Revised DPA – the Council of States has completed its deliberation
19 December 2019 – The Council of States has discussed the draft of the revised DPA (revDPA). In doing so, it largely endorsed the decisions of the National Council (see media release, available in German only), which should make it easier to resolve the remaining differences, which both chambers of parliament are expected to take up in the spring session of 2020. It is therefore likely that the revDPA will enter into force in 2021.
Prima vista, the following aspects of the Council of States' version stand out:
- As proposed by the National Council, the revDPA contains a provision on the territorial scope (Article 2a revDPA).
- The term "personality profile" has been replaced by the term "profiling". Here the Council of States shares the view of its Political Institutions Committee and distinguishes between profiling as such and "high-risk" profiling. The latter is the case in particular if the controller processes data from several sources and across different areas of life, or if data is processed systematically and extensively with the aim of drawing conclusions about different areas of a person's life. Echoes of the personality profile of the current DPA are clearly discernible, which should matter for interpretation.
- Explicit consent will remain necessary for the processing of data requiring special protection, and also for high-risk profiling. This suggests that a high risk should only be assumed in clearly defined cases: given the operational cost of obtaining explicit consent, especially from offline customers, it would be unreasonable to require controllers to obtain explicit consent in cases of doubt.
- No further relief is attached to the appointment of a data protection officer. In return, however, controllers that have appointed one can avoid the obligation to consult the FDPIC where a data protection impact assessment reveals a high residual risk.
- The obligation to keep a record of processing activities does not apply to legal entities with fewer than 250 employees, provided the processing in question entails only a low risk.
- Controllers domiciled abroad (i.e. outside Switzerland) must, under certain conditions, appoint a representative in Switzerland.
- The duty to inform data subjects about a given processing covers the identity of the controller, the purpose of processing and the categories of recipients, but also, in line with the proposal of the Council of States' Political Institutions Committee, the list of data subject rights, where applicable the intention to process personal data for credit assessment purposes and (or?) to disclose it to third parties, all countries to which personal data is transferred and, where applicable, further details on the disclosure abroad.
- Exceptions to this duty to inform apply, inter alia, where informing the data subject would require disproportionate effort (in the case of data obtained from third parties). Unfortunately, however, the exception based on the controller's own overriding interests is, as already under current law, unavailable where the controller discloses personal data to third parties. At least a group privilege applies here, albeit one that is (certainly inadvertently) worded far too restrictively.
- Regarding the right of access, the Council of States has unfortunately deleted the clarification that the personal data being processed is only to be released "as such". This will further fuel the discussion in Switzerland as to whether the right of access confers a right to the disclosure of documents (probably not; even in Germany the tendency is in this direction).
- The exception to the right of access based on the controller's own overriding interests is likewise limited to cases in which personal data is not disclosed to third parties outside the group.
- The right of data portability will be introduced as envisaged by the National Council.
- Fortunately, the Council of States has deleted the ban proposed by its Political Institutions Committee on disclosing personal data to third parties without explicit consent.
- The Council of States has followed the National Council on the processing of personal data for credit assessment purposes. The statutory presumption of an overriding interest does not apply here if (i) data of minors is processed for the credit check, (ii) data older than five years is processed or (iii) high-risk profiling takes place. Conversely, it follows that a credit assessment as such cannot constitute high-risk profiling.
- The FDPIC is granted the power to issue binding rulings.
- Certain intentionally committed infringements, e.g. breach of the duty to inform, unlawful disclosure abroad and insufficient safeguards when engaging a processor, can be punished with fines of up to CHF 250,000. The addressee of the fine is determined in accordance with Article 29 of the Swiss Criminal Code, i.e. the fine is directed at the responsible natural person rather than the company. Among other things, as proposed by the Federal Council but contrary to the National Council, the violation of data security requirements is also punishable; the Federal Council is to specify the minimum requirements by ordinance.
- Transitional periods are provided for, but only for processing already under way, and only if the purpose of processing remains unchanged and no new data is obtained. For such processing operations, Article 6 revDPA (data protection by design and by default) and Articles 20 et seq. revDPA (data protection impact assessment) do not apply. In addition, the duty to inform when obtaining personal data (Article 17 revDPA) does not apply if no new data is obtained after the revDPA has entered into force. Otherwise, the application of the new law is governed by the final title of the Civil Code.
Thus, even before the remaining differences have been resolved, it is clear that the revDPA will entail considerable implementation effort, as it deviates significantly from the GDPR in many respects, in a few of them to the advantage, but in many to the disadvantage, of the companies concerned.