
New Data Protection Law in Switzerland

GDPR, DSG, DSGvO, DPA? everything explained.


lwlx

28 April 2023

@0x0000005

Data Protection in Switzerland & the new DPA effective in 2023

  • Federal Data Protection Act (DPA) of 2020 (effective 09/2023) applies to the processing of personal data of natural persons by private and federal entities.
  • Federal Data Protection and Information Commissioner (FDPIC) is responsible for data processing by federal and private entities.
  • Data processing by cantonal and communal entities falls under cantonal law; supervision is the responsibility of the cantonal and communal data protection commissioners. Alongside the DPA, the cantonal data protection acts therefore also apply.

Data protection primarily refers to the protection of individuals against "data power", not the protection of data itself.

"This law aims to protect the personality and fundamental rights of individuals about whom data is processed." (DPA, version of 25.09.2020)

What are personal data?

Personal data (data): all information that relates to an identified or identifiable natural person (Art. 5 DPA)

"A person is identifiable if the information provided does not allow a direct conclusion as to the identity (for example, by giving the name and address, or a number assigned to a person), but identification is possible on the basis of the given information (e.g., a 40-year-old employee of the Federal Office for the Environment, who has been in the service of the office for 15 years, has three children, and is a hobbyist musician at a high level)." (Epiney 2009)

Identifiability is given when...

  • someone with access to the data is able to find out which natural person it relates to, and
  • that someone is also willing to make the effort necessary to identify that person

The singularity ("singling out") of a subject is not sufficient as a characteristic for identifiability alone.

In case of doubt, it is better to be GDPR compliant rather than just DPA compliant, as the GDPR is generally stricter and more detailed.

Objectives of data protection

  • Protection of privacy and personality
  • Transparency
  • Ensuring the rights of the persons concerned

EU GDPR applicable since May 2018 and also relevant for many Swiss companies

  • The GDPR does not allow data collection by default
  • Applicability also to many Swiss companies (Art. 3 para. 2 GDPR), for example:
      • Processing initiated/performed by a controller or processor established in the EU (processing outside the EU is also covered)
      • Processing of data of EU persons
      • Offering of goods and services to data subjects in the EU
      • Monitoring of behavior of data subjects that takes place in the EU

Compared to the DPA, the GDPR is stricter

Main principles of the DPA

— Principle of proportionality (Art. 6 para. 2 DPA)

  • "Data minimization"
  • Only data that is actually needed for the purpose is collected
  • Data must be deleted after a certain period of time

— Purpose limitation principle (Art. 6 para. 3 DPA)

  • The purpose of data collection and processing must be recognizable to the data subject (e.g. stated in the privacy policy)

— Storage period (Art. 6 para. 4 DPA)

  • Personal data is destroyed or anonymized as soon as it is no longer necessary for processing purposes.
  • Data that no longer serves a purpose should be deleted

— Data accuracy (Art. 6 para. 5 DPA)

  • Whoever processes personal data must ensure that it is accurate. Inaccurate data must be corrected.

— Information obligation (Art. 19 DPA)

  • "Appropriate" information about the acquisition of personal data
  • Privacy policy is mandatory!

— Consent (Art. 6 para. 6 DPA)

  • Not generally required, often information is sufficient
  • Is required only in certain cases (e.g. automated individual decisions) and must be "explicit" only in certain cases (e.g. particularly sensitive personal data) → pre-ticked boxes are generally allowed

— Data protection by design and default (Art. 7 DPA)

  • Privacy by Design / Privacy by Default
  • Data protection must already be taken into account in the planning stage, measures according to the state of the art. Default settings are limited to the necessary minimum (not collecting all data by default, but only necessary data)
  • High risk: data protection impact assessment (Art. 22 DPA) → possibly a statement from the FDPIC

— Data security (Art. 8 DPA)

  • Measures must be appropriate to the risk (the data determines the risk: sensitive data must be better protected); in general, all personal data should be protected
  • Breaches of data security must be notified "as soon as possible" (under the GDPR: within 72 hours)

— Disclosure of personal data abroad (Art. 16 DPA)

  • Adequate level of data protection, otherwise consent is required
  • For example, the USA does NOT have an adequate level of data protection, here consent would be necessary

— Contract processing / processing by a processor (Art. 9 DPA)

  • The processor may only process the data in the way the responsible party (controller) would be allowed to do itself
  • The processor requires permission from the responsible party if it wants to pass the processing on to third parties

— Data protection adviser (Art. 10 DPA)

— Register of processing activities (Art. 12 DPA)

  • Directory describing which data is processed, how and where, and who is responsible for it.

— Right to information (Art. 25 DPA)

  • Generally free information to natural persons within 30 days (collected data, purpose, retention period)

— Data disclosure or transfer (Art. 28 DPA)

  • Any person can request from the responsible party the disclosure of their personal data that they have provided to them, in a common electronic format (if processed automatically)

Fines for individuals up to CHF 250,000 (Art. 60 ff. DPA) for intentional violations
