Revised Swiss Data Protection Act — next steps
The Federal Administration has announced that a revised data protection law will most probably enter into force on September 1, 2023. The final decision on entering into force will be taken by the Federal Council.
The revised DPA (Data Protection Act) is not a replacement for existing Swiss data protection law but an adaptation. It leaves Switzerland’s “basic principle” of data privacy untouched while bringing the law in line with the European General Data Protection Rules (GDPR).
The revised DPA aims to harmonize Swiss law with the European General Data Protection Rules, which came into force on 25 May 2018, and thereby to remain adequate with regard to the GDPR. The corresponding adequacy decision to be renewed by the European Commission is still pending. Switzerland will therefore close the loop between the existing FDPA (Federal Data Protection Act) and the revised one to correspond with the GDPR.
The revised act will introduce several data protection reforms, including:
- Right to transparency
- Right to data portability
- The introduction of a “right to be forgotten”
- Records of processing activities
- Notification obligation for violations of data protection (data security)
- The revised FDPA will apply to all future EU data protection regulation
The new data protection law will help companies in Switzerland and other member states transfer data freely within the limits of the Swiss and European regulations. It will also allow Swiss companies to offer their services in other member states, hence strengthening the internal market within the EU.
The revised Swiss FDPA will introduce penal rules with personal fines of up to CHF 250’000 for non-compliance, similar to the GDPR but addressed to natural persons, whereas the GDPR holds companies responsible. It will involve a risk assessment process, a notification and response procedure, damages, rights for data subjects, penalties, and a binding decision mechanism.
Not only can a natural person be fined, but that person can also be penalized for failure to comply. Companies can choose to use a service provider to help them comply with the law. It may require companies to put in place a data protection officer, may appoint data protection.
The FDPA will become directly applicable in Switzerland once it is published. However, the GDPR remains directly applicable in Switzerland even after the new FDPA comes into force, as is the case for the revised FDPA for foreign companies that do business but have no domicile in Switzerland. Thus, companies should continue to comply with the GDPR. Companies that are subject to the GDPR should determine whether they are also subject to the FDPA, in which case they will have to comply with both sets of rules.