New developments in data protection
BSL The Guide to banking in Switzerland – November 2023
Today, data collection is a key development tool for businesses, but it is also a source of great concern for individuals. In such an environment, data protection has become a major issue. The Federal Data Protection Act (DPA), which came into force in 1993, is a safeguard against abuse. Its purpose is to regulate the processing and disclosure of data in both the public and private sectors. It also confers a fundamental right on individuals: the right to access their own data.
At the same time as companies are increasingly attracted by data, legislators are seeking to protect the people whose data is used, usually without their knowledge. Switzerland launched the revision of the Data Protection Act in 2017. The result is a reform that came into force on 1st September 2023. The aim of this reform is to guarantee better protection of the private sphere of people concerned by the processing of their personal data, by improving both the transparency of that processing and the right of access to the data. It also seeks to maintain the compatibility of Swiss law with European law, and thus to preserve the free circulation of data while guaranteeing Switzerland’s competitiveness.
Main changes introduced by the new content of the Data Protection Act
The revised DPA provides for immediate application, i.e. without any transition period for compliance with the new obligations. As a result, the companies affected by the new provisions (for a certain number of provisions, the majority of Swiss companies) have had to adjust to them very quickly.
The first major change introduced by this revision is that the legislator has abandoned the rules on data protection for legal entities. However, this will have little impact in practice, since the data of legal entities is otherwise protected by Articles 28 et seq. of the Swiss Civil Code and by the laws on unfair competition and copyright.
Another more significant change is the definition of “sensitive” data. The definition of sensitive data is fundamental to the DPA system, as this type of data is subject to enhanced protection on the grounds that its disclosure may have harmful consequences for the privacy of the individuals concerned. Sensitive data under the revised DPA includes data relating to religious, philosophical, political or trade union opinions or activities, data relating to health, privacy or racial or ethnic origin, genetic data, biometric data where it uniquely identifies a person, data relating to criminal or administrative proceedings or sanctions and, lastly, data relating to social welfare measures. One of the aims of extending the definition of sensitive data is to include fingerprints or voice prints, where these can be used to identify a person.
Technical progress has brought new data processing methods capable, in particular, of recording large quantities of data, linking them together and analysing them with mathematical and statistical processes in order to derive information about individuals. In response, the revision of the DPA replaces the term “personality profile” with the term “profiling”. This new term covers any type or method of data processing, in particular automated assessments of certain personal aspects of a natural person; the “personal aspects” referred to here include the “work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements” of the natural person in question. In addition to “profiling”, the law now also defines “high-risk profiling”, i.e. any profiling that entails a high risk for the personality or fundamental rights of the data subject because it makes it possible to “assess the essential personal characteristics” of a natural person. As a consequence of these new qualifications, all profiling by federal bodies will require authorisation with a legal basis.
The principles of “Privacy by design” and “Privacy by default” have been introduced in the new law. From now on, companies will be required to put in place, by default and right from the design stage, technical and organisational measures to comply with data protection regulations.
Transparency in data processing has been improved by consolidating the right of data subjects to access their data and the right to be informed as to whether or not personal data is being collected. The new provisions lay down an obligation to provide prior information to any person whose data is to be collected. The data controller is obliged to provide data subjects with the information they need to exercise their rights. The right of all data subjects to receive their data in electronic format is also guaranteed. Lastly, anyone may also request that their data be rectified or deleted. It is therefore recommended that companies establish a procedure for responding rapidly to any request for information or deletion of data.
Where data is transferred abroad, the information on data collection must mention the countries to which the data is transferred and either the level of protection offered there or the safeguards that have been put in place to ensure adequate protection. The list of countries offering an adequate level of protection is now set out in the ordinance implementing the Act. For countries that are not on the list, personal data may only be transferred if there is an adequate level of protection in the country of destination. In substance, such protection may result from an international treaty, contractual data protection clauses communicated in advance to the Federal Data Protection and Information Commissioner (FDPIC), specific guarantees drawn up by a federal body and communicated to the FDPIC, standard data protection clauses previously approved, drawn up or recognised by the FDPIC, or binding company rules previously approved. Derogations are possible in certain specific cases, which are listed exhaustively. As a result, companies will have to determine to which countries the data is transferred (for example, where data is stored in the cloud), determine the level of protection offered by that country, determine whether other guarantees are in place if the country in question is not on the Federal Council’s list, or determine whether an exception is justified in the light of the restrictive catalogue provided by law.
In the age of robo-advisors, there is also a new obligation to inform data subjects of any decision taken exclusively on the basis of fully automated processing of personal data. In other words, the revised DPA imposes a duty to inform when a decision is taken exclusively by software.
Companies will also have to establish and maintain a register of their data processing activities, which must be regularly updated. Companies with fewer than 250 employees whose data processing presents a low risk of damage to personality are exempt from this measure. The exemption is only available if the data processing carried out by the company does not involve large-scale processing of sensitive data or constitute high-risk profiling. Companies that qualify for the exemption should nevertheless assess whether keeping a register of data processing activities would be useful even in the absence of a legal obligation, and should verify that the conditions for the exemption are actually met.
The revision encourages those responsible for data processing to take responsibility for their actions, in particular by allowing professional and business associations to draw up their own code of conduct and submit it to the FDPIC. Approval by the FDPIC establishes a legal presumption that the behaviour defined in the code complies with data protection law.
The revision introduces a genuine obligation to carry out impact assessments, along the lines of those already provided for federal bodies. These assessments are only compulsory where the data processing is likely to entail a high risk for the personality or fundamental rights of the data subjects. However, an impact assessment may be waived if the system, product or service used is certified by an approved or independent certification body, or if an approved code of conduct is complied with. Where it must be carried out, the impact assessment will include a description of the processing envisaged, an assessment of the risks to the data subject’s personality or fundamental rights, and the measures planned to protect the data subject’s personality and fundamental rights. As the law lays down no specific methodology, it is advisable to follow the recommendations of the European supervisory authorities.
Finally, the revision introduces a general obligation to inform the FDPIC and the data subject, as soon as possible, of any security breach that is likely to result in a high risk to the personality or fundamental rights of the data subject. Until now, this duty to report existed only for institutions supervised by FINMA.
The aim of the new version of the DPA is to strengthen consumer confidence in the processing of their personal data. This comes at a cost to the data controllers, i.e. generally the companies. However, Swiss companies offering services in European Union member states and subject to EU Regulation 2016/679 have already made the greatest effort, since implementing that regulation essentially already involves compliance with the new provisions of the DPA.