
25 August 2023

New Data Protection Act: What do I need to know as an HR manager?

The revised Swiss Data Protection Act (nDPA) enters into force on September 1, 2023. Employee data is processed routinely throughout the employment relationship, so the revision directly affects HR work. This article gives HR managers an overview of the provisions they need to know.

Data processing in the employment relationship

In principle, an employer may only process an employee's data if it concerns the employee's suitability for the job or is necessary for the performance of the employment contract (Art. 328b CO). Processing that goes beyond this may be justified, in particular, by an overriding interest of the employer or by the express consent of the employee concerned. In all cases the data processing principles of the DPA must be observed, and these remain unchanged by the revision: processing must be lawful, carried out in good faith and proportionate, i.e. limited to the purpose stated when the data was collected and in compliance with the other provisions of data protection law. Processing that was permissible under the old law is therefore likely to remain permissible under the new law.

Information obligations

The nDPA expands the information obligations. Employers, and thus HR managers acting for them, must now inform employees whenever they collect personal data, no longer only when sensitive personal data is involved, about, among other things, the identity and contact details of the controller, the purpose of the processing, the categories of data collected indirectly (i.e. not from the employee), the categories of recipients and the countries in which the data will be processed. This information is usually provided in a data protection declaration or privacy statement. In view of the new requirements, HR managers are advised to have their existing declarations reviewed and brought up to date.

Register of processing activities

Companies with 250 or more employees must now keep a register of processing activities. The register must contain at least the following information (Art. 12 nDPA):

  • the identity of the person responsible for the data processing;
  • the purpose of the processing;
  • a description of the categories of data subjects and the categories of personal data processed;
  • the categories of recipients;
  • the retention period of the personal data or criteria for determining this period (if possible);
  • a general description of the measures taken to ensure data security (if possible);
  • in the case of disclosure of data abroad: specification of the country and guarantees by which data is to be protected.

Companies with fewer than 250 employees are exempt from the obligation to keep this register, provided that their data processing entails only a low risk of harm to the personality of the data subjects.

Data protection impact assessment (DPIA)

Furthermore, the nDPA makes a data protection impact assessment mandatory where data processing is likely to entail a high risk to the personality or fundamental rights of the data subjects. Since sensitive personal data, such as health data, is often processed in the course of an employment relationship, HR managers may also have to conduct a DPIA for specific HR processes. The DPIA must describe the planned processing, assess the risks it poses to the data subjects, and set out the organizational and technical measures that will be taken to prevent or mitigate those risks.

Requests for information

Alongside the expanded information obligations, the data subject's right of access has also been extended. Art. 25 para. 2 nDPA specifies the minimum information that must be provided to the data subject. The law also stipulates that the information must generally be provided within 30 days and that data subjects cannot waive this right in advance. Employers are therefore advised to define clear internal procedures for handling employees' access requests.

Data transfer abroad

As before, employers must ensure under the nDPA that personal data transferred to a country without an adequate level of data protection is safeguarded by other means (for example, appropriate contractual guarantees) or that the transfer is otherwise justified. What is new is that the Federal Council now issues a binding list of countries deemed to provide adequate protection, which gives employers clarity as to when additional safeguards are required.

Notification to the FDPIC

Employers, and thus HR managers, must notify the Federal Data Protection and Information Commissioner (FDPIC) as soon as possible of any breach of data security that is likely to result in a high risk to the personality or fundamental rights of the employees concerned. A breach of data security exists where personal data is unintentionally or unlawfully lost, deleted, destroyed or altered, or is disclosed or made accessible to unauthorized persons. Where this is necessary for their protection, the employees concerned must also be informed.

Criminal liability

The nDPA also widens the range of breaches that are punishable. Persons responsible for processing, including HR managers who process personnel data within the employment relationship, can be fined up to CHF 250,000, in particular if they intentionally violate the information obligations or certain duties to provide access or cooperate. Note that these fines are imposed on the responsible natural persons, not only on the company.


Categories: Employment Law, Data & Privacy
