The revised Swiss Data Protection Act (DPA), set to become law on September 1, 2023, is in many respects less strict and formalistic than the EU General Data Protection Regulation (GDPR). In one regard it is stricter, though: It provides for criminal liability of individuals where the GDPR simply foresees administrative fines. Not surprisingly, we are getting a lot of questions for advice on what to do to avoid such criminal liability.
To begin with, the violations of the DPA that are subject to criminal liability are limited. There are seven:
By contrast, all other violations of the DPA cannot be fined under the DPA (we will not discuss other provisions of law, such as those against unfair competition). This includes the processing of personal data in violation of the processing principles (such as using personal data for a purpose not permitted or not deleting it in time), as well as a failure to maintain the records of processing activities or to report a data breach.
The fines are for up to CHF 250'000 (which is about EUR 258'000). In practice, we expect most fines will be significantly lower (below CHF 50'000) and – as opposed to what we see under the GDPR – rather the exception. However, according to the prevailing view, the fines may neither be insured against nor paid by the employer; they are personal, which is why they "work". That said, we see the effect of the fines primarily in getting the attention of those who have not yet dealt with data protection or found it to be irrelevant (and in the fact that Switzerland was required by European law to introduce fines into the DPA). This is in line with the rather random and hardly comprehensible selection of situations in which fines can be issued. We believe that most cases will concern access right requests on the one hand, and incomplete or incorrect privacy notices on the other.
Fines can only be issued for an intentional violation of these provisions, although this includes situations where the responsible individual knew (or is assumed to have known) that the violation could occur and accepted that risk. As we will discuss below, this may include cases of willful blindness, i.e. where an individual intentionally does not want to know, for instance by deliberately not investigating a matter in order not to find out about a violation. We expect these cases to play a role. If a prosecutor is informed about a violation and has not yet identified the responsible employee, it will first focus on senior management.
Prosecution will usually only occur if a data subject requests it (within three months of knowing of the violation and perpetrator); cases are pursued by state prosecutors, not the data protection authority. This is another big difference from the GDPR. Fines only apply to "private persons", which means that they only apply to those who act for the private sector and not as a public body. They can, however, apply to both employees and external advisors, if the preconditions are met.
The most interesting aspect is, however, that not only those who commit the violations can be fined. Their superiors can be fined, too. Fines are possible on two grounds (based on Art. 6 of the Federal Act on Administrative Penal Law in combination with Art. 64 DPA):
Hence, the formal or de facto organ person who is an "owner" of a particular personal data processing activity can be fined under both categories, i.e.
From a legal point of view, delegating a responsibility to a subordinate means remaining (by law) liable that (i) the responsible person selects a delegate who is capable of assuming it, (ii) the delegate is properly instructed and provided with the means to comply with the instructions, and (iii) the delegate is monitored and action is taken if there are any red flags of non-compliance. Thus, the delegator remains responsible for appropriate selection, instruction and supervision of the delegate. Whether such delegations are permitted in a particular company is a company governance and policy issue. In the case of the board of directors, its members, within the statutory framework of their non-transferable and inalienable duty of superintendence over the persons entrusted with the management of the company, in any case retain ultimate responsibility for the company's compliance with all relevant law.
Against this background, there are two strategies for those who want to protect themselves against criminal liability in a corporate setup.
The key to both is a properly designed and defined compliance organization and governance. If the organization is large enough, in essence, it should provide for three roles:
This chart, which can be downloaded here, illustrates the setup:
In small companies, it will not be possible to implement such an organization and distribution of responsibilities. For example, the managing director may be the data protection compliance officer and the data activity owner at the same time. In theory, this increases the risk of sanctions for the individual concerned, but in practice, the smaller the company, the less likely it is to face a fine. Small companies are simply not a focus of the law enforcement agencies, or the agencies are not interested in them. In any case, it can be assumed that the agencies will have no particular interest in prosecuting violations of the DPA by small companies.
Of course, the best strategy to avoid fines under the DPA is to comply with the relevant provisions. To ensure compliance in a corporate environment, many technical and organizational measures can be taken. They include data protection policies, clear and understandable instructions, training and awareness programs, and well defined procedures. We see many companies nowadays going through their lists of providers in order to identify processors for which no data processing agreement has yet been concluded, or who are updating their privacy notices to conform with the new requirements of the DPA.
However, as we all know, full compliance with the DPA is not possible in practice. Every organization therefore needs to prepare itself for cases of non-compliance and should adopt strategies to protect its employees.
A good strategy to avoid the risk of criminal liability for the DPCO or any other role in the second line of defense (or in any other part of the organization) is to stay away from taking any decisions concerning the organization's data protection compliance. While this will not be possible in each and every case (because the DPCO may be involved in implementing certain data protection compliance tasks such as drafting a privacy notice or response to a data subject access request based on information from the business), it is good and standard practice for the DPCO to leave difficult decisions to the "business", i.e. the DAO or management. This can include, for instance, the use of a provider in a country without an adequate level of data protection, thus involving a foreign data transfer risk. Another example may be a far-reaching data subject access request that the company is not willing to comply with in full. The DPCO can advise on this, they can also have and voice an opinion, but they should let others decide and not give any impression to the contrary.
Equally important for DPCOs who want to protect themselves is to ensure that they have no decision-making authority with regard to data processing activities. While the DPCO will – by way of their role – most likely have a legal obligation to report any non-compliance they determine to the management and eventually even the board, they should neither accept nor be given the right to give binding instructions with regard to the data processing activities at issue, nor the right to intervene in the case of non-compliant conduct. They should also not be a required approver of a processing activity. All of these would likely qualify as decision-making power and would – in combination with the legal obligation to ensure compliance – result in the DPCO becoming liable if they do not stop non-compliant conduct when confronted with it. Again, the DPCO can warn those who they believe breach the law and advise them on what the law requires them to do, but should leave the ultimate decisions to them.
In practice, the foregoing can be addressed in the internal data protection policy and in the job description of the DPCO. In our experience, however, this aspect is often not considered when drafting policies, or DPCOs actually seek authority to decide over data processing or to provide binding instructions. A DPCO should not only not be given such power, they should also not try to assume it by de facto taking decisions. Simply advising or reporting findings to the DAO and – if this bears no fruit – to management is usually sufficient, and also aligns with the DPCO being a second line function.
For management, the approach to staying clear of criminal sanctions is a different one. Here, the key is supervision. Many board members and managers believe that all they need to do is give their subordinates the necessary instructions by mandating them to ensure a sufficient level of compliance, such as by issuing a corresponding data protection policy. While this is, of course, necessary, it is not sufficient. In practice, we regularly see two mistakes being made:
The foregoing can, of course, result in a situation where a non-compliance within the organization falls between two stools, with it not being possible to allocate the responsibility for a particular non-compliance to a particular individual – neither in management nor elsewhere. In such cases, it is possible under the DPA for a prosecutor to fine the company instead, provided the fine is less than CHF 50'000, which we expect to usually be the case (Art. 64 para. 2 DPA).
In early 2023, we at the VISCHER Data & Privacy team developed a model for determining the maturity of an organization's data protection compliance under both the GDPR and the DPA. The "VISCHER Privacy Score" (VPS) was first implemented as an Excel tool, from which an online version was later developed; the latter is today freely available at https://privacyscore.ch in German and English. It produces a PDF report indicating the overall level of compliance, the areas with risks and non-compliance, and possible steps to remedy any findings:
While VPS was originally designed for DPCOs, DPOs and advisors to identify and close compliance gaps, the tool also became popular for creating data protection compliance reports for management and even boards of directors, as it provides not only a top-down view of individual areas of concern in data protection compliance, but also an overall view of the maturity and the risks of sanctions and non-compliance under both the DPA and the GDPR. Since then, we have started providing the tool to various companies, which use it for reporting to their management and board on the progress of their data protection compliance efforts, including the possibility to provide comments and track remedial efforts.
While the findings of such a report will, of course, put pressure on management to actually remedy the issues in case of systematic or systemic non-compliance, the management and board of a company will in any event have to put in place a proper reporting mechanism with regard to data protection compliance in order to avoid liability for failure to monitor. This is true for the board of directors of every Swiss company: The ultimate responsibility for data protection compliance always lies with the individual board members personally. It cannot be handed off to somebody else. Having at least a proper top-down oversight mechanism in place is, in our experience, a much better and easier way to avoid liability than ignoring the issue and trusting that subordinates will take care of everything.
Let us know if we can help you with these issues, or if you would like to license VPS. More information on VPS and on the Excel tool for reporting to management is available at https://privacyscore.ch.
Author: David Rosenthal
Team Head