{"id":23685,"date":"2023-12-04T18:49:16","date_gmt":"2023-12-04T17:49:16","guid":{"rendered":"https:\/\/www.fbt-avocats.ch\/?p=23685"},"modified":"2025-10-20T11:12:04","modified_gmt":"2025-10-20T10:12:04","slug":"new-developments-in-data-protection","status":"publish","type":"post","link":"https:\/\/www.fbt-avocats.ch\/en\/new-developments-in-data-protection\/","title":{"rendered":"New developments in data protection"},"content":{"rendered":"<div  data-size='featured_large'  data-lightbox_size='large'  data-animation='slide'  data-conditional_play=''  data-ids='23995'  data-video_counter='0'  data-autoplay='false'  data-bg_slider='false'  data-slide_height=''  data-handle='av_slideshow'  data-interval='5'  data-class=' avia-builder-el-0  el_before_av_heading  avia-builder-el-first   '  data-css_id=''  data-scroll_down=''  data-control_layout='av-control-default'  data-custom_markup=''  data-perma_caption=''  data-autoplay_stopper=''  data-image_attachment=''  data-min_height='0px'  data-default-height='42'  class='avia-slideshow avia-slideshow-1  av-control-default av-default-height-applied avia-slideshow-featured_large av_slideshow  avia-builder-el-0  el_before_av_heading  avia-builder-el-first    avia-slide-slider '  itemprop=\"ImageObject\" itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/ImageObject\" ><ul class='avia-slideshow-inner ' style='padding-bottom: 52.333333333333%;' ><li  class=' av-single-slide slide-1 ' ><div data-rel='slideshow-1' class='avia-slide-wrap '   ><img src='https:\/\/www.fbt-avocats.ch\/wp-content\/uploads\/2024\/01\/7.jpg' width='1200' height='628' title='7' alt=''  itemprop=\"thumbnailUrl\"   \/><\/div><\/li><\/ul><\/div>\n<div style='padding-bottom:10px; font-size:26px;' class='av-special-heading av-special-heading-h1  blockquote modern-quote  avia-builder-el-1  el_after_av_slideshow  el_before_av_hr   av-inherit-size '><h1 class='av-special-heading-tag '  itemprop=\"headline\"  >New developments in data protection<\/h1><div class ='av-subheading av-subheading_below  ' style='font-size:15px;'><p>BSL The Guide to banking in Switzerland &#8211; November 2023<br \/>\nFr\u00e9d\u00e9rique Bensahel<\/p>\n<\/div><div class='special-heading-border'><div class='special-heading-inner-border' ><\/div><\/div><\/div>\n<div style='height:30px' class='hr hr-invisible   avia-builder-el-2  el_after_av_heading  el_before_av_button  '><span class='hr-inner ' ><span class='hr-inner-style'><\/span><\/span><\/div>\n<div class='avia-button-wrap avia-button-left  avia-builder-el-3  el_after_av_hr  el_before_av_hr  '><a href='https:\/\/www.fbt-avocats.ch\/wp-content\/uploads\/2023\/11\/BSL-2024-nLPD.pdf'  class='avia-button   avia-icon_select-no avia-color-theme-color avia-size-large avia-position-left '  target=\"_blank\"   ><span class='avia_iconbox_title' >Download pdf<\/span><\/a><\/div>\n<div style='height:30px' class='hr hr-invisible   avia-builder-el-4  el_after_av_button  el_before_av_textblock  '><span class='hr-inner ' ><span class='hr-inner-style'><\/span><\/span><\/div>\n<section class=\"av_textblock_section \"  itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock  '   itemprop=\"text\" ><p><strong>Today, data collection is a key development tool for businesses but it is also a <\/strong><strong>source of great concern for individuals. In such an environment, data protection <\/strong><strong>has become a major issue. The Federal Data Protection Act (DPA), which came into <\/strong><strong>force in 1993, is a safeguard against abuse. Its purpose is to regulate the processing and <\/strong><strong>disclosure of data both in the public and private sectors. It also confers a fundamental right <\/strong><strong>on individuals: the right to access their own data.<\/strong><\/p>\n<p>At the same time as companies are increasingly attracted by data, legislators are seeking to protect the people whose data is used, usually without their knowledge. Switzerland launched the revision of the Data Protection Act in 2017. The result is a reform that will come into force on 1st September 2023. The aim of this reform is to guarantee better protection of the private sphere of people concerned by the processing of their personal data by improving, on the one hand, the transparency of this processing and, on the other hand, the right of access to this data, but also to maintain the compatibility of Swiss law with European law and thus preserve the free circulation of data, while guaranteeing Switzerland\u2019s competitiveness.<\/p>\n<\/div><\/section>\n<div style='padding-bottom:10px; font-size:20px;' class='av-special-heading av-special-heading-h2  blockquote modern-quote  avia-builder-el-6  el_after_av_textblock  el_before_av_textblock   av-inherit-size '><h2 class='av-special-heading-tag '  itemprop=\"headline\"  >Main changes introduced by the new content of the Data Protection Act<\/h2><div class='special-heading-border'><div class='special-heading-inner-border' ><\/div><\/div><\/div>\n<section class=\"av_textblock_section \"  itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock  '   itemprop=\"text\" ><p>The revised DPA provides for immediate application, i.e. without any transition period for compliance with the new obligations. As a result, companies affected by the new provisions \u2013 i.e. the majority of Swiss companies for a certain number of provisions \u2013 have had to adjust to the new provisions very quickly.<\/p>\n<p>The first major change introduced by this revision is that the legislator has abandoned the rules on data protection for legal entities. However, this will have little impact in practice, since the data of legal entities is otherwise protected by Articles 28 et seq. of the Swiss Civil Code and by the laws on unfair competition and copyright.<\/p>\n<p>Another more significant change is the definition of \u201csensitive\u201d data. The definition of sensitive data is fundamental to the DPA system, as this type of data is subject to enhanced protection on the grounds that its disclosure may have harmful consequences for the privacy of the individuals concerned. Sensitive data under the revised DPA includes data relating to religious, philosophical, political or trade union opinions or activities, data relating to health, privacy or racial or ethnic origin, genetic data, biometric data where it uniquely identifies a person, data relating to criminal or administrative proceedings or sanctions and, lastly, data relating to social welfare measures. One of the aims of extending the definition of sensitive data is to include fingerprints or voice prints, where these can be used to identify a person.<\/p>\n<p>As a result of technical progress and the emergence of new data processing methods capable in particular of recording large quantities of data, linking them together and analysing them in order to derive information about individuals using mathematical and statistical processes, the revision of the DPA replaces the term \u201cpersonality profile\u201d with the term \u201cprofiling\u201d. This new term now includes any type or method of data processing, in particular automated assessments of certain personal aspects of a natural person; the \u201cpersonal aspects\u201d referred to here include \u201cwork performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements\u201d of the natural person in question. In addition to \u201cprofiling\u201d, the law now also defines \u201chigh-risk profiling\u201d, i.e. any profiling that entails a high risk for the personality or fundamental rights of the data subject in that such profiling makes it possible to \u201cassess the essential personal characteristics\u201d of a natural person. Thanks to these new qualifications, all profiling by federal bodies will require authorisation with a legal basis.<\/p>\n<p>The principles of \u201cPrivacy by design\u201d and \u201cPrivacy by default\u201d have been introduced in the new law. From now on, companies will be required to put in place, by default and right from the design stage, technical and organisational measures to comply with data protection regulations.<\/p>\n<p>Transparency in data processing has been improved by consolidating the right of data subjects to access their data and the right to be informed as to whether or not personal data is being collected. The new provisions lay down an obligation to provide prior information to any person whose data is to be collected. The data controller is obliged to provide data subjects with the information they need to exercise their rights. The right of all data subjects to receive their data in electronic format is also guaranteed. Lastly, anyone may also request that their data be rectified or deleted. It is therefore recommended that companies establish a procedure for responding rapidly to any request for information or deletion of data.<\/p>\n<p>Where data is transferred abroad, the information on data collection must mention the countries to which the data is transferred and the level of protection offered or the safeguards that have been put in place to ensure adequate protection. The list of countries offering an adequate level of protection is now set out in the ordinance implementing the Act; for countries that are not on the list, personal data may only be transferred to them if there is an adequate level of protection in the country of destination, which may result, in substance, from an international treaty, contractual data protection clauses communicated in advance to the Federal Data Protection and Information Commissioner (FDPIC), specific guarantees drawn up by a federal body and communicated to the FDPIC, standard data protection clauses previously approved, drawn up or recognised by the FDPIC, or binding company rules previously approved; derogations are possible in certain specific cases, which are listed exhaustively. As a result, companies will have to determine to which countries the data is transferred (in the case, for example, of storage on a cloud), determine the level of protection offered by that country, determine \u2013 if the country in question is not on the Federal Council\u2019s list \u2013 whether other guarantees are in place, or determine whether an exception is justified in the light of the restrictive catalogue provided by law.<\/p>\n<p>In the age of robot advisors, there is also a new obligation to inform data subjects of any decision taken exclusively on the basis of fully automated processing of personal data. In other words, the revised DPA imposes a duty to inform when a decision is taken exclusively by a software.<\/p>\n<p>Finally, companies will have to establish and maintain a register of data processing activities, which will have to be regularly updated. Companies with fewer than 250 employees, whose data processing presents a low risk of damage to personality, are exempt from this measure. This exemption is only possible if the data processing carried out by the company does not involve large-scale sensitive data or constitute high-risk profiling. For exempted companies, the appropriateness of keeping a register of data processing activities must be analysed in order to determine the usefulness of such a register \u2013 even in the absence of a legal obligation \u2013 and the conditions for exemption.<\/p>\n<p>The revision encourages those responsible for data processing to take responsibility for their actions, in particular by allowing professional and business associations to draw up their own code of conduct and submit it to the FDPIC. The latter\u2019s approval will establish the legal presumption that the behaviour defined in the code complies with data protection.<\/p>\n<p>The revision introduces a genuine obligation to carry out impact assessments, along the lines of those already provided for federal bodies. These analyses are only compulsory in the case of data processing likely to entail a high risk for the personal rights or fundamental rights of the data subjects. However, such impact analyses may be waived if the system, product or service used is certified by an approved or independent certification body, or if the approved code of conduct is complied with. Where it must be carried out, the impact assessment will include a description of the processing envisaged, an assessment of the risks to the data subject\u2019s personality or fundamental rights, and the measures planned to protect the data subject\u2019s personality and fundamental rights. As no specific methodology is laid down in the law, it is advisable to follow the recommendations of the European supervisory authorities.<\/p>\n<p>Finally, the revision introduces a general obligation to inform the FDPIC and the data subject, as soon as possible, of any breach of security that is likely to result in a high risk to the personality or fundamental rights of the data subject. Until now, this duty to report existed only for institutions subject to the supervision of the FINMA.<\/p>\n<\/div><\/section>\n<div style='padding-bottom:10px; font-size:20px;' class='av-special-heading av-special-heading-h2  blockquote modern-quote  avia-builder-el-8  el_after_av_textblock  el_before_av_textblock   av-inherit-size '><h2 class='av-special-heading-tag '  itemprop=\"headline\"  >Conclusion<\/h2><div class='special-heading-border'><div class='special-heading-inner-border' ><\/div><\/div><\/div>\n<section class=\"av_textblock_section \"  itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock  '   itemprop=\"text\" ><p>The aim of the new version of the DPA is to strengthen consumer confidence in the processing of their personal data. However, this comes at a cost to the data controllers, i.e. generally the companies. However, Swiss companies offering services in European Union member states subject to the EU Regulation 2016\/679 have already made the greatest effort, as the implementation of this regulation essentially already involves compliance with the new provisions of the DPA.<\/p>\n<\/div><\/section>\n<div style='height:10px' class='hr hr-invisible   avia-builder-el-10  el_after_av_textblock  el_before_av_textblock  '><span class='hr-inner ' ><span class='hr-inner-style'><\/span><\/span><\/div>\n<section class=\"av_textblock_section \"  itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock  '   itemprop=\"text\" ><p style=\"text-align: right;\"><a href=\"https:\/\/www.fbt-avocats.ch\/en\/portfolio-item\/frederique-bensahel\/\">Fr\u00e9d\u00e9rique Bensahel<\/a><br \/>\nPartner, Geneva<\/p>\n<\/div><\/section>\n<div style='padding-bottom:10px; font-size:20px;' class='av-special-heading av-special-heading-h3  blockquote modern-quote modern-centered  avia-builder-el-12  el_after_av_textblock  el_before_av_hr   av-inherit-size '><h3 class='av-special-heading-tag '  itemprop=\"headline\"  >Share on LinkedIn<\/h3><div class='special-heading-border'><div class='special-heading-inner-border' ><\/div><\/div><\/div>\n<div style='height:50px' class='hr hr-invisible   avia-builder-el-13  el_after_av_heading  el_before_av_one_fifth  '><span class='hr-inner ' ><span class='hr-inner-style'><\/span><\/span><\/div>\n<div class=\"flex_column av_one_fifth  flex_column_div av-zero-column-padding first  avia-builder-el-14  el_after_av_hr  el_before_av_one_fifth  \" style='border-radius:0px; '><\/div>\n<div class=\"flex_column av_one_fifth  flex_column_div av-zero-column-padding   avia-builder-el-15  el_after_av_one_fifth  el_before_av_one_fifth  \" style='border-radius:0px; '><\/div>\n<div class=\"flex_column av_one_fifth  flex_column_div av-zero-column-padding   avia-builder-el-16  el_after_av_one_fifth  el_before_av_one_fifth  \" style='border-radius:0px; '><div class='av-social-sharing-box  avia-builder-el-17  avia-builder-el-no-sibling   '><div class='av-share-box'><ul class='av-share-box-list noLightbox'><li class='av-share-link av-social-link-linkedin' ><a target='_blank' href='https:\/\/linkedin.com\/shareArticle?mini=true&amp;title=New%20developments%20in%20data%20protection&amp;url=https:\/\/www.fbt-avocats.ch\/en\/new-developments-in-data-protection\/' aria-hidden='true' data-av_icon='\ue8fc' data-av_iconfont='entypo-fontello' title='' data-avia-related-tooltip='Share on Linkedin'><span class='avia_hidden_link_text'>Share on Linkedin<\/span><\/a><\/li><\/ul><\/div><\/div><\/div>\n<div class=\"flex_column av_one_fifth  flex_column_div av-zero-column-padding   avia-builder-el-18  el_after_av_one_fifth  el_before_av_one_fifth  \" style='border-radius:0px; '><\/div>\n<div class=\"flex_column av_one_fifth  flex_column_div av-zero-column-padding   avia-builder-el-19  el_after_av_one_fifth  el_before_av_hr  \" style='border-radius:0px; '><\/div>\n<div style='height:50px' class='hr hr-invisible   avia-builder-el-20  el_after_av_one_fifth  avia-builder-el-last  '><span class='hr-inner ' ><span class='hr-inner-style'><\/span><\/span><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Today, data collection is a key development tool for businesses but it is also a source of great concern for individuals. <\/p>\n","protected":false},"author":26,"featured_media":25510,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[655,85],"tags":[276],"datespeciale":[],"yst_prominent_words":[1413,1416,1415,952,957,953,946,1083,948,949,925,956,1414,954,1412,947,951,945,955,950],"class_list":["post-23685","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","category-publications","tag-bsl-banking-in-switzerland-and-liechstenstein-en","competences-banking-and-finance","auteurs-frederique-bensahel-en","date-publication-2023-en","diffusion-groupe-bancaire-en","diffusion-publications-en"],"_links":{"self":[{"href":"https:\/\/www.fbt-avocats.ch\/en\/wp-json\/wp\/v2\/posts\/23685","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.fbt-avocats.ch\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fbt-avocats.ch\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fbt-avocats.ch\/en\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fbt-avocats.ch\/en\/wp-json\/wp\/v2\/comments?post=23685"}],"version-history":[{"count":0,"href":"https:\/\/www.fbt-avocats.ch\/en\/wp-json\/wp\/v2\/posts\/23685\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.fbt-avocats.ch\/en\/wp-json\/wp\/v2\/media\/25510"}],"wp:attachment":[{"href":"https:\/\/www.fbt-avocats.ch\/en\/wp-json\/wp\/v2\/media?parent=23685"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fbt-avocats.ch\/en\/wp-json\/wp\/v2\/categories?post=23685"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fbt-avocats.ch\/en\/wp-json\/wp\/v2\/tags?post=23685"},{"taxonomy":"datespeciale","embeddable":true,"href":"https:\/\/www.fbt-avocats.ch\/en\/wp-json\/wp\/v2\/datespeciale?post=23685"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https:\/\/www.fbt-avocats.ch\/en\/wp-json\/wp\/v2\/yst_prominent_words?post=23685"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}