Swiss data protection law is largely based on the GDPR. However, some deviating terminology and requirements must be implemented in Swiss data protection law.
The Swiss Data Protection Act (DPA) standardizes the information obligations of the controller vis-à-vis the data subject (Art. 19 DPA). In the GDPR, the catalog of information to be provided is formulated conclusively. However, this is not the case in the DSG. The controller must at least inform the person requesting information about the identity of the controller and the purpose of the processing. However, further information is only defined as mandatory in individual cases. Thus, the information obligations of the controller under the DPA are less extensive than under the GDPR. The controller is obliged to provide the data subject with the information required to enable the data subject to enforce his or her rights under the DPA and to ensure transparent data processing. The scope of the information obligations may be indicated by Art. 13, 14 DPA. The DPA also provides for a comprehensive catalog of exceptions where the obligation to provide information does not apply. This is particularly the case in the case of overriding interests of the controller or a third party (Art. 20 DPA). Overall, therefore, only a limited duty to inform can be said to exist. The FADP does not contain any specifications as to how the data subject is to be informed of the aforementioned information. The legal term “in an appropriate manner” is used, which needs to be filled in. Here, too, the GDPR can serve as a guide. The person concerned must only have the opportunity to take note of the information, e.g. in text form. Consent to this information is not required.
Although the FADP contains a legal basis for data processing within a corporate group and exceptions apply to the duty to inform and the right to information, the disclosure of personal data within a corporate group can violate personal rights. Therefore, a legal justification is required as a legal basis for the transfer of personal data within a corporate group. However, the justification for the intra-group transfer of personal data only applies if the personal data of the data subjects and the nature of their processing are relevant and necessary for economic competition. Therefore, the intra-group data processing must be carefully examined and assessed in each individual case. The DPA grants the controller a limited group privilege. However, the GDPR does not recognize such a group privilege and this is completely rejected by the GDPR.
Directory of all data processing
The DPA requires the controller and the order processors to create a directory of processing activities (Art. 12 DPA). This means that the FADP is the same as the GDPR and, as in the GDPR, a list of all data processing activities is required.
Mandatory information in the processing directory is at least the following:
Companies in Switzerland are therefore confronted with the task of recording and documenting all data processing within the company. This can be done within the framework of a data mapping. This inventory is now required for the implementation of the DPA and can lead to an increased initial effort in many companies, as this documentation was not created in the past.
Role of the data protection advisor
The DPA standardizes the role of the data protection advisor, whose tasks are similar to the data protection officer under the GDPR. However, the DPA does not provide for an obligation to appoint the data protection advisor, but recommends the appointment of a data protection advisor pursuant to Art. 10 DPA. According to the DPA, the appointment of a data protection advisor leads to facilitations in case of data processing with a high risk for the personality or the fundamental rights of the data subject. The data protection advisor may be consulted to implement appropriate measures to mitigate the high risks to the data subjects. If appropriate IT security measures to mitigate this risk are possible and are implemented, consultation with the Swiss Federal Data Protection and Information Commissioner (FDPIC) is not required. This is in line with the requirements of the data protection impact assessment of the GDPR.
Data protection representation
In the case of data processing by a controller based abroad, a representative in Switzerland must be appointed if the controller processes personal data of individuals in Switzerland and the data processing is related to the offering of goods and services or the monitoring of the behavior of individuals in Switzerland. If the processing of personal data of individuals in Switzerland is extensive or regular, or if it involves a high risk for the data subjects, a representative in Switzerland must also be appointed. This provision also exists in the GDPR, so a Swiss company is also required to appoint a representative in the EU if the Swiss company processes personal data of individuals who are located in the EU and goods or services are offered to these individuals or their behavior is monitored (Art. 3 GDPR).
Sanctions and fines
The DPA provides for much milder fines than the GDPR. If a person, e.g. an employee, violates regulations of the DPA, this person faces a fine of up to CHF 250,000, – (approx. EUR 234,740). The limitation period in this case is 5 years. The difference to the GDPR is that the penalty is not linked to the responsible company, but explicitly to the natural person concerned. Should the identification of the responsible persons mean a disproportionate effort for the supervisory authority, in such a case the company instead of the responsible person can be fined CHF 50,000 (approx. EUR 46,940) (Art. 64 DPA).
Services of the law firm
We can support your company, organization or institution in the implementation of the DPA legally, as well as technically in all questions and problems. Our law firm offers the following services for this purpose: