Categories: Employment Law, Data & Privacy
The new Data Protection Act (nDPA) will come into force on September 1, 2023. Within the scope of the employment relationship, employee data is also regularly processed. This article provides an overview of what HR managers need to know with regard to the new provisions.
In principle, employers may only process an employee's data if it relates to the employee's suitability for the employment relationship or is necessary for the performance of the employment contract (Art. 328b CO). Further processing of data may nevertheless be justified, in particular in the case of overriding interests of the employer or with the express consent of the employee concerned. In all cases, the data processing principles of the DPA must be observed. These remain unchanged with the revision of the law. Thus, data processing must be lawful, in good faith and proportionate, i.e. in accordance with the purpose stated when processing the data and in compliance with the other provisions of data protection law. Data processing that was permissible under the old law is also likely to be permissible under the new law.
The nDPA expands the information obligations. HR managers are now obliged to inform employees whenever they obtain personal data – and no longer only in case of sensitive personal data – about, among other things, the purpose of the data processing, the indirectly collected data, the categories of recipients of the data and the countries in which the data will be processed. The information is usually provided in the form of a data protection declaration or privacy statement. In view of the new requirements, it is also advisable for HR managers to have their existing data protection declarations and privacy statements reviewed to ensure that they are up to date.
Companies with more than 250 employees must now keep a register of processing activities. The register of processing activities must contain the following minimum information (Art. 12 nDPA):
Companies with fewer than 250 employees are exempt from the obligation to maintain this register, provided that the data processing involves only a low risk of harm to the personality of the data subjects.
Furthermore, the nDPA makes a data protection impact assessment mandatory if data processing entails a high risk for the personality and fundamental rights of the persons concerned. Since personal data requiring special protection, such as health data, is often processed within the scope of an employment relationship, HR managers will also have to conduct a data protection impact assessment for specific processes. The DPIA must explain what negative consequences data processing is likely to have for the data subject and what organizational and technical measures can be taken to prevent or mitigate these negative effects.
In addition to the expansion of the information obligations, the right to information has also been expanded with the amendment to the law. Art. 25 para. 2 nDPA specifies the minimum information that must be provided to the data subject. It is also stipulated that the information must generally be provided within 30 days and that the data subjects cannot waive their rights in advance. Against this background, it is advisable for employers to clearly structure their internal procedures with regard to employee requests for information on personal data.
As before, employers must also ensure under the nDPA that, if personal data is to be transferred to countries without an adequate level of protection, the transfer is otherwise secured or justified. However, the Federal Council now provides a binding list of countries that "adequately" meet this requirement, which provides clarity.
HR managers must report breaches of data security to the Federal Data Protection and Information Commissioner (FDPIC) immediately if the breach results in a high risk of harm to the personality of employees. Such a breach is assumed if personal data is unintentionally or unlawfully deleted, destroyed, modified or disclosed or made accessible to unauthorized persons. If this is necessary to protect the employees concerned, they must also be informed.
The nDPA is also expanded with regard to the punishability of violations of certain duties. The persons responsible for processing, and thus also HR managers, who process personnel data within the scope of the employment relationship can be punished with a fine of up to CHF 250,000.00, in particular if they intentionally violate the information obligation and certain disclosure obligations.