Switzerland is catching up!  

Konstantin Steger

10 November 2023

Switzerland is catching up!  

Is this the new Swiss GDPR? 

Well, it's finally here. Switzerland is introducing its new Data Protection Act (DSG). And inside it, you'll find some articles borrowed from the EU's GDPR.  

Swiss Data Protection Act 

Switzerland's Data Protection Act, coming into force on 01.09.2023, forms the backbone of data protection in the country, regulating the handling of personal data in various contexts. From collection to processing, storage, and deletion – every company and organization covered by the scope of application and working with personal information is obligated to adhere to the provisions of the Data Protection Act, much like the GDPR does in Europe. 

The protection of privacy is a human right, enshrined in Swiss data protection law as well. An important aspect of the law is the enhancement of individuals' rights concerning their personal data. People have the right to know what data is being collected about them and, in many cases, can request the deletion or correction of this data. 

However, the Data Protection Act doesn't only concern individuals but also businesses. It sets clear guidelines on how companies may collect, store, and use personal data. This not only safeguards individuals' rights but also fosters consumer trust in companies that handle their data responsibly. 

Compliance with data protection regulations is crucial for businesses. Violations can result not only in legal consequences but also in long-term damage to a company's reputation and trust among its customers. A comprehensive understanding of the Data Protection Act and proactive implementation of relevant measures are essential to meet these requirements. 

Switzerland's Data Protection Act represents a milestone in securing privacy and data protection. It establishes clear structures for handling personal data and strengthens individuals' rights. Companies must be aware that data protection is not just a legal requirement but also a fundamental element for earning the trust of their customers and partners. 

Data Protection Act 2023: The Updates 

The revised DSG introduces several significant changes that businesses and organizations in Switzerland should closely monitor.  

Provision of comprehensive information on data processing 

One prominent aspect concerns the obligation to provide information, which now applies to all controllers, not just for the processing of highly sensitive data or federal authorities. This duty includes disclosing contact details of the controller, the purpose of processing and if applicable, the recipients to which personal data is disclosed. 

Data Protection Impact Assessment 

The introduction of Data Protection Impact Assessments (DPIA) is also announced. According to Article 22, it is clearly stipulated that the controller must, in the case of data processing likely to result in a high risk to the rights and freedoms of natural persons, conduct an assessment of the impact of the planned data processing on the protection of personal data beforehand. Should significant risks with adverse consequences arise nevertheless, additional steps are required. 

Notifications of data security breaches 

As in the GDPR, the Swiss Data Protection Act now includes an obligation for the controller to report certain data security breaches to the FDPIC - the Swiss data protection authority. 

This reporting obligation applies to data security breaches that are likely to result in a high risk to the personality or fundamental rights of the data subject. 

Records of Processing Activities 

Requirements for documenting processing activities have also been expanded. Similar to the GDPR, both controllers and processors are now required to maintain such records under the Data Protection Act (DSG). This record must include information about the controller's identity, the purpose of data processing, recipients of the data, retention periods, and data security measures implemented. 

Privacy by Default 

The concept of Privacy by Design is also incorporated in the revised Data Protection Act under Article 7. This means that when designing technical data processing processes, attention must be given to minimizing data collection. "Privacy by Design" entails developers integrating data protection and respect for users' privacy into the structure of products or services that collect personal data. The principle of "Privacy by Default" ensures that when a product or service is launched, it already has the highest possible level of security activated. This means that all necessary measures for data protection and limiting its use are activated by default, without user intervention. In other words, all software, hardware, and services must be configured to securely store data and ensure user privacy. 

Technical and Organizational Measures (TOMs) 

Data processing security has been given increased importance. Controllers and processors must take appropriate technical and organizational measures (also known as "TOMs") to ensure data security, as per the new regulations. According to the new provisions, both controllers and contracted data processors must take suitable technical and organizational measures to ensure a level of security appropriate to the risk. These measures aim to prevent security breaches. 

Conclusion and outlook for the future 

Although it was inspired by the GDPR and replicates key provisions, the DPA is significantly less detailed than the GDPR, which is why it can also be regarded as "GDPR Light". As a result, Swiss companies that already had to comply with the GDPR will find it easy to comply with the new data protection law in Switzerland. For the rest, however, the revised law does entail some new tasks in order to be able to continue to act in compliance with the data protection law. 

Finally, it should be expressly mentioned at this point, that EU companies may also be affected by the revised Swiss data protection law, especially if they have business relationships, branches or activities in Switzerland. The Swiss Data Protection Act applies to the processing of personal data within Switzerland, regardless of whether the data is processed by Swiss companies or by foreign companies. If an EU company processes personal data of individuals in Switzerland or offers services to Swiss customers, they must comply with the provisions of the Swiss Data Protection Act. Although EU companies will be familiar with many of the regulations, as already discussed, the differences between the two sets of regulations must still be taken into account, in order to be well equipped in terms of data protection law in the future.