On 31 August 2022, the Federal Council officially adopted the revised Data Protection Ordinance ("revDPO") as well as the Ordinance on Data Protection Certifications and confirmed that the Ordinances, together with the revised Data Protection Act ("revDPA"), will enter into force on 1 September 2023. As a result, companies and other persons processing personal data have one year to implement the new requirements in their organisations. There will be no further grace period, and companies should get ready now.

AT A GLANCE

With the newly adopted revDPO, the Federal Council exercised its competence to clarify and specify certain obligations of the revDPA. In particular, the revDPO provides implementing provisions on data security, information and documentation obligations, the rights to access and data portability, the outsourcing of data processing to third parties, cross-border data transfers, the data protection advisor (i.e., data protection officer), data protection impact assessments and the notification of data breaches. In the following, we have summarised the most important provisions for private companies:

DATA SECURITY MEASURES

The provisions concerning the required level of data security specify article 8 revDPA and are generally based on the current provisions of the DPO. The revDPO does not opt for rigid minimum standards but follows an individual, risk-based approach: the controller and processor need to determine the necessary level of protection, assess the risk and, based on their assessment, decide which measures should be taken to ensure an adequate level of data security. To determine the required level of protection, the kind of data as well as the purpose, scope and means of the processing should be taken into account. The risk assessment should in particular account for the causes of the risk, the main hazards, the measures taken or planned to reduce the risk, and the likelihood and severity of a breach of data security despite the measures taken or planned.

When determining the technical and organisational measures, state of the art and implementation costs should also be considered. However, data controllers and processors cannot exempt themselves from the obligation to provide appropriate data security measures on the grounds that this would entail excessive costs; rather, they must in any case be in a position to ensure adequate data security.

INFORMATION AND DOCUMENTATION OBLIGATIONS

The revDPA stipulates a duty of information for the controller, subject to certain exceptions. The revDPO specifies how controllers must provide such information: controllers have an obligation to inform data subjects appropriately about the collection of personal data, and "appropriately" is specified as meaning that the information should be provided in a precise, transparent, comprehensive and easily accessible form. The duty of information addresses the controller alone and not the processor, but the controller is obliged to inform the data subject of the fact that data will be disclosed to a processor and to provide information about the processor.

If an intended data processing activity potentially bears a high risk for the rights of the person whose data is processed, the controller may need to perform a data protection impact assessment (DPIA) beforehand. The controller must store this assessment for at least two years after termination of the processing.

RIGHTS TO ACCESS AND DATA PORTABILITY

Several provisions concerning the right of access remain unchanged. Access requests can be made in writing or electronically and, with the consent of the controller, also orally. The provisions concerning the deadline, and the exceptions under which the information does not need to be provided free of charge, remain largely unaltered. In the past, a controller could levy a fee if the data subject had already received the information in the preceding twelve months and had no legitimate interest in requesting access again. This provision was removed from the revDPO because, under the revDPA, such a request now constitutes a reason to refuse access altogether.

With the revision of the DPA, a new right to data portability was introduced. Under certain conditions, individuals have the right to receive their data in a commonly used and machine-readable format so that they can transmit it to a different company or otherwise use the data. The right to data portability only applies to personal data that has been disclosed by the data subject to the controller. Such data comprises data that the data subject provided to the controller knowingly and willingly as well as data that the controller collected about the individual and his or her behaviour when using a device or service. However, data deduced by the controller from the provided or observed data does not fall under the right to data portability. The time limit, form and further modalities of the right to data portability are determined in accordance with the provisions on the right of access. The revDPO also clarifies that "commonly used and machine-readable formats" are formats that enable the personal data to be transferred with reasonable effort and to be further used by the data subject or another controller. Examples are XML, JSON and CSV.
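The distinction drawn above (provided and observed data are in scope, data the controller inferred from it is not) is the part of a portability export that is easiest to get wrong in practice, because inferred attributes such as scores and segments usually sit in the same profile table as everything else. The following is an added example, not code from the article or from any official implementation: it tags each stored attribute with its provenance, exports only the portable subset, and writes it in two of the formats the revDPO names (JSON and CSV). The provenance tags, the field names and the sample record are all constructed for illustration and are assumptions, not anything prescribed by the ordinance.

```python
"""Added example: a data-portability export that applies the provided/observed
versus inferred distinction. Provenance tags, field names and the sample record
are constructed assumptions, not part of the article or of any legal text."""
import csv
import io
import json

# Provenance categories (assumed labels). Only PROVIDED and OBSERVED data fall
# within the portability right as described above; INFERRED data does not.
PROVIDED = "provided"
OBSERVED = "observed"
INFERRED = "inferred"
KNOWN_SOURCES = {PROVIDED, OBSERVED, INFERRED}
PORTABLE_SOURCES = {PROVIDED, OBSERVED}

# Constructed sample: every attribute a controller holds about one data subject,
# each tagged with how the controller came to hold it.
SAMPLE_RECORD = [
    {"field": "email", "value": "anna@example.com", "source": PROVIDED},
    {"field": "language", "value": "de", "source": PROVIDED},
    {"field": "last_login", "value": "2023-08-30T09:12:00Z", "source": OBSERVED},
    {"field": "app_version", "value": "4.2.1", "source": OBSERVED},
    {"field": "churn_risk_score", "value": 0.83, "source": INFERRED},
    {"field": "marketing_segment", "value": "premium", "source": INFERRED},
]


def select_portable(record):
    """Return only fields the data subject provided or that were observed while
    they used the service, dropping everything the controller inferred.
    An attribute with an unknown provenance tag raises instead of being
    silently exported (over-disclosure) or silently withheld (under-delivery)."""
    out = []
    for item in record:
        src = item["source"]
        if src not in KNOWN_SOURCES:
            raise ValueError(f"untagged provenance for field {item['field']!r}")
        if src in PORTABLE_SOURCES:
            out.append({"field": item["field"], "value": item["value"], "source": src})
    return out


def export_json(record):
    """Machine-readable export as JSON, one of the formats the revDPO names."""
    return json.dumps({"personal_data": select_portable(record)}, indent=2, sort_keys=True)


def export_csv(record):
    """The same portable subset as CSV with a header row; values are stringified."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["field", "value", "source"], lineterminator="\n")
    writer.writeheader()
    for item in select_portable(record):
        writer.writerow(item)
    return buf.getvalue()


def exported_fields(record):
    """Names of the fields that would leave the organisation in an export."""
    return [item["field"] for item in select_portable(record)]


if __name__ == "__main__":
    print(export_json(SAMPLE_RECORD))
    print(export_csv(SAMPLE_RECORD))
```

Keeping the provenance tag in the exported rows is deliberate: it lets the receiving controller (and the data subject) see which items were self-declared and which were observed, and it lets the exporting organisation document why the inferred attributes were left out if the scope of the export is later questioned.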


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.