During the summer session, Parliament failed to resolve the last differences in the revised FDPA and to help data protection in Switzerland achieve a breakthrough. Accordingly, the last differences will have to be resolved in the autumn session. Whether the FDPA can then still enter into force on 1 January 2021, as originally planned before the Covid-19 pandemic, is rather unrealistic. Nevertheless, it is advisable to use the time to prepare for the new law with appropriate projects. The references are based on the last versions of debate as per June 6, 2020.
2. Conceptual Change
With the revision of the revised FDPA, the legislator is undertaking a paradigm shift. Previously, the focus of the revised FDPA was on the existence of data collections – now the process of data processing is relevant, i.e. the entire data lifecycle, from collection and use to anonymization or deletion. For Swiss companies without any contacts abroad, this is a huge step forward.
3. Scope of Application
a) Personal scope of application
The new FDPA waives the protection of the data of legal persons. Switzerland was so fore one of two countries in the world, protecting as well legal persons personal data. In the view of the Federal Council, the protection of legal persons is already sufficiently guaranteed by other laws (e.g. unfair competition or protection of personality) and is therefore of little practical significance.
b) Territorial Scope of Application
In the revised FDPA, the principle of effect apply. This means that the DPA enshrines what was already applicable in Switzerland by virtue of case law (BGE 136 II 508). If data processing abroad has an effect on the personality of individuals in Switzerland, the Swiss Data Protection Act applies (Art. 2a revised FDPA). It is irrelevant here whether this is done in connection with goods and services provided to data subjects or indirectly by a third party, e.g. in the context of providing a B2B service. As a consequence, the territorial scope of the Swiss law is broader then under GDPR.
4. Newly introduced terms?
The revised FDPA has introduced some new terms respectively there were discussions about it in parliament. It if worth wile it to understand the potential differences to GDPR:
a) Profiling and High Risk Profiling
In the old law, the term personality profile was used to describe a “collection of data that allows an assessment of essential aspects of the personality of a natural person”. In the case of such data, the FDPA leads to higher risks level and equal treatment such as sensitive personal data respectively personal data of a special category. This term is now being replaced by the term profiling, with the old meaning. As these two terms are not identical, this might lead to confusion. The personality profile is the result of an editing process, whereas profiling describes a specific form of data processing. In profiling, personal data is automatically evaluated in order to evaluate the characteristics of a person on this basis. One example is online shops that analyze the surfing behavior of users and then make purchase recommendations to them. In addition, parliaments wants to introduce and additional term of high-risk profiling. According to the most recent parliamentary negotiations (as of 02.06.2020), high-risk profiling is profiling that involves a high risk to the personality or fundamental rights of the data subject, in that it leads to a combination of data that allows an assessment of essential aspects of the personality of a natural person and thus requires a higher level of protection. The Swiss parliament must in is its autumn session still figure it out, whether they want to keep the personality profile concept or make the switch to GDPR compliant terminology.
b) Genetic and biometric data - particularly worth protecting
In the new FDPA, in particular genetic and biometric data that uniquely identify a natural person are covered by the term “particularly sensitive personal data” (Art. 4 lit. c) chip. 4 revised FDPA. The fact that all genetic data should constitute particularly sensitive personal data gave rise to discussions in the parliamentary sessions. Certain parliamentarians fear difficulties, especially for the research sector. However, the proposal to limit this fact was rejected (as of 2.06.2020), which is why genetic data per se will be regarded as particularly sensitive. However, biometric data are only worth of special protection if a natural person can be clearly identified from them. With these definitions, Switzerland is in line with GDPR.
c) Private Person
Private person is a term, which is not defined, but means natural and legal persons. Whereas in the criminal sanctions chapters, the meaning is different. Under private person here is undersood only natural persons as under Swiss law, companies can be criminal responsible only under a very limited use cases.
d) Controller and Processor
Newly introduced are also the terms controller and processor with synonym understanding as under GDPR.
5. Processing Principles
a) General principles
There is no paradigm shift with regard to the processing principles. Swiss law continues to assume that the processing of personal data is in principle permissible as long as the processing principles are observed (Art. 5 FDPA).The processing of personal data must be lawful, in good faith and proportionate. In addition, personal data must be obtained in accordance with a recognizable purpose and be accurate.
b) Justification raisons
Beside the well known justifications reasons, one is in the revised FDPA more detailed ruled: it is the processing of data to check the creditworthiness of the data subject. The following conditions must be met:
- The personal data in question is not particularly sensitive or high-risk profiling
- The data will only be disclosed to third parties if they require the data for the conclusion or the execution of a contract with the data subject.
- The data is not older than five years
- The person concerned is of full age
6. New Obligations and Processes
a) Extended information obligation
In the former FDPA, the duty to provide information when processing personal data was only mandatory, when sensitive data was processed (Art. 14 para. 1 FDPA). In the revised FDPA, the duty to provide information when processing data is extended to all data processing activities by private data controllers.
In this context, the controller must provide the data subject with his or her identity and contact details, the purpose of processing and, if applicable, the recipients or their categories. However, the revision provides for exceptions to the obligation to provide information (Art. 18 revised FDPA) The obligation to provide information does not apply, for example, if the data subject already has the relevant information or if the processing is provided for by law (e.g. when processing social security information).
In addition, the data controller must inform the data subject of a decision based solely on automated processing – including profiling – which entails legal consequence for the data subject. In addition, the data controller must give the data subject the opportunity to express his or her point of view if he or she so requests (Art. 19 revised FDPA).
b) Privacy-by-Design + Default
As with GDPR, also in the revised FDPA the processes of privacy by design and default are now introduced into the law (Art. 6 revised FDPA). However, privacy by default and privacy by design is nothing new as it derives from the principle of proportionality.
c) Extended documentation requirements
The new FADP provides that the controller and the processor must keep a register of their processing activities (Art. 11 revised FDPA).The obligation to notify data bases under the previous law is therefore no longer applicable. For example, the register must state the name, processing purpose and categories of data subjects.
However, the Federal Counsel can define exceptions for organizations with less than 250 employees whose processing don’t bear a high risk for data subjects.
d) Data Protection Adviser
In the new law, the controller and processors can consult with an data protection advisor (Art. 9 para. 1 revised FDPA), which gives them the benefit, not to consult the commissioner (the EDÖB), when processing high risks. A DPO in the sense of the GDPR is not necessary.
e) Data Security
So far the law respectively its ordinance defined the necessary level of security in line with the exposure risk for the data subject and the state of technology. However, in the future the Federal Counsel shall define in future the minimal level of data security. This might not be in the interest of a safer place for data subjects, if the Federal Counsel himself does not connected data security to a generic undefined term or international standards. Such would be necessary due to rapidly changing technology and security attack scenarios.
f) Data protection impact assessment and consultation for high risks
A new provision introduces the obligation to prepare a data protection impact assessment if the envisaged data processing is likely to lead to a high risk to the personality or fundamental rights of the data subject (Art. 20 para. 1 revised FDPA). This brings the FDPA closer to the GDPR. A data protection impact assessment is an instrument for identifying and evaluating risks that may arise for the data subject because of the use of certain data processing operations. On this basis, appropriate measures should be defined, if necessary, to counteract these risks. The high risk results, among other things, from the type of processing and the personal data at stake. In particular, it is present in the case of extensive processing of particularly sensitive personal data, in the case of profiling, or if extensive public areas are systematically monitored (Art. 20 para. 1 revised FDPA).
If the data protection impact assessment shows that, the planned processing would entail a high risk to the personality or fundamental rights of the data subject if the controller did not take measures, the opinion of the Commissioner must be obtained in advance.
Whereas a risk assessment was necessary before as well, the documentation and the consultation to the Commissioner are new instruments.
Private persons responsible with their domicile or residence abroad designate a representation in Switzerland if they process personal data relating to persons in Switzerland and the data processing fulfils the following requirements:
- The data processing is connected with the offering of goods or services in Switzerland or with monitoring the behaviour of these persons.
- The processing is extensive.
- It is a regular processing operation.
- The processing entails a high risk for the personality of the data subjects.
The representative serves as a contact point for the data subjects and the Commissioner. The person responsible shall publish the name and address of the representative. The representative shall keep a register of the processing activities of the controller.
h) International Data Transfers
Principles for the data transfers don’t change and are in line with GDPR. Only one topic is to be aware of as a Swiss company: Binding corporate Rules must be approved by the Swiss Commissioner or by an authority responsible for data protection in a country that guarantees adequate protection. This will lead to the fact that multinational companies will seek approval from EU Commissioner of their lead supervisory authority. It would be welcomed, to have from the EU a reciprocal clause.
i) Notification Duty
The controller shall notify the Commissioner as quickly as possible of any breach of data security that is likely to result in a high risk to the personality or fundamental rights of the data subject. In the notification, he or she shall at least specify the nature of the data security breach, its consequences and the measures taken or envisaged.
The controller shall report a data security breach to the controller as soon as possible, so eventually even earlier than 72 hours.. And the controller shall inform the data subject if this is necessary for his/her protection or if the Commissioner so requests. He may restrict, postpone or waive the provision of information to the data subject. The notification might only be used against the controller for a criminal sanction against him whit his consent.
7. New Powers to the Comissioner
The Comissioner can now order administrative measures such as that the processing be adapted, interrupted or cancelled in whole or in part and that the personal data be deleted or destroyed in whole or in part. He may postpone or prohibit disclosure abroad if it violates the requirements of international personal data transfers.
The Commissioner may exchange information or personal data with foreign authorities responsible for data protection in order to fulfil their respective statutory duties in the area of data protection, provided certain conditions are met such as reciprocal rights.
8. Criminal Sanctions
Private persons, who fail to comply with their duties of information, disclosure, and cooperation or due diligence may in future be punished with fines of up to 250,000 Swiss francs. The same applies to breaches of professional secrecy or disregard of orders. The same fine applies if a private person disregards the decision of the Commissioner.
As outlined above, the critical part would is, that a private person is to be given the fine. The company can only be fined, if a fine not exceeding 50,000 francs is envisaged and if the investigation of the persons liable to prosecution would require investigative measures that would be disproportionate to the penalty imposed, the authority may refrain from prosecuting these persons and in their place order the business operation to pay the fine.
The Swiss legislator has achieved to make the gap between following GDPR and adapting the famous Swiss pragmatism. However, some topic remain open especially in connection with the EU and awaits solutions, such as the recognition of Swiss BCR’s in the EU, the further recognition of Switzerland as a third country with adequate data protection level even if the Swiss fines are not that substantial then in the EU and as well a notification process for data breaches which would recognize notification to the Swiss Commissioner sufficient, without recognition notification to all countries, especially for Swiss companies without a subsidiary in the EU.
Article provided by: Nicole Beranek (de la cruz beranek, Switzerland)
Dr. Tobias Höllwarth (Managing Director INPLP)