Which changes does the revised Data Protection Act entail?
Even though the revised Data Protection Act doesn’t have any fundamental amendments, there are still several points that will change from September 1, 2023. We show you exactly what they are.
- Data that refers to legal entities is no longer covered by the Data Protection Act. Now only data connected with natural persons falls into the act’s area of application.
- Information obligations have been expanded. For example, now when the responsible person informs affected people, they must include their identity, contact details, the processing purpose, and the recipients and categories of recipients of the data. However, the revised act does not include an exhaustive list of required information. Those responsible must therefore check for themselves whether data subjects should be provided additional information in order to meet the requirements of the Data Protection Act. This requires reporting the information that is required for affected people to be able to assert their rights. The information must also be provided in a precise, transparent, comprehensible, and easily accessible way.
- Companies are now required to conduct a data protection impact assessment if the data processing entails a high risk to the personal or fundamental rights of the data subjects. This must be documented.
- Privacy-by-design and privacy-by-default are introduced. They obligate companies to already take account of data processing principles at the planning and design stage of applications and, for example, not to use default settings to obtain data subjects’ consent for more than the data processing that is absolutely necessary.
- A directory of processing activities is mandatory for companies that have 250 or more employees. However, the ordinance on the act provides for an exception for SMEs whose data processing only entails a minor risk of violating the personal rights of data subjects.
- The revised Data Protection Act introduces a new reporting obligation for violations of data security into Swiss law: The responsible person must report every violation of data security that is likely to entail a high risk for the personal rights of the data subjects to the Federal Data Protection and Information Commissioner (FDPIC). The notification must be submitted as soon as possible. Compared with the reporting obligation under the GDPR, the threshold for the reporting obligation is higher (“high risk” vs. “risk”). If it is necessary to protect data subjects or required by the FDPIC, then the responsible person must also inform the data subjects.
- The term profiling has now been included in the act. Profiling is the automatic data processing during which aspects of the personality of those affected are rated based on the data collected.
- The revised act differentiates between the terms responsible person and order processor. This distinction already exists at least within the meaning of the current act, but will now be expressly stated in the revised act.
- The previous obligation to register data collections has been removed.
- The area of responsibility of the FDPIC is significantly expanded. The FDPIC is now authorized, on its own initiative or based on a complaint, to carry out investigations and collect evidence. It has also been granted the authority to issue rulings: instead of recommendations, as before, the FDPIC can now issue binding orders. These can be appealed by the affected company if it does not want to accept the order.
- The revised Data Protection Act also introduces tougher sanctions. Now a number of violations can be punished with fines of up to CHF 250,000.