Swiss data protection law (DSG)

Swiss data protection law (the Federal Act on Data Protection, DSG in German, rendered in English as FADP or DPA; the abbreviations are used interchangeably below) is largely aligned with the GDPR. However, it uses some deviating terminology and imposes some requirements of its own, which companies subject to Swiss law must implement.

Information requirements

Group privilege

The DPA grants the controller a limited group privilege. Although the FADP contains provisions on data processing within a corporate group, including exceptions to the duty to inform and to the right of access, disclosing personal data within a group can still violate the personality rights of the data subjects, and where it does, a justification is required. The justification for intra-group transfers applies only if the personal data of the data subjects and the nature of their processing are relevant and necessary in the context of economic competition. Intra-group data processing must therefore be examined and assessed carefully in each individual case. The GDPR, by contrast, recognizes no such group privilege.

Directory of all data processing

The DPA requires controllers and processors to keep a record of processing activities (Art. 12 DPA). On this point the FADP matches the GDPR, which imposes the same duty in Art. 30 GDPR. Art. 12 para. 5 DPA allows the Federal Council to exempt companies with fewer than 250 employees whose processing carries only a low risk of violating the personality rights of the data subjects; all other companies must document every processing activity.
The record must contain at least the following:

  • the identity of the controller;
  • the purpose of the processing;
  • a description of the categories of data subjects and the categories of personal data processed;
  • the categories of recipients;
  • if possible, the period of retention of the personal data or the criteria for determining this period;
  • if possible, a general description of the measures taken to ensure data security (appropriate technical and organizational measures to prevent breaches of data security);
  • if the data is disclosed abroad, an indication of the country and the guarantees by which appropriate data protection is ensured.

Companies in Switzerland are therefore faced with the task of recording and documenting every data processing activity in the company, which can be done as part of a data mapping. This inventory is a prerequisite for implementing the DPA and can mean considerable initial effort, since many companies have never created such documentation.

Role of the data protection advisor

The DPA formalizes the role of the data protection advisor, whose tasks resemble those of the data protection officer under the GDPR. Unlike the GDPR, the DPA does not oblige private controllers to appoint one; Art. 10 DPA merely provides for the option. Appointing an advisor does, however, bring relief for high-risk processing: where a data protection impact assessment shows that the planned processing still carries a high risk for the personality or fundamental rights of the data subjects despite the planned measures, the controller must otherwise consult the Swiss Federal Data Protection and Information Commissioner (FDPIC) in advance. A private controller that has consulted its data protection advisor may dispense with that consultation (Art. 23 DPA). If suitable technical and organizational measures reduce the risk so that it is no longer high, no consultation with the FDPIC is needed in the first place. This mirrors the impact assessment and prior consultation mechanism of the GDPR (Art. 35 and 36 GDPR).

Data protection representation

A controller based abroad must appoint a representative in Switzerland if it processes personal data of individuals in Switzerland and the processing meets all of the following conditions: it is related to offering goods or services to, or monitoring the behavior of, individuals in Switzerland; it is extensive; it is regular; and it carries a high risk for the personality of the data subjects (Art. 14 DPA). These conditions are cumulative, so a foreign controller whose processing of data of individuals in Switzerland is only occasional or low-risk does not need a representative. The GDPR contains a corresponding provision: a Swiss company must appoint a representative in the EU if it processes personal data of individuals located in the EU and offers goods or services to them or monitors their behavior (Art. 3 para. 2 and Art. 27 GDPR).

Sanctions and fines

The DPA provides for much milder fines than the GDPR. A natural person, for example an employee, who intentionally violates certain duties under the DPA (such as the duties to inform and to provide access, the duties of care, or professional confidentiality) faces a fine of up to CHF 250,000 (approx. EUR 234,740); the limitation period is five years. The difference from the GDPR is that the penalty is directed not at the responsible company but explicitly at the natural person concerned. Only where a fine of at most CHF 50,000 (approx. EUR 46,940) is at stake and identifying the responsible natural persons would require a disproportionate investigative effort may the prosecuting authority fine the company instead of the individual (Art. 64 DPA).

Services of the law firm

We can support your company, organization or institution in implementing the DPA, both legally and technically, on all questions and problems. Our law firm offers the following services for this purpose:

  • Assumption of the function of the external data protection advisor
  • Support of the internal data protection advisor
  • Carrying out an as-is analysis or an audit on data protection
  • Preparation of an action plan for implementing the DSG, prioritized by liability risk
  • Annual planning meeting on data protection with management and commercial management
  • Derivation of the measures required by the DSG for the following year in order to ensure an appropriate level of data protection in the company, organization or institution
  • Creation of a data mapping as part of the recording of the most important IT applications
  • Preparation of the data protection documents required under the Data Protection Act (DSG)
  • Creation of a data workflow as part of the legal safeguarding of international and intra-group data transmission
  • Fulfillment of requirements for international data transfer and group data processing (HR systems, ERP systems, etc.)
  • Data protection and IT security for cloud applications
  • Data protection in hospitals, medical practices, medical care centers and pharmacies
  • Data protection in social institutions (addiction counseling, family counseling, child and youth welfare, care facilities, residential homes, daycare centers, etc.)
  • Preparation and conclusion of agreements on commissioned processing
  • Creation of a directory of all data processing activities
  • Data protection-compliant handling of mobile working (agreement on mobile working, work instructions on mobile working)
  • Creation of visitor form with questions on the pandemic
  • Creation of a corporate policy on the pandemic
  • Creation of documents to fulfill information obligations
  • Conducting the necessary data protection impact assessments (MS Office 365, video surveillance, electronic personnel file, applicant management)
  • Review of technical and organizational measures (IT security measures)
  • Implementation of employee data protection requirements (electronic personnel file/paper file, applicant management)
  • Review of the company website (privacy policy, imprint, cookie banners, tracking tools)
  • Creation and negotiation of policies in the company, organization or institution (email/internet use, access control/time recording, video monitoring, MS-Office 365, cloud solutions, electronic personnel file, etc.)
  • Creation of training materials and delivery of data protection training (general classroom training, special training for executives, HR, IT, branding, sales, and public relations)
  • Creation of training materials on data protection as e-learning
  • Creation of training videos on data privacy and IT security
  • Introduction of a process for handling data protection violations
  • Implementation of data subject rights requirements (information, deletion, correction, etc.)
  • Preparation of consent forms, especially for filming and photographs
  • Data protection in public relations, press, marketing and sales
  • Data protection in social media (social media guideline, implementation of the ECJ’s Facebook ruling, WhatsApp)
  • Regulation of legal conditions for video surveillance (IT security, product assessment, contract for order processing, pictogram)
  • Fulfillment of legal requirements for access control and time recording
  • Advice on the use of drones
  • Assessment of new IT systems (system data protection)
  • Workshops on data protection issues (data protection forum)
  • Creation of work and organizational instructions (mobile working, systems for video conferencing, dealing with social media, etc.)