The revised Swiss Data Protection Act (revDPA) was passed by the Swiss Parliament in the fall of 2020 and will enter into force in 2022. The revision strengthens the protection of personal data provided by the current DPA to bring it in line with the level of protection provided by the EU General Data Protection Regulation (GDPR). It also aims to ensure that Switzerland maintains its status as a country that adequately protects personal data from an EU perspective.
But while the revDPA introduces a range of well-known instruments and obligations for controllers and processors from the GDPR, such as the obligation to maintain a record of processing activities, to provide certain minimal information to the data subjects, to conduct a data protection impact assessment in some cases, and to notify data breaches to the Swiss data protection authority (FDPIC), it also deviates from the GDPR in a number of respects and even goes beyond it in some areas.
To name just a few examples, the revDPA provides for less stringent rules with respect to consent of data subjects, data protection statements, and the exercise of data subjects' rights, while at the same time it also provides for more stringent requirements than the GDPR in some areas, particularly in relation to sanctions for non-compliance with certain provisions of the revDPA. Thus, unlike the GDPR, the hefty fines for non-compliance under the revDPA (up to CHF 250’000) are personal, i.e. they are imposed on the responsible individuals, not the company. It is also worth noting that the revDPA (like the current DPA) has a broader territorial scope than the GDPR in that, for example, it applies to foreign controllers who process personal data abroad to the extent that such processing has a relevant effect in Switzerland – if only because the server is operated in Switzerland or the data subjects are located in Switzerland.
The following table provides an overview of the differences and similarities between the provisions of the revDPA and the GDPR that are relevant to the private sector, while also commenting on the differences between the current DPA and the revDPA where relevant.