New DPA enters into force on September 1, 2023

What did the Federal Council decide today?

While Parliament had approved the new Swiss Data Protection Act (DPA) already in September 2020 (see our Bulletin of September 25, 2020 and the text of the DPA available here), the revision of the Data Protection Ordinance (DPO) continued until today. On August 31, 2022, the Federal Council now adopted the new DPO (available here)[1] and decided that the new DPA and the new DPO shall enter into force on September 1, 2023. At the same time, the Federal Council also adopted the new Ordinance on Data Protection Certifications. With this, the legislative work on the revision of the Swiss data protection law is complete.

What is the impact of today’s decisions of the Federal Council?

With today’s decisions by the Federal Council, it is clear which implementing provisions must be taken into account in addition to the DPA and when the revision will enter into force. Companies are now required to take the necessary steps to ensure compliance with the requirements of the new DPA and the DPO by September 1, 2023.

What are the most important regulations of the Data Protection Ordinance?

The following provisions of the DPO are to be highlighted for companies:

• In the area of data security, the DPO specifies the principle of the adequacy of data security in that the need to protect personal data and the risks to the personality and fundamental rights of the data subject must be assessed on the basis of the criteria set out in the DPO. In addition, the DPO defines the protection goals and certain technical and organizational measures that should allow these goals to be achieved.
• The obligation to log certain data processing activities, which was heavily criticized in the consultation, remains in place despite calls to the contrary. Although the obligation has been restricted compared to the draft released for consultation a year ago, the requirement has not become any clearer. Private data controllers and data processors who process sensitive personal data on a large scale by automated means or who carry out high-risk profiling must now log the storage, modification, reading, disclosure, deletion and destruction of the data if the preventive measures taken are not sufficient to guarantee data protection. The log must be kept for at least one year, separately from the system in which the personal data is stored. The scope of this requirement, which is far-reaching for both data controllers and data processors, remains unclear. In particular, it will have to be clarified when sensitive personal data is processed «on a large scale» and when «preventive measures do not guarantee data protection». In the explanatory report, the Federal Office of Justice takes the position – surprisingly and without reasoning – that the latter is only rarely the case. This is not convincing, since ensuring data protection is a fundamental premise for all data processing activities.
• Furthermore, the DPA provides for an obligation of private data controllers and data processors to issue and regularly update regulations for automated data processing if they process particularly sensitive personal data on a large scale by automated means or carry out high-risk profiling.
• For data processing through processors, the clarification that the authorization of subcontractors can be granted both specifically (i.e. in relation to a specific subcontractor) and generally is welcome. In the latter case, the DPA requires information about intended changes and a right of objection in favor of the controller.
• The DPA then specifies further obligations of the controller, in particular the modalities of the duty to inform data subjects, the duration of the retention of the data protection impact assessment, as well as the requirements for the notification of data breaches to the FDPIC. Furthermore, certain modalities of the data subject’s right to information as well as the right to data surrender and transfer are regulated.
• Finally, the DPA states that the obligation to keep a processing record does not apply to companies that employ fewer than 250 people on January 1 of any given year (whereby the level of employment should not play a role) and that neither process particularly sensitive personal data on a large scale nor carry out high-risk profiling.

Which countries does the Federal Council acknowledge to have an adequate level of data protection?

Annex 1 of the DPO lists those countries which have appropriate data protection legislation. In principle, the disclosure of personal data to these countries is permitted. In particular, the list includes all member states of the EU and the EEA and the United Kingdom, as well as Canada in certain areas. Furthermore, the list includes: Andorra, Argentina, Faroe Islands, Gibraltar, Guernsey, Iceland, Isle of Man, Israel, Jersey, Monaco, New Zealand and Uruguay.

Disclosures of personal data to other countries – including in particular to the USA – require either the application of a specific exemption set forth in the DPA or the implementation of alternative protective measures to ensure adequate data protection.

Why is there a need for the Data Protection Ordinance in addition to the DPA?

The DPA empowers the Federal Council to issue certain implementing regulations, which is why the Federal Council adopts the DPO.

Has the new Data Protection Ordinance been toned down from the June 2021 draft?

The draft of the new DPO published in June 2021 was sharply criticized in the public consultation process. This is because the draft contained numerous provisions that would have had a significant impact on the companies subject to the DPA, and which, in terms of content, went far beyond mere implementing provisions. Fortunately, the Federal Council has at least taken partial account of the criticism from the consultation. The final DPO that is now available has been toned down compared to the draft. For example, the Federal Council has considerably streamlined the regulation of the modalities of the duty to inform as well as the requirements for the role of the data protection advisor compared to the draft and has also waived certain written form requirements. However, the final DPO still appears to be excessive in the area of data security requirements, where in particular the implementation of the obligation to log certain data processing appears to be challenging.

What measures are to be undertaken in view of the entry into force of the new DPA?

Projects for implementation of the new DPA in companies should now be tackled promptly so that companies are DPA-compliant on September 1, 2023. For many companies, it will be particularly necessary to review internal processes and documentation (such as data protection declarations, processing records, data protection impact assessments, contracts regarding the processing of personal data, etc.) and, if necessary, update them or introduce new ones. A short checklist giving an overview on implementation work is available for download here.

[1]        An English translation is not yet available.