Are you ready for the new data protection law?
May 2023

On 1 September 2023, the new Data Protection Act and the new Data Protection Ordinance will come into force. There is no transition period. You can find out who the new law applies to and what the new law entails here.


The new data protection law (including ordinance) applies to the processing of personal data by private individuals and federal bodies. Consequently, private companies, associations, foundations and, in principle, private individuals are also affected by the new data protection law - although private individuals are exempt as long as they process personal data exclusively for personal use.

The term personal data includes all data relating to an identified or identifiable natural person. The new FADP (incl. Ordinance) is no longer applicable when data on legal persons is used. However, the term "process" still has a broad meaning and, just as under the current law, includes, among other things, obtaining, retaining, storing, modifying, disclosing, using, archiving, deleting or destroying data.

The revision will not significantly change the principles of data processing. As before, personal data may only be processed lawfully, processing must be carried out in good faith and must be proportionate. Data may only be processed for the purpose for which it was collected. The new data protection law will in particular improve the transparency of data processing and strengthen the self-determination of the persons concerned over their own data. The data protection law imposes numerous (new) obligations on those responsible for data processing. Below you will find a list of the most important innovations and obligations of data controllers:

Information requirements and data protection declaration
The data subjects must be informed about the scope and purpose of the data processing. This is usually done by means of a data protection declaration. Please note that the new Data Protection Act entails more extensive information obligations, which means that you may have to adapt your data protection declarations.

Data security
Only those persons who actually need the data (for example, for the performance of their work) should have access to personal data. If personal data is breached and there is a high risk to the data subjects, this must be reported to the Federal Data Protection and Information Commissioner (FDPIC).

Data subjects' rights
Data subjects whose personal data are processed have the right to obtain information about their own data. The FADP provides for the right to information, which should be provided within 30 days without incurring any costs. Data subjects also have the right to have incorrect data corrected or to request the deletion of data.

Processing directory
Companies with 250 employees or more must keep a register of all processing operations. Companies below this threshold are in principle exempt from this requirement, unless particularly sensitive personal data is processed on a large scale or high-risk profiling is carried out.

Disclosure abroad
If data is to be disclosed abroad, the country must have equivalent data protection or additional measures must be taken to ensure security. Disclosure includes not only the active sending of data, but also remote access.

Data protection impact assessment
A data protection impact assessment must be carried out when planning new data processing that could potentially pose a high risk to data subjects. This must document the project and examine appropriate measures to protect the data subjects.

Professional secrecy according to the FADP
Secret personal data entrusted to a person in the course of his or her professional activity must be kept secret. If this is not to be guaranteed, it must be made clear in advance with whom the data may be shared.

Criminal liability
With regard to criminal liability, it should be emphasised that the violation of certain obligations under the new data protection law gives rise to criminal liability which - in contrast to the GDPR - does not affect the company, but the natural person responsible for it. It should be noted at this point that Swiss law only sanctions the deliberate commission of such offences. In particular, the following is punishable with a fine of up to CHF 250,000:

⦁ Violation of duties to inform, provide information and cooperate.
⦁ Violation of data security.
⦁ Violation of duties of care.
⦁ Disclosure of personal data to countries that do not guarantee equivalent data protection without taking additional protective measures or without exceptional circumstances (e.g. consent).
⦁ Violation of the professional duty of confidentiality.

Author

Diana Krasnic
+41 58 255 73 00