18 June 2023

How to avoid criminal liability under the revised Swiss DPA
  • Compliance officers should avoid decisions
  • Management should enforce reporting
  • Willful blindness will result in liability, too

The revised Swiss Data Protection Act (DPA), set to become law on September 1, 2023, is in many respects less strict and formalistic than the EU General Data Protection Regulation (GDPR). In one regard it is stricter, though: It provides for criminal liability of individuals where the GDPR simply foresees administrative fines. Not surprisingly, we are getting a lot of questions for advice on what to do to avoid such criminal liability.

Violations that can be fined

To begin with, the violations of the DPA that are subject to criminal liability are limited. There are seven:

  • Making personal data available to somebody in a country without an adequate level of data protection (e.g., the US) in violation of the DPA (e.g., without adequate safeguards);
  • Using a data processor (e.g., a cloud service provider) without having a proper data processing agreement in place, although the minimum requirements will be much lower than under the GDPR;
  • Not having implemented minimum data security as required by the Federal Council (some argue these minimum requirements have not yet been defined, others say they require the use of adequate, up-to-date technical and organizational security measures, audit trails and documentation);
  • Not providing those from whom personal data is collected with a privacy notice that contains the minimum information required by the DPA, or providing a notice that is wrong or incomplete;
  • Providing those who ask for their personal data or information related to the processing of their personal data (a so-called data subject access request; including in the context of automated individual decisions) with an incorrect or incomplete response;
  • Disclosing to an unauthorized third party confidential personal data received during work or in the course of educational activities if such personal data is required for work and has been provided with an expectation of confidentiality;
  • Non-compliance with an order of the Federal Data Protection and Information Commissioner (FDPIC) or an appellate court, or providing the FDPIC with incorrect information during an investigation or refusing cooperation.

As opposed to that, all other violations of the DPA cannot be fined under the DPA (we will not discuss other provisions of law, such as those against unfair competition). This includes the processing of personal data in violation of the processing principles (such as using personal data for a purpose not permitted or not deleting it in time) or a failure to maintain the records of processing activities or to report a data breach.

Fines up to EUR 258'000

The fines are for up to CHF 250'000 (which is about EUR 258'000). In practice, we expect most fines will be significantly lower (below CHF 50'000) and – as opposed to what we see under the GDPR – rather the exception. However, according to the prevailing view, the fines may neither be insured against nor paid by the employer; they are personal, which is why they "work". However, we see the effect of the fines primarily in getting the attention of those who have not yet dealt with data protection or found it to be irrelevant (and because Switzerland was required by European law to introduce fines into the DPA). This is in line with the rather random and hardly comprehensible selection of situations in which fines can be issued. We believe that most cases will concern the access right requests on the one hand, and incomplete or incorrect privacy notices on the other.

Fines can only be issued for an intentional violation of these provisions, although this includes situations where the responsible individual knew (or is assumed to have known) that the violation could occur and has taken this in their stride. As we will discuss below, this may include cases of willful blindness, i.e. where an individual intentionally does not want to know, for instance by willingly not investigating a matter in order not to find out about a violation. We expect these cases to play a role. If a prosecutor is informed about a violator and has not yet identified the responsible employee, it will first focus on senior management.

Prosecution will usually only occur if a data subject requests it (within three months of knowing of the violation and perpetrator); cases are pursued by state prosecutors, not the data protection authority. This is another big difference from the GDPR. Fines only apply to "private persons", which means that they only apply to those who act for the private sector and not as a public body. They can, however, apply to both employees and external advisors, if the preconditions are met.

Bad actors and the management

The most interesting aspect is, however, that not only those who commit the violations can be fined. Their superiors can be fined, too. Fines are possible on two grounds (based on Art. 6 of the Federal Act on Administrative Penal Law in combination with Art. 64 DPA):

  • For those who actually commit the violation, because they are in the lead with regard to a particular activity and decide to violate the relevant DPA obligation applicable to such activity, for example, the person who decides (i) to provide an incorrect or incomplete response to a data subject request, (ii) to use a processor without a proper data processing agreement, (iii) to make personal data available abroad in violation of the DPA or (iv) to disclose a professional secret to an unauthorized third party. Whether the violation has been committed by the individuals themselves or by giving a corresponding instruction is not relevant. Those who merely follow instructions or otherwise contribute to the violation in a subordinate role cannot be fined under the DPA.
  • For those who have a legal obligation to prevent a violation from being committed and have the necessary authority but fail to do so or fail to mitigate the consequences of a violation. The legal obligation must refer directly to the prevention of the specific infringement (e.g., "responsibility for compliance with data protection law") or do so indirectly by referring to an obligation to protect the company's interests. Potential perpetrators are, depending in each case on the (lawful) delegation applied, the board of directors, management and any other formal or de facto organ person (individual) who is responsible for ensuring compliance with the DPA and has the decision-making authority to give binding instructions to prevent the violation from happening (e.g., a compliance officer who not only monitors and reports but can also make specifications or at least intervene, or whose approval is required). It is irrelevant whether the decision-making authority has been formally assigned to them (e.g., by means of an organizational regulation) or whether they have it factually or assume it. They all can be fined in the case of a violation for having remained passive, e.g., for not having put in place adequate policies, assigned compliance responsibilities properly, or obtained compliance reports or reacted to them appropriately.

Hence, the formal or de facto organ person who is an "owner" of a particular personal data processing activity can be fined under both categories, i.e.

  • for having (intentionally) taken an unlawful decision with regard to such personal data processing activity or other obligation under the DPA and, thus, committing a violation themselves or by a corresponding instruction to their subordinates (e.g., having intentionally engaged a processor without a proper contract or having intentionally collected data without a proper privacy notice), and
  • for (intentionally) having breached the duties of appropriate selection, instruction and supervision of those acting, at least accepting that the personal data processing activity of their subordinates may, therefore, result in a violation.

From a legal point of view, delegating a responsibility to a subordinate means remaining (by law) liable that (i) the responsible person selects a delegate who is capable of assuming it, (ii) the delegate is properly instructed and provided with the means to comply with the instructions, and (iii) the delegate is monitored and action is taken if there are any red flags of non-compliance. Thus, the delegator remains responsible for appropriate selection, instruction and supervision of the delegate. Whether such delegations are permitted in a particular company is a company governance and policy issue. In the case of the board of directors, its members, within the statutory framework of their non-transferable and inalienable duty of superintendence over the persons entrusted with the management of the company, in any case retain ultimate responsibility for the company's compliance with all relevant law.

Strategies to protect oneself against fines

Against this background, there are two strategies for those who want to protect themselves against criminal liability in a corporate setup.

The key to both is a properly designed and defined compliance organization and governance. If the organization is large enough, in essence, it should provide for three roles:

  • Management: It is responsible for putting in place an adequate compliance organization and governance and for overseeing it. Management may also take risk decisions concerning those data processing activities and other decisions that subordinates in the first line of defense do not want to or should not take.
  • Data Activity Owners (DAO): They are responsible as the first line of defense to take the decisions relevant for data protection compliance, i.e. decide for the organization on the purpose and means of a data processing activity and related compliance measures such as the conclusion of a data processing agreement. They are usually the business owners of the relevant activity.
  • Data Protection Compliance Officer (DPCO): They are responsible for advising, supporting and monitoring the DAO in data protection compliance, and they report issues to management when necessary. They are part of the second line of defense. We on purpose do not refer to them as the "Data Protection Officer" in order not to confuse them with the DPO role as per Art. 37 et seqq. GDPR, an equivalent of which also exists under the DPA.

A chart accompanying the original post illustrates this setup.

In small companies, it will not be possible to implement such an organization and distribution of responsibilities. For example, the managing director may be the data protection compliance officer and the data activity owner at the same time. In theory, this increases the risk of sanctions for the individual concerned, but in practice, the smaller the company, the less likely it is to face a fine. They are simply not in focus, or the law enforcement agencies are not interested. In any case, it can be assumed that they will have no particular interest in prosecuting violations of the DPA.

Of course, the best strategy to avoid fines under the DPA is to comply with the relevant provisions. To ensure compliance in a corporate environment, many technical and organizational measures can be taken. They include data protection policies, clear and understandable instructions, training and awareness programs, and well defined procedures. We see many companies nowadays going through their lists of providers in order to identify processors for which no data processing agreement has yet been concluded, or who are updating their privacy notices to conform with the new requirements of the DPA.

However, as we all know, full compliance with the DPA is not possible and every organization needs to prepare itself for cases of non-compliance, and it should adopt strategies to protect its employees.

Strategy 1: No power to decide

A good strategy to avoid the risk of criminal liability for the DPCO or any other role in the second line of defense (or in any other part of the organization) is to stay away from taking any decisions concerning the organization's data protection compliance. While this will not be possible in each and every case (because the DPCO may be involved in implementing certain data protection compliance tasks such as drafting a privacy notice or response to a data subject access request based on information from the business), it is good and standard practice for the DPCO to leave difficult decisions to the "business", i.e. the DAO or management. This can include, for instance, the use of a provider in a country without an adequate level of data protection, thus involving a foreign data transfer risk. Another example may be a far-reaching data subject access request that the company is not willing to comply with in full. The DPCO can advise on this, they can also have and voice an opinion, but they should let others decide and not give any impression to the contrary.

Equally important for a DPCO in order to protect themselves is to ensure that they have no decision-making authority with regard to data processing activities. While the DPCO will – by way of their role – most likely have a legal obligation to report any non-compliance they determine to the management and eventually even the board, they should neither accept nor be given the right to give binding instructions with regard to the data processing activities at issue, or even have the right to intervene in the case of non-compliant conduct. They should also not have to be asked for approval in the context of a processing activity. All of these would likely qualify as decision-making power and would – in combination with the legal obligation to ensure compliance – result in the DPCO becoming liable if they do not stop non-compliant conduct when confronted with it. Again, the DPCO can warn those who they believe breach the law and advise them on what the law requires them to do, but should leave the ultimate decisions to them.

In practice, the foregoing can be addressed in the internal data protection policy and job description of the DPCO. In our experience, however, this aspect is often not considered when drafting policies, or DPCOs actually seek authority to decide over data processing or to provide binding instructions. A DPCO should not only not be given such power, they should also not try to assume it by de facto taking decisions. Simply advising or reporting findings to the DAO and – if this bears no fruit – to management is usually sufficient, and also aligns with the DPCO being a second-line function.

Strategy 2: Proper reporting in place

For management, the approach to stay clear of criminal sanctions is a different one. Here, the key is supervision. Many board members and managers believe that what they need to do is give their subordinates the necessary instructions by mandating them to ensure a sufficient level of compliance, such as by issuing a corresponding data protection policy. While this is, of course, true, it is not sufficient. In practice, we regularly see two mistakes being made:

  • First, management does not properly assign responsibility for data protection compliance within their organization. While most of them understand that they need to appoint a person who takes care of data protection compliance, such as a Data Protection Officer, they misunderstand that such a person is, in fact, not responsible for it. When we say "responsible" here, we mean responsibility for the outcome and responsibility for giving directions, not responsibility for executing tasks. In a RACI matrix, you would use the term "accountable".

    In practice, it means designating those who take the role of the DAO described above. The data protection policy of an organization should, therefore, not only define the data processing principles that need to be complied with by everybody. It should first and above all define who is accountable for making sure that, for any particular data processing activity, these principles and the other requirements of data protection law are complied with. As stated above, this is not the Data Protection Officer or DPCO. While such accountability can lie with a group of people (such as a data governance board), it is usually better to have one individual be the DAO for a particular data processing activity (note: we also recommend not mixing up data owners, if they exist, and data activity owners – the same set of data within a company may eventually be used for several different purposes and in different manners, resulting in different processing activities with different owners).
  • Second, management usually applies a "fire and forget" approach with regard to data protection. Even if the instructions they give with regard to data protection compliance are proper, they often see this as a one-way street. They forget to implement feedback and oversight procedures that will allow them to monitor whether and how their instructions are complied with and permit them to react and remedy if this is not the case. Management has three duties: properly select those who ensure compliance, properly instruct them (and give them the necessary resources), and properly monitor them. Failure to do any one of them may leave management responsible, both criminally and otherwise, if things go wrong in their organization.

    In practice, this means that management should provide for mandatory reporting on data protection compliance by their subordinates not only upon request or for cause, but also on a regular basis. If relevant non-compliance is reported, management will, of course, have to react and take measures to avoid liability. If the organization reports that data protection compliance is more or less under control in the relevant areas, management will be able to rely on such a report if it later turns out not to be true in an individual case. At the same time, such reporting means that management has to have a basic understanding of the requirements of data protection law, or have experts at hand. That said, management should only be informed at the appropriate level of detail. For instance, it is not necessary to inform management if a particular data processing agreement is not compliant, if the procedures for ensuring proper data processing agreements exist and work fine – at least in principle. Hence, management should establish a reporting mechanism to get at least a bird's eye view of the organization's compliance status, not necessarily a complete bottom-up analysis initially. Taking a closer look will usually only become necessary if the top-down view is not satisfactory and this continues over some time.

The foregoing can, of course, result in a situation where a non-compliance within the organization falls between two stools, with it not being possible to allocate the responsibility for a particular non-compliance to a particular individual – neither in management nor elsewhere. In such cases, it is possible under the DPA for a prosecutor to fine the company instead, provided the fine is less than CHF 50'000, which we expect to usually be the case (Art. 64 para. 2 DPA).

How to assess and report data protection compliance

In early 2023, we at the VISCHER Data & Privacy team developed a model for determining the maturity of an organization's data protection compliance under both the GDPR and the DPA. The "VISCHER Privacy Score" (VPS) was first implemented in the form of an Excel tool, which was later developed into an online version; the latter is today freely available at https://privacyscore.ch in German and English. It produces a PDF report indicating the overall level of compliance, the areas with risks and non-compliance, and possible steps to remedy any findings.

While "VPS" was originally designed for DPCOs, DPOs and advisors to identify and close compliance gaps, the tool also became popular for creating data protection compliance reports for management and even boards of directors, as it provides not only a top-down view of individual areas of concern in data protection compliance, but also an overall view of the maturity and of the risks of sanctions and non-compliance under both the DPA and the GDPR. Since then, we have started providing the tool to various companies, who use it for reporting to their management and board on the progress of their data protection compliance efforts, including the possibility to provide comments and track remedial efforts.

While any findings of such a report will, of course, put pressure on management to indeed remedy the issues in case of systematic or systemic non-compliance, the management and board of a company will anyhow have to put in place a proper reporting mechanism with regard to data protection compliance in order to avoid liability for failure to monitor. This is true for the board of directors of every Swiss company: The ultimate responsibility for data protection compliance always lies with the individual board members personally. It cannot be handed off to somebody else. Having at least a proper top-down oversight mechanism in place is, in our experience, a much better and easier choice to avoid liability than ignoring the issue and trusting that subordinates will take care of everything.

Let us know if we can help you on these issues, or if you would like to license VPS. More information on VPS and the Excel for reporting to management is available at https://privacyscore.ch.

Author: David Rosenthal

Categories: Data & Privacy, Blog
