The revDPA remains based on the premise that the processing of personal data is lawful as long as it complies with the general data protection principles. In other words, where personal data is processed in a fair, transparent and proportionate manner for a defined purpose, it is presumed to be lawful.
If processing violates any of these principles, the controller must either act on the basis of consent or establish an overriding public or private interest as justification. As a result of this approach, many processing activities (including profiling for marketing purposes based on event data) do not require consent under Swiss law where consent would be required under the GDPR.
Yet the revDPA contains many novelties and departs from the present DPA in a number of ways which must be anticipated. In particular, we highlight the following essential aspects of the revDPA:
Scope of Application
- No further protection for data specifically pertaining to legal entities. Unlike today’s DPA, the revDPA no longer protects legal entities as data subjects, as the Federal Council considered that such protection never played a fundamental role and, more importantly, contradicts European law, which grants no such protection.
- The territorial scope is effect-oriented. In practice, companies may be subject to the revDPA where they process personal data (i) relating to a data subject ordinarily resident in Switzerland and/or (ii) through a Swiss establishment.
- The revDPA regulates both profiling and automated individual decision-making. Unlike the GDPR, the revDPA introduces the concept of “high-risk profiling”. The definition builds on the concept of “personality profiles” in the current DPA and triggers several obligations for the controller, e.g. to carry out a data protection impact assessment.
- “Sensitive personal data” now explicitly include genetic and biometric data.
- The Federal Council will decide on the adequacy of third countries’ data protection legislation and publishes a legally binding list of third countries providing such adequacy.
- Standardised contractual safeguards and Binding Corporate Rules need to be approved by the Federal Data Protection and Information Commissioner (such approval may also take the form of a general recognition of, e.g., the EU model clauses).
- Self-regulation shall be encouraged. Professional and business associations may draw up codes of conduct and submit them to the Federal Data Protection and Information Commissioner for an opinion.
- The Federal Data Protection and Information Commissioner shall have the power to issue binding decisions.
- Criminal sanctions for data protection misconduct are increased significantly. In particular, fines of up to CHF 250,000 may be levied in case of intentional violations of certain provisions of the revDPA.
Stronger Data Protection Obligations
Obligations for data controllers
- Information obligation – in particular, data subjects must be informed about the collection and processing of personal data as well as about decisions made via automated individual decision-making. This increases transparency in data processing and allows data subjects to exercise their rights more effectively.
- Reporting obligation – in particular, certain data security breaches shall be notified to the Federal Data Protection and Information Commissioner.
- Swiss representative – under certain circumstances, controllers established outside Switzerland are required to designate a Swiss representative.
- Data subjects now have an explicit right to data portability. Under certain circumstances, however, the controller may refuse, restrict or defer such data portability.
- Obligation to perform a data protection impact assessment whenever envisaged data processing may lead to a high risk to the data subjects’ personality or fundamental rights, subject to certain exceptions.
- Data protection by design and data protection by default. Data protection must be taken into account from the outset of any planned data processing, in particular by implementing appropriate technical data protection measures, and every data processing must be set up with data-protection-friendly default settings.
Obligations for both data controllers and data processors
- Both data controllers and data processors are obliged to keep an inventory of their respective processing activities, unless the company has fewer than 250 employees and its processing activities entail a low risk of infringing the data subjects’ personality. In turn, controllers are no longer required to declare files to the Federal Data Protection and Information Commissioner.
Obligations for data processors
- Data processors may only engage sub-processors with the prior written consent of the controller.
- Data breaches shall be notified to the controller.
Federal Data Protection and Information Commissioner