On September 25, 2020, the Federal Chambers approved the revision of the Federal Data Protection Act, which was initiated on September 15, 2017. However, since the implementing ordinances will still have to be put out to consultation, the new version is not expected to come into force before January 1, 2022, which gives companies about a year to comply.
As Switzerland is not a member of the European Union, the transfer of personal data from Switzerland to a member state of the European Union can only take place without special safeguards if the European Commission recognizes that Swiss legislation guarantees an adequate level of protection (art. 45 GDPR), that is, a level of protection more or less equivalent to the one now provided by the General Data Protection Regulation (GDPR).
In order to guarantee the competitiveness of Swiss companies and to allow the free flow of data from Switzerland to the member states of the European Union, the legislator has therefore set itself the goal of bringing the new version of the law sufficiently close to the GDPR to ensure that the European Commission will continue to consider the Swiss level of protection adequate.
It is therefore against the yardstick of the GDPR that this revision has taken place. What are the key points to retain?
- The new law will apply not only to Swiss companies, but also to companies located abroad whose processing “has effects in Switzerland” (art. 3), which in our opinion means companies whose activities also take place in Switzerland (including through e-commerce). In this case, the foreign company must appoint a representative in Switzerland (art. 14). The Swiss legislator thus mirrors the rules the GDPR applies to Swiss companies (art. 3 para. 2 and art. 27 GDPR).
- The data controller must keep a register of files (art. 12), thus taking up the inventory requirement of art. 30 GDPR.
- The controller may appoint a data protection officer (DPO), but is not obliged to do so (art. 10). Swiss law is therefore broader and more flexible in this respect than Articles 37 and 38 GDPR, which require such an appointment under certain conditions.
- Any recourse to a sub-contractor must give rise to a contract relating to the processing of data (art. 9), a situation comparable to that referred to in art. 28 GDPR.
- The data controller must carry out a privacy impact assessment when the intended processing may result in a high risk to the personality or fundamental rights of the person(s) concerned (art. 22), a situation comparable to that referred to in art. 35 GDPR.
- The controller must inform the Federal Commissioner of any security incident that is likely to pose a high risk to the personality or fundamental rights of the person concerned (art. 24). In doing so, Swiss law is similar to the GDPR, but does not regulate the obligations imposed on the data controller as precisely as the GDPR does (art. 33-34 GDPR).
- The rights of the individuals whose data are processed, which the data controllers must implement, are now extended with regard to: the duties of transparency and information of the data controller (art. 19), the right to request that a natural person be involved in any automated decision based on the processing of personal data (art. 21), the right of access (art. 25-27), and the right to the delivery or transmission of personal data (art. 28-29). Although Swiss law is similar to the GDPR, the granularity offered here is nevertheless less than that of art. 16 et seq. GDPR.
- The Federal Commissioner will have broad powers to investigate and impose sanctions, including the suspension of the processing in question and the imposition of a fine of up to CHF 250,000 in the event of intentional violation of the obligations imposed on the data controller concerned (art. 49-51, art. 60-63), it being specified that the Cantons are responsible for prosecuting and judging offences (art. 65). In this respect, Swiss law does not go nearly as far as the GDPR, whose violation is punishable by penalties of up to € 20 million or, in the case of a company, up to 4% of its total annual worldwide turnover (art. 65).
In the end, Swiss companies that have already taken steps to comply with the GDPR will have little additional effort to make to comply with the new version of the Federal Data Protection Act. For all others, it is time to take a close interest in this new regulation, which will no doubt see the Federal Commissioner exercise the new prerogatives conferred on him with greater zeal, as the approach now followed by the European authorities in this area shows.
Unless they are willing to take the risk of being fined or, worse, of having to suspend data processing on which their operational continuity depends, Swiss companies will have to take the necessary steps to prepare themselves. They have one year to do so.