21 October 2022
Switzerland has less than a year to prepare for the new Data Protection Act (DPA), which will enter into force on September 1, 2023. But what needs to be done to be ready for this new set of rules?
The answer: at least for most SMEs, the effort will remain manageable, as long as they are already somewhat compliant with the current DPA. No one can fully comply with data protection law, as we have repeatedly pointed out, but a company can already achieve a lot by putting the necessary structures and processes in place and promoting awareness of data protection.
In order to help SMEs, but also larger companies, VISCHER has now summarised what needs to be done to comply with the current and the revised DPA – all on a single page, short and to the point, without legalese. The handout is available free of charge, can be distributed and used freely, and can also be used as an internal data protection policy if a company does not yet have one in place.
The handout can be downloaded here (and in a German version here). We have put together a lot of information in this "one-pager":
Companies can, of course, also get external support of their choice, but we believe that this is often not necessary, or only in difficult or complex cases. Neither the current nor the revised DPA requires a data protection officer (or data protection advisor, as it is called in the revised DPA). However, it is advisable to appoint someone who takes care of data protection internally and has the necessary capacity (and desire) to do so – the necessary knowledge can be acquired relatively easily with content from public sources, tutorials and, of course, further training.
The new Data Protection Ordinance (DPO) is already taken into account in the handout. For example, the Federal Council has decided that most companies with fewer than 250 employees do not have to create an inventory of processing activities. This will be very convenient for many SMEs, although the effort required for such an inventory is overestimated by many, and creating one is in itself a good starting point for data protection compliance. The knowledge gained in the process is also needed to draft the privacy notice, which most companies still have to develop (many currently cover only the data collected on their website in their privacy notice, which is not sufficient).
The main challenge in data protection compliance is and remains the disclosure of personal data abroad, as the requirements here have been raised to an unrealistically high level since 2020 (notably not because of the law, but because of the way it has been applied, in particular by European data protection authorities), and there are no reasonable answers, even for those who want to do it "well". The main issue is the risk that, when data is transferred to countries without an adequate level of data protection (which cannot be ruled out even with most cloud solutions), the authorities abroad might be able to access the data (so-called foreign lawful access) if they wanted to. While this risk is often only theoretical, it nevertheless causes great concern for data protection authorities. For companies, it means that a lot of time and effort must be spent on compliance, or that the requirements of the data protection authorities are simply not adhered to. We have also published several tools to this end, which are now used far beyond Switzerland (including an FAQ on the EU Standard Contractual Clauses, an FAQ on the risk of foreign lawful access by authorities, and a method for the standardised assessment of this risk). The Association for Corporate Data Protection (www.vud.ch) has also published an FAQ on the topic of "cloud" (in German), in which it addresses the question of whether the use of cloud services is permissible against the background of the foregoing discussion and how such projects can be implemented.
A certain amount of work can be involved in checking the agreements with providers and other so-called processors. Here, the revised DPA provides for fines if the contracts do not comply with the law. In practice, most data processing agreements, at least those of the large providers, meet the requirements, provided that the necessary Swiss amendments have been entered into (for Microsoft, for example, a Swiss addendum is required, but Microsoft provides it without discussion).
The greatest effort is, of course, the review of existing data processing activities to see whether they comply with the principles of data protection. However, the revised DPA hardly changes anything here, i.e. the way in which data can be processed remains largely the same as under the current law. Many companies have not really dealt with these requirements in a systematic way so far, and have instead used their "gut-feeling" to decide what is and is not ok (which is not the worst advisor here). The revision of the DPA could be a good opportunity to make some improvements in this area, for example by training employees and then having them take a close look at their own data processing. In this way, the effort can be distributed across the company.
We also offer a detailed commentary on the new Data Protection Act (in French and German) free of charge and a recording of a webinar on how to implement the revised DPA in ten steps and highlighting the differences to the GDPR. We also have a separate overview on the latter.
We also offer an automated gap analysis that can be used free of charge at https://privacyscore.ch/en. On the site, you can complete a questionnaire and will receive a PDF report that shows where you still have issues under the revised Data Protection Act and what needs to be done to fill these gaps. Furthermore, we offer here (in German) an overview of the documents that are necessary or useful under the revised DPA.
Finally, if you want to know how to protect yourself from criminal liability under the new data protection law, you should also read our special blog post on this topic.
David Rosenthal and his Data & Privacy Team will be happy to answer any questions as well as provide coaching or other support.
Category: Data & Privacy