The preliminary draft contains many novelties and departs from the present DPA in a number of ways which must be anticipated. In particular, we highlight the following essential aspects of the proposed revision:
Exclusions and Amendments regarding the Scope of Application
- Protection for data pertaining to legal entities shall be removed from the DPA. The Federal Council considers that such a protection never played a fundamental role and, more importantly, contradicts European law which grants no such protection;
- The draft DPA does not implement a right to data portability. The Federal Council considers that a right to data portability does not aim at protecting data subjects’ personality rights, but rather aims at increasing competition by allowing data subjects to reuse their personal data;
- Terminological modernisation: the concept of the “personality profile” is replaced by “profiling” and “special categories of personal data” now explicitly include genetic and biometric data;
- Various amendments to other laws shall be implemented alongside the revision of the DPA. This will in particular impact the Swiss Federal Penal Code (CP) and the Swiss Federal Code of Penal Procedure (CPP).
Stronger Data Protection Obligations
- Obligations for data controllers
  - Information obligation – in particular, data subjects must be informed about the collection and processing of personal data as well as about decisions made via automated individual decision-making. Transparency in data processing is increased and data subjects can exercise their rights better;
  - Reporting obligation – in particular, data breaches shall be notified to the Federal Data Protection and Information Commissioner (Commissioner) unless an exception applies; cross-border transfers might require an authorisation from the Commissioner.
- Obligations for both data controllers and data processors
  - Obligation to perform an impact assessment whenever it appears that envisaged data processing may lead to an increased risk affecting the data subjects’ personality and fundamental rights. This fosters awareness of data protection issues and compliance with data protection laws, and facilitates enforcement of other data protection obligations (such as information obligations);
  - Data protection by design and data protection by default. Hence, data protection shall be taken into consideration from the outset of any envisaged data processing, in particular by implementing appropriate technical data protection measures, and any data processing must be set up with privacy-by-default settings;
  - The duty to declare files to the Commissioner shall be abolished for private persons. An obligation to document the data processing will however replace it.
- Obligations for data processors
  - Data processors may only engage sub-processors with the prior written consent of the controller;
  - Data breaches shall be notified to the controller.
- The Federal Council will decide about the adequacy of third countries’ data protection legislation. The Federal Council publishes a legally binding list of third countries providing for such adequacy;
- The information obligation with regard to standardised contractual safeguards and Binding Corporate Rules changes into an obligation to obtain prior authorisation from the Commissioner (if not drafted or already authorised by the latter).
Data Protection Commissioner
- Self-regulation shall be encouraged and the Commissioner shall be called upon to issue extensive good practice recommendations;
- The Commissioner shall have the competence to render binding decisions.
- Criminal sanctions for data protection misconduct shall be increased significantly. In particular, fines of up to CHF 500,000 may be levied in case of certain violations of the revised DPA.
The legislative process will follow its course, with the consultation period running until 4 April 2017. Given the increasing importance of data protection issues, participation in the consultation process may be an efficient way for businesses to share their opinions and possible concerns about the draft legislation.
The final wording and entry into force of the revision depend on the outcome of the consultation process and the subsequent parliamentary debates.
We nevertheless encourage businesses to use this time to proactively assess the preliminary draft’s impact on their activities and to start implementing or elaborating processes that will comply with the expected text of the future DPA. In particular, the following steps are helpful:
- auditing the internal data protection processes;
- performing a risk assessment in anticipation of the revised DPA;
- reviewing, enhancing and/or establishing processes, practices, documentation, contracts, policies and notices, etc.
Businesses will have to appraise on a case-by-case basis the extent to which their data protection processes need to be modified.