The time has come: The newly revised Federal Act on Data Protection, adopted in September 2020, has come into force. What exactly has changed? Why has it changed? And how exactly will this affect your company?
On September 1st 2023, the revised Federal Act on Data Protection (nFADP) as well as the new Data Protection Ordinance and the new Ordinance on Data Protection Certifications will come into force. Entrepreneurs must now deal with these changes and then implement them. As always, Atlanto wants to help them through this challenge. This blog post is designed to clear up any confusion and help with implementation.
Why Is a New Federal Act on Data Protection Necessary?
Did you know that the first act on data protection in Switzerland was passed in 1992? Let us think back for a moment: In ’92, the World Wide Web was barely 3 years old, and the smartphone had just been invented, still without an internet connection. It would be almost 20 years before iPhones and Android smartphones would be sold. The term “social media” was hardly known at that time.
Today, the world looks very different. By now, everyone has a mobile phone and access to the internet. Even children use social media these days! It is therefore obvious that a revision of the FADP would be necessary.
Another reason for the change is the EU. These adjustments ensure that Switzerland can be recognised by the EU as a country with an adequate level of data protection, which means that data can continue to be transferred between companies in the EU states and companies in Switzerland without any problems. Swiss entrepreneurs thus remain competitive abroad.
As you can see, it is not about making life difficult for you. The state does not have it out for entrepreneurs. Quite the opposite: The aim is to protect personal data more comprehensively.
How Has the Federal Act on Data Protection Changed?
- The Federal Act on Data Protection is now limited to the protection of natural persons – instead of legal persons as before.
- Genetic and biometric data are now also considered particularly worthy of protection.
- Companies must now inform the data subjects appropriately about any type of data collection, not only about data requiring special protection, as was previously the case.
- Companies are obliged to keep a register of processing activities. All data flows and the purpose of their processing must be documented. SMEs whose processing of personal data poses only a low risk are exempt from this obligation.
- Companies are obliged to carry out a data protection impact assessment if data processing entails a high risk to the personality or fundamental rights of the data subjects.
- Automatic data processing (profiling) is also newly regulated. In this regard, the consent of the natural person must be obtained if the profiling involves a high risk.
- Data security breaches must be reported immediately to the Federal Data Protection and Information Commissioner (FDPIC).
However, not everything is going to change. The basic considerations and requirements for permissible data processing remain the same as in the old Data Protection Act:
- Personal data must be processed lawfully.
- Processing must be carried out in good faith.
- Personal data may only be obtained for a specific purpose that is easily recognisable to the data subject.
- Data must be destroyed or anonymised as soon as it is no longer required for the purpose of processing.
- Anyone who processes personal data must ensure that it is accurate.
- Explicit consent is required for the processing of particularly sensitive personal data.
How Can the Federal Act on Data Protection Be Implemented?
If you operate a website, it is mandatory under Art. 19 of the new Federal Act on Data Protection to inform customers about data collection. This is usually done with a Data Protection Statement. In other words, a Data Protection Policy is now mandatory for your website.
This is particularly important as entrepreneurs face heavy sanctions, and likely reputational damage, for non-compliance. Furthermore, strong data protection and open communication promote customer loyalty.
So how can entrepreneurs implement the new FADP? First and foremost, data protection should be given priority. But do not worry: There is no need to start from scratch. It is best to analyse the current situation first. Where are there still risks? How can you improve?
Many entrepreneurs find it helpful to appoint a Data Protection Officer (DPO) responsible for data protection within the company.
It is also recommended to keep a register of processing activities (see Article 12 of the FADP). This register should list, among other things, data subjects and personal data, as well as its recipients and the retention period.
Furthermore, it should be specified how the right to information and data protection impact assessments are to be handled in the future. All employees, but especially those who work with websites or personal data, should be informed about these processes.
It all sounds like a lot of work. But at Atlanto, no company is on its own. In our blog you will find further support in everything that has to do with business and law. In any case, we recommend visiting the website of the Swiss Confederation, where you will find further information on the revised Federal Act on Data Protection.
Do you have further questions about the new data protection act? We recommend that you seek help from YLEX. They will be happy to help you with a legally compliant data protection statement.