Impact of the revised Data Protection Act on companies entrusted with federal public tasks

Korbinian Petzi

Philipp Rosenauer
Partner Legal, PwC Switzerland

The future revised Federal Act on Data Protection (FADP) introduces stricter regulations compared to the current regime. Federal authorities and services, as well as companies entrusted with federal public tasks (e.g. pension funds within the mandatory area of the occupational pension fund system), collectively referred to as "federal bodies", are also affected. A violation of the obligations imposed by the revised FADP may result in criminal sanctions directed against the acting persons.

The revised FADP is final and expected to enter into force mid/end 2022 with the revised implementing ordinance to the FADP (DPO). The final version of the revised DPO is not yet available. However, in order to be prepared at the time of entry into force, federal bodies should take action now.


The following obligations under the revised data protection law should be highlighted:

  • According to the preliminary draft of the DPO, the appointment of a data protection advisor will be mandatory for federal bodies in the future.
  • Federal bodies, regardless of size, will likely be required to maintain an inventory of their processing activities.
  • The revised FADP reinforces the existing principles of the “right to be forgotten” and storage limitation, which requires the introduction of appropriate deletion rules and a deletion concept.
  • Data security breaches must be reported to the Federal Data Protection and Information Commissioner and the affected persons under certain conditions.
  • When a third party (“processor”) is commissioned, certain aspects (e.g. data security, subcontracting) should be mandatorily regulated by contract.

What is the need for action?

Federal bodies should review their processes for compliance with the new requirements and make the necessary adjustments, taking into account the size and nature of the company, specifically:

  • Determine the need for a data protection advisor now. Federal bodies are largely free in their choice, subject to the advisor’s independence and freedom from instructions.
  • Draw up a list of processing activities. This includes, among other things, the purpose of the processing as well as the (categories of) personal data processed, the data subjects and the recipients (including the countries to which personal data are disclosed).
  • Define a concept for the retention / deletion of data as well as technical and organisational measures to ensure data security. This may also require adjustments to the IT systems, which is why swift action is particularly important here.
  • Develop a process to implement data breach notification requirements.
  • Create a list of processors and review existing agreements.

PwC supports various public sector companies in implementing data protection compliance.
