The draft contains many novelties and departs from the present DPA in a number of ways which must be anticipated. In particular, we highlight the following essential aspects of the proposed revision:
Exclusions and Amendments regarding the Scope of Application
- Protection for data specifically pertaining to legal entities shall be removed from the DPA. The Federal Council considers that such protection never played a fundamental role and, more importantly, contradicts European law, which grants no such protection;
- The draft DPA does not implement a right to data portability. The Federal Council considers that a right to data portability does not aim at protecting data subjects’ personality rights, but rather aims at increasing competition by allowing data subjects to reuse their personal data;
- Terminological modernisation: the concept of the “personality profile” is replaced by “profiling” and “special categories of personal data” now explicitly include genetic and biometric data;
- Various amendments to other laws shall be implemented alongside the revision of the DPA. This will in particular impact the Swiss Federal Code on Civil Procedure (CCP), the Swiss Federal Penal Code (CP) and the Swiss Federal Code of Penal Procedure (CPP).
Stronger Data Protection Obligations
- Obligations for data controllers
  - Information obligation – in particular, data subjects must be informed about the collection and processing of personal data as well as about decisions made via automated individual decision-making. Transparency in data processing is increased and data subjects can better exercise their rights;
  - Reporting obligation – in particular, data breaches shall be notified to the Federal Data Protection and Information Commissioner (Commissioner) unless an exception applies; in addition, cross-border transfers might require an authorisation from the Commissioner.
- Obligations for both data controllers and data processors
  - Obligation to perform an impact assessment whenever it appears that envisaged data processing may lead to an increased risk affecting the data subjects’ personality and fundamental rights, though exceptions apply. This fosters awareness of data protection issues and compliance with data protection laws, and facilitates the enforcement of other data protection obligations (such as information obligations);
  - Data protection by design and data protection by default. Hence, data protection shall be taken into consideration from the outset of any conceived data processing, in particular by implementing appropriate technical data protection measures, and any data processing must be set up with privacy-by-default settings;
  - The duty to declare files to the Commissioner shall be abolished for private persons. However, the data controller shall keep an inventory of its processing activities.
- Obligations for data processors
  - Data processors may only engage sub-processors with the prior written consent of the controller;
  - Data breaches shall be notified to the controller.
- The Federal Council will decide on the adequacy of third countries’ data protection legislation. The Federal Council publishes a legally binding list of third countries providing such adequacy;
- The information obligation with regard to standardised contractual safeguards and Binding Corporate Rules changes into an obligation to obtain prior authorisation from the Commissioner (unless they were drafted or already authorised by the latter).
Data Protection Commissioner
- Self-regulation shall be encouraged. Professional and business associations may elaborate codes of conduct and submit them to the Commissioner for an opinion;
- The Commissioner shall have the power to issue binding decisions.
- Criminal sanctions for data protection misconduct shall be increased significantly. In particular, fines of up to CHF 250,000 may be levied in case of intentional violations of certain provisions of the revised DPA.
This draft act is now set to go through the parliamentary process (and eventual referendum) before entering into force as the new DPA.
The final wording and entry into force of the revision depend on the outcome of the aforementioned process. There is currently no date for the entry into force, though it can be expected that this may take place on 1 August 2018, as the Swiss Federal Council wishes to implement the new legislation as soon as possible in line with its international engagements. We encourage businesses to use this time to proactively assess the draft’s impact on their activities and to start implementing or elaborating processes that will comply with the expected text of the future DPA. In particular, the following steps are helpful:
- auditing the internal data protection processes;
- performing a risk assessment in anticipation of the revised DPA;
- reviewing, enhancing and/or establishing processes, practices, documentation, contracts, policies and notices, etc.
Businesses will have to appraise on a case-by-case basis the extent to which their data protection processes need to be modified.