Revision of the Swiss Data Protection Act on September 25, 2020 – What is new?

Author: Dr. Astrid Tran-Glück, Certified Data Protection Officer

The Swiss Data Protection Act (DPA) was revised on September 25, 2020 and is expected to come into force in 2022. How quickly things progress from here depends partly on the EU: the European Commission’s adequacy decision, which allows unhindered data transfers to Switzerland, still has to be renewed. This situation could put Switzerland under pressure to bring the revised DPA into effect more quickly.

The main changes in the new DPA are aligned with the European General Data Protection Regulation (GDPR) and consist of:
  • New governance obligations, such as the requirement to maintain records of data processing activities
  • The obligation to report data losses and other data security breaches to the Federal Data Protection and Information Commissioner (FDPIC)
  • The obligation to conduct data protection impact assessments (DPIA) for sensitive data processing

Companies that have already implemented the GDPR requirements will not have to make many additional changes. The main differences between the new DPA and the GDPR are:
  • The obligation to provide information on the relevant countries and legal bases in the case of data exports
  • The rights of data subjects, for which the DPA provides several exceptions
  • The obligation to report data breaches, for which the DPA does not set a 72-hour deadline and which applies slightly different thresholds
  • The appointment of a data protection officer or representative, which the DPA does not formally require

Most companies theoretically have enough time to implement the most important provisions of the revised DPA. However, even where the law does not require it, appointing a data protection officer or advisor is recommended so that the requirements of the revised DPA can be implemented properly.

As a first step, a company’s data protection statement should be reviewed in light of the new requirements and adapted; if none is in place, one should be created. Close attention must be paid to the internal review of data processing activities to ensure that every case in which the company obtains personal data is covered. Once this information has been gathered, the data protection statement can be updated or created and an inventory of data processing activities can be established.

Companies should also implement a process for data protection impact assessments, consisting of a description of the planned data processing activity, an assessment of the negative consequences for the affected data subjects, and a description of the countermeasures taken to alleviate those consequences.

It is also necessary to introduce a process for identifying, analysing, reporting and handling data security breaches, such as unintentional data losses and misdirected e-mails. Every company should also have a process in place for responding to requests from affected individuals, such as requests for access to their personal data.

Existing training should also be adapted to reflect the requirements of the revised DPA. As a final step, it is worth verifying the implementation of the new requirements by conducting corresponding audits.