauses of the European Commission (with corresponding adaptations to Switzerland according to the FDPIC's communication of 27.08.2021) ("SCC") are used, the controller must take "measures" to ensure that the data importer complies with the SCC. In the Federal Office of Justice's commentary on the DPO, this duty of care is specified as follows: "The appropriateness of the required measures depends on the circumstances in the specific case and the state of the art (...). " Here too, a risk-based approach is thus assumed. In this regard, the FDPIC has already published a guide on 18.06.2021 to checking the admissibility of direct or indirect data transfers to foreign countries.
· Data security breaches
The DPO contains a list of the minimum information to be provided when notifying the FDPIC and the data subjects of a data breach. There is also a documentation obligation (the documentation must be kept for at least 2 years from the time of the notification).
· Data Protection Advisor:
- Private companies are still free to appoint a Data Protection Advisor.
- For "federal bodies" (including companies organised under private law that perform tasks for the Confederation, e.g. pension funds in the compulsory sector), however, the appointment of a Data Protection Advisor will be mandatory in future. The contact details of the Data Protection Advisor must be published on the internet and communicated to the FDPIC.
· Register of Processing Activities (RoPA):
Companies under private law with fewer than 250 employees are in principle exempt from the obligation to keep a RoPA (exceptions apply in the case of extensive processing of "particularly sensitive personal data" or "high-risk profiling"). However, especially with regard to the creation of the data protection declaration, the maintenance of a RoPA can also be useful in these cases.
· Automated processing of personal data at "federal bodies":
Planned automated processing activities (e.g. in connection with automated decision-making) must be notified to the FDPIC at the time of the project decision and at the time of the transition to productive operation (or project termination).
· Logging and regulations for the automated processing of certain data: In the case of (automated) processing of "particularly sensitive" personal data (e.g. health data, extracts from criminal records, biometric data, etc.) and "high-risk profiling", the processing (storage, modification, reading, disclosure, deletion and destruction of data) must be logged under certain conditions. Likewise, under certain conditions, there is an obligation to draw up internal regulations (concerning internal organisation, data processing and control procedures, measures to ensure data security).
· Data protection impact assessments must be kept for at least two years (after the end of data processing).
What is the need for action for Swiss companies?
Companies now have one year for the (finalization of the) implementation of the new regulations. Particularly since the implementation may also have IT implications (e.g. introduction of deletion capacities), companies should get started now at the latest. You can find an overview of the necessary adjustments in the context of the revised data protection law in our recent blog.
In addition to the implementation deadline, there is another deadline: companies must also replace SCCs that are still based on the "old" version (i.e. before 27.08.2021) with the new SCCs (adapted to Switzerland) by 31.12.2022.
In our blog series, we provide up-to-date information on the requirements and innovations in data protection law.
Our Data Privacy | ICT | Implementationᐩ team at PwC Legal Switzerland supports companies in the private as well as the public sector in the implementation of the new data protection law with an efficient and pragmatic approach.