Data Privacy Day 2023

Compliance with the revised Swiss Federal Act on Data Protection (revFADP) – FAQs

Interview with Philipp Rosenauer, Partner Legal and Head Data Privacy | ICT | Implementationᐩ at PwC Switzerland

Are you assessing whether and to what extent your company is prepared for the fast-approaching implementation of the revFADP on 1 September 2023? To celebrate World Data Privacy Day, Anouk asked Philipp to answer the most frequent questions he receives from his clients about data privacy compliance. 

27.01.2023

The compliance journey is quite complex. Where should we start?

A good place to start is the Record of Processing Activities (RoPA). Not only is it a requirement of the new law to have one, but it also provides a useful insight into your organisation’s overall state of compliance. For example, it will help identify where privacy notices might be missing, what data retention period is applied (if any), how your IT systems are secured, or the third parties with whom you exchange data and the relevant contracts governing these relationships. Once you have identified these gaps, you can start bridging them.

You mentioned the RoPA. What is this?

Let me answer that question by describing what it is NOT. First, the RoPA is not a record of all your company’s data. It is a central inventory, which documents how and for what purpose personal data are processed. Second, the RoPA is not the responsibility of the IT team. Its creation requires collective effort from heads of departments, or so-called ‘Process Owners’, across the company. Finally, the establishment of the RoPA is not a ‘one-time effort’ but rather a ‘living’ document, which requires review and updating.

Must we appoint a Data Protection Advisor (Swiss counterpart to the EU Data Protection Officer)? Where should the DPA sit in the organisation?

Strictly speaking, unlike under the EU GDPR, the appointment of a DPA is not mandatory for private companies under the new law. That being said, we don’t see how the various obligations can realistically be met without one. We highly recommend appointing a DPA or at least a person who takes care of the topic of data protection in the ‘run the business’ phase.

Remember that the responsibility does not need to rest on the shoulders of one individual alone. For example, the DPA function could very well combine someone with adequate knowledge from the compliance team, the IT team, and a member of the sales team with a firm overview of the business activities. Outsourcing the DPA could also be a good alternative.

Is it already enough if a company is GDPR compliant? What needs to be done in such cases?

That’s great! It means that you have most probably already done much of the heavy lifting. Nonetheless, some adaptation work will be needed because your compliance must be addressed from a Swiss point of view, not a European one. Practically speaking, this might for example mean reviewing your data exports to third countries against the FDPIC approved list, entering into Standard Contractual Clauses with a ‘Swiss finish’, or disclosing the countries to which personal data are transferred in your privacy notices. Furthermore, you need to be mindful of the personal nature of the sanctions under the revFADP.

What is needed if a company is part of a larger international group with which personal data are exchanged?

The case of corporate groups sharing data between themselves is not uncommon. For such data transfers to be lawful, you need to set up an intra-group data sharing agreement. It will be important to identify exactly which legal entities are parties to the agreement and their respective responsibility with regard to the transfers (controller/processor). Of particular importance is the identification of what personal data are being shared and why. Also bear in mind the need for SCCs for countries that do not offer an adequate level of data protection compared to Switzerland. The establishment of Binding Corporate Rules would also be advisable. 

"If a company is GDPR compliant, it means that you have most probably already done much of the heavy lifting. Nonetheless, some adaptation work will be needed because your compliance must be addressed from a Swiss point of view, not a European one."

Philipp Rosenauer, Head Data Privacy | ICT | Implementationᐩ at PwC Switzerland

When would the use of privacy management software be recommended?

You might consider investing in privacy management software for a number of reasons. The greater the volume of personal data processed, the harder it is to keep track of them properly and the more attractive a software solution becomes. If your company processes data in multiple jurisdictions that are subject to different privacy legislations, the right technology could also be beneficial. The transparent use of a recognised tool can also be a way of building and maintaining customer trust.

There are many other legislative projects in the EU such as the AI Act, Data Governance Act, Digital Services Act (DSA) etc. To what extent are these relevant for Swiss companies?

Very much like the GDPR, the incoming EU rules and regulations have extra-territorial effect, meaning that they will apply to companies domiciled outside the EU if they offer their services there. Moreover, under some of the regulations – for instance the DSA – Swiss companies without a legal branch in the EU would have to appoint legal representatives. Beyond the direct relevance of the EU regulations for Swiss companies, the other thing to consider is that Switzerland may choose to follow the EU’s lead and implement legislation of its own to govern these hitherto unregulated areas. Those Swiss companies that had previously judged the GDPR to be irrelevant for them now need to quickly play catch-up. Closely following the development of EU regulations in this area is therefore most certainly relevant.

We want to start outsourcing to the cloud, including outside Switzerland. Can we do this, and how?

Migrating to the cloud can have significant business advantages, including greater efficiency and flexibility. However, given the legal landscape – especially where non-Swiss cloud providers are concerned – successful transition to the cloud can be complex. Indeed, until recently, especially in the banking sector, the mentality had been ‘over the border, out of control’. Today, this no longer rings true – provided that the appropriate technical, organisational and contractual measures are put in place. Indeed, before embarking on any cloud outsourcing project, whether purely infrastructure-based or an all-encompassing SaaS, it is important to undertake a thorough legal and technical vendor assessment. This requires joint effort by the legal, business, and IT departments. 

How should we deal with data retention and deletion?

Theoretically, the rule is quite simple. If you no longer need the data to fulfil the purpose for which they were collected and if there are no other obligations that require you to keep them, then you should delete them. Practically speaking, for most companies this is easier said than done because the data are saved in a fragmented, non-unified way across various systems. Designing a strategic, automated deletion concept is therefore very important, and not purely for compliance reasons. If a data subject comes to you asking to exercise their ‘right to be forgotten’, you won’t be able to comply with their request properly unless you know exactly where the data are saved, who needs to delete them, and how.
