We are a Swiss law firm, dedicated to providing legal solutions to business, tax and regulatory matters.
SWISS LAW AND TAX
Services
Intellectual Property
Life Sciences, Pharma, Biotech
Litigation and Arbitration
Meet our team
Our knowledge, expertise & publications
View all
Events
Blog
In the VISCHER Innovation Lab, we not only work in the field of law, we also develop our solutions ourselves as far as possible from a technical point of view.
VISCHER Legal Innovation Lab
Red Dragon
Careers
Category: Data & Privacy
The revised Swiss Data Protection Act (revDPA) was passed by the Swiss Parliament in the fall of 2020 and will enter into force in 2022. The revision strengthens the protection of personal data provided by the current DPA to bring it in line with the level of protection provided by the EU General Data Protection Regulation (GDPR). It also aims to ensure that Switzerland maintains its status as a country that adequately protects personal data from an EU perspective.
But while the revDPA introduces a range of well-known instruments and obligations for controllers and processors from the GDPR, such as the obligation to maintain a record of processing activities, to provide certain minimal information to the data subjects, to conduct a data protection impact assessment in some cases, and to notify data breaches to the Swiss data protection authority (FDPIC), it also deviates from the GDPR in a number of respects and even goes beyond it in some areas.
To name just a few examples, the revDPA provides for less stringent rules with respect to consent of data subjects, data protection statements, and the exercise of data subjects' rights, while at the same time it also provides for more stringent requirements than the GDPR in some areas, particularly in relation to sanctions for non-compliance with certain provisions of the revDPA. Thus, unlike the GDPR, the hefty fines for non-compliance under the revDPA (up to CHF 250’000) are personal, i.e. they are imposed on the responsible individuals, not the company. It is also worth noting that the revDPA (like the current DPA) has a broader territorial scope than the GDPR in that, for example, it applies to foreign controllers who process personal data abroad to the extent that such processing has a relevant effect in Switzerland – if only because the server is operated in Switzerland or the data subjects are located in Switzerland.
The following table provides an overview of the differences and similarities between the provisions of the revDPA and the GDPR that are relevant to the private sector, while also commenting on the differences between the current DPA and the revDPA where relevant.
Authors: David Rosenthal, Samira Studer
Team Head
Attorney at Law
Numerous Swiss companies as well as public organizations rely on Microsoft's cloud services. In...
Which law applies where and how? What needs to be done? Seven short training videos Some like...
Many banks, insurance companies and other Swiss financial institutions are currently working on...