The revised Data Protection Act (nDPA) and its implementing ordinances, the ordinance on data protection (DPO) and the ordinance on data protection certifications (DPCO), will enter into force on September 1, 2023. The revised provisions shall be implemented prior to this date, as there is no transitional period from its entry into force.

 VERSIONPDF: Newsletter - June 2023.pdf

I.       Introduction

Following the adoption of the nDPA by the Federal Parliament on September 25, 2020, the Federal Council decided on August 31, 2022, that the nDPA and its two implementing ordinances will enter into force on September 1, 2023.

A complete amendment of Swiss data protection law was required to adapt the legal provisions to recent technology developments and strengthen data protection, as well as bring Swiss data protection closer to the European law requirements.

The amended law allows Switzerland to ratify the revised Convention 108 on data protection of the Council of Europe, ratification which will occur after the entry into force of the nDPA. According to the Federal Council, the amended provisions also allow Switzerland to maintain an adequate level of data protection within the meaning of the General Data Protection Regulation (EU) 2016/679 (GDPR). As a consequence, exchange of personal data within the European Union is authorized without any additional requirement.

II.     The main amendments

Under the nDPA, the general principles applicable to the processing of personal data (legality, transparency, purpose, proportionality, accuracy and security) have not been modified and correspond essentially to the applicable principles under the current legal provisions on data protection. With respect to the geographical scope of its application, art. 3 nDPA confirms recent case law of the Swiss Federal Court by expressly providing that the nDPA applies to any circumstances having an effect in Switzerland, even when they occurred abroad.

This being said, the nDPA and its implementing ordinances substantially amend Swiss personal data protection. The main amendments are the following:

-          Modernised terminology consistent with the GDPR (art. 5 nDPA): the concept of "controller of the data file" is replaced by "data controller" and the concept of "data processor" is introduced, these concepts corresponding to the terms used in the GDPR. Genetic and biometric data are included in the scope of sensitive data, and the concepts of profiling and high-risk profiling are added, adapting the nDPA to modern tools of data collection.

-          Limited personal scope of application (art. 2 para. 1 nDPA): the data pertaining to legal entities (commercial companies, associations, foundations, etc.) are no longer protected. Only individual will benefit from the legal protection under the nDPA. Legal entities will have to turn to other protective legal provisions, such as art. 28 of the Civil Code, art. 162 of the Criminal Code, the Federal Act on Unfair Competition or the Federal Act on Cartels and other Restraints of Competition.

-          Introduction of the concepts of Privacy by Design and Privacy by default (art. 7 nDPA): data protection shall be guaranteed by design (privacy is integrated into the design and operating of the IT systems and networks) and by default (default settings are defined on the most privacy-protective mode, the user being able to decide to change these settings subsequently).

-          Optional appointment of a data protection officer (art. 10 nDPA): private data controllers may appoint such an officer, internally or externally. The appointment of a data protection officer will have consequences on the obligations of the data controller, depending on his status.

-          Obligation to keep a register of processing activities (art. 12 nDPA): data controllers and data processors shall keep a register of their processing activities, the minimum requirements being specified in art. 12 para. 2 nDPA. This being said, private companies having less than 250 employees and whose data processing presents a limited risk of privacy breach would not be subject to such obligation.

-          Revised rules on cross-border transfers of personal data (art. 16 and 17 nDPA): the list of States presenting an adequate level of protection will be established by the Federal Council. If the recipient State does not present such an adequate protection, cross-border transfers of personal data are authorized under certain conditions, the list of guarantees having been modified.

-          Introduction of a general duty to inform data subjects when collecting personal data (art. 19 and 20 nDPA): the duty to inform of the collection of personal data applies to all personal data, irrespective of their qualification as sensitive data or personality profiles, as provided for under the current applicable law. Exceptions to this duty are also provided for under the nDPA. The form of the communication is not specified under the nDPA, which only provides for the type of information that shall be communicated.

-          Reinforcement of data subjects' rights: the nDPA strengthens data subject's access right (art. 25 nDPA) and introduces a right to receive and transmit personal data (right to receive personal data in electronic format) (art. 28 nDPA).

-          Duty to report data security breaches (art. 24 nDPA): if a data security breach represents a high risk for data subjects' personality or fundamental rights, the data controller shall report the breach to the Federal Data Protection and Information Commissioner (FDPIC). The data controller may also inform the data subjects in certain circumstances.

-          Role of the Federal Data Protection and Information Commissioner (FDPIC) amended (art. 49 and 50-52 nLPD): the supervisory powers of the FDPIC are strengthened and the FDPIC is empowered with a proper decision-making authority.

-          Revised sanctions in case of a breach of the nDPA: data controllers may be fined up to CHF 250'000.- in case of a breach of some obligations under the nDPA, including the duty to inform. By contrast with the GDPR, the individual responsible for the breach within the company is the principal target of the sanctions and not the company itself.

III.    Implementation of the new legal requirements

Due to the absence of transitional period from the entry into force of the nDPA, data controllers and data processors shall ensure to be compliant with the new legal requirements from September 1, 2023.

 The documentation on personal data protection shall be reviewed to ensure that it is compliant with the new legal provisions and it is likely that it will need to be updated. In particular, data controllers shall ensure that they comply with the principles of protection by design and by default, verify to which State(s) personal data are transferred and whether these States are mentioned on the Federal Council’s list, review any existing privacy policy/declaration in the light of the new legal requirements, and any existing consent forms, as well as ensure that the internal guidelines comply with the new legal requirements, in particular regarding the access right or the duty to report.

 As a consequence, the implementation of the nDPA shall be anticipated and the mandatory adjustments performed at the latest by August 31, 2023.

Back