With the EU General Data Protection Regulation (GDPR) and the ePrivacy Regulation in full swing, the Swiss Federal Council has brought forward the total revision of the Federal Act on Data Protection (FADP). This will apply to most companies in Switzerland. Here is an overview of the five key changes to enable you to best prepare for the new legislation.
The EU seeks to better protect the personality rights and freedom of data subjects – that is, people whose data is processed. It is for this reason that the EU’s GDPR entered into force in May 2018 and its ePrivacy Regulation has been drafted (forecast to be implemented from 2020 onwards). Switzerland is following the trend in pursuing this topic. This is why the Swiss Federal Council presented its total revision draft of the Federal Act on Data Protection, or FADP, referred to in German as “E-DSG”, in September 2017. This step is intended to increase transparency and strengthen the rights of those involved to codetermine what happens to their data.
The new FADP is very broad and will affect almost every company in Switzerland. We have summarised the most important changes to enable you to best prepare for the new legislation:
1. Sanctions
Contrary to the existing Federal Act on Data Protection, the new draft defines clear sanctions. It stipulates that individuals who intentionally breach the new Swiss Federal Act on Data Protection will face fines of up to CHF 250,000.
2. Reporting data protection breaches
In the event of a data protection breach, data controllers will have to report any increased risk to the personality or fundamental rights of affected individuals to the Swiss Federal Data Protection and Information Commissioner as soon as possible. If necessary, they must also inform the affected individuals.
3. Particularly sensitive personal data
The new Federal Act on Data Protection expands the list of data that fall under the category of sensitive personal data. The new list includes genetic and biometric data (e.g. fingerprints) that unequivocally identify a natural person.
4. Technical design and default settings conducive to data protection
Data controllers and those who process data are to receive more stringent, more precisely defined due diligence obligations. As per the “privacy by design” principle, they will have to take appropriate measures to reduce the risk of privacy breaches during data processing as early as the planning stage. They will also be obligated to ensure, by means of appropriate default settings, that any required personal data is processed solely for the relevant purpose as standard, termed “privacy by default”.
5. Data protection impact assessment
Data controllers and those who process data will be obligated to conduct a data protection impact assessment if ever the data processing in planning will involve an increased risk to the personality or fundamental rights of the affected individual. This has to address both risks and suitable measures.
Summary
Data protection is long since a topic for companies that exceeds the boundaries of IT, placing it firmly on the agenda for managers and decision-makers as part of a comprehensive compliance policy. The EU GDPR, the new FADP, the ePrivacy Regulation and future guidelines require companies to develop a new sensitivity towards the handling and protection of personal data. We believe the right time to do so is now.