Revision of the General Data Protection Regulation: What adjustments apply to Switzerland?

The upcoming application of the European General Data Protection Regulation is putting Swiss businesses to the test. In which areas will there be significant changes, and what are the most important points that Swiss businesses will have to take into account from May 2018 onwards?

The redesign of the data protection law requires compliance with Europe-wide requirements - including for Switzerland. (Image: depositphotos)

From 25 May 2018, the EU's General Data Protection Regulation (GDPR) applies directly to Swiss companies that fall within its territorial scope (Art. 3(2) GDPR): those that offer goods or services to people in the EU or monitor their behaviour there. The Swiss Data Protection Act (DPA) is currently being revised, and the revised DPA is also expected to come into force in autumn 2018, so there is both pressure and a real need for Swiss companies to adapt.

This article highlights some key aspects of the EU data protection law for Switzerland.

Protection of the legal person

Many adjustments were formulated in the European Parliament in order to harmonise data protection across all EU member states, with effects that reach the Swiss workplace (recital 137). In future, all processing directed at people in the EU, including the personal data of EU-based customers or employees, must comply with the GDPR; what matters is where the data subject is, not their citizenship.

The introduction of the European law therefore puts pressure not only on companies inside the EU, but also on Swiss exporters, mail-order companies, operators of websites and online shops, and generally on the Swiss ICT, communications, legal/controlling, advertising and data economy sectors. One point of divergence is removed at the same time: the revised Swiss DPA drops the protection of legal entities' data, so that, as under the GDPR, only natural persons are protected.

From 2018, responsibility for the actual risk assessment shifts to the staff who process the data and to the data protection officers.

Rights of the data subjects

The principle of "informational self-determination" remains valid, and the rights of data subjects are strengthened. The conditions under which consent counts as valid are set out in Art. 7 GDPR: consent must be demonstrable, freely given and clearly distinguishable from other matters. The data subject also has the right to withdraw consent at any time (Art. 7(3)), and withdrawal must be as easy as giving consent.

On the other hand, in the light of possible sanctions and criminal prosecution, individuals and sole traders could face more organisational hurdles in the form of general terms and conditions, standard contracts, data protection policies and processes that now have to be complied with.

Likewise, the investigative powers of the Federal Data Protection and Information Commissioner (FDPIC) will be called upon more often. The catalogue of tasks of the FDPIC has been significantly expanded (including Art. 37, Art. 5, Art. 7, Art. 16, Art. 17), which could lead to a "bureaucratisation" of the authority (source: Management & Qualität 06/2017).

Obligations of the controller and processor

What is new is that personal data breaches must be reported to the competent supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of them (Art. 33 GDPR); where the breach is likely to result in a high risk for the persons concerned, they too must be informed without undue delay (Art. 34 GDPR). Appointing a data protection officer (internal or external) will therefore also become an important issue for Swiss employers.

The controller, or the processor acting on its behalf, must be in a position to hand over a person's data to that person on request and to correct it, and must be able to inform the data protection officer immediately if manipulation or loss of personal data is suspected (Art. 17). There is now a permanent right of access to all data files and to the actions by which data has been changed (Art. 20). The information to be provided explicitly includes the retention period.
</gre_replace>
<gr_replace lines="33" cat="clarify" orig="Thus, the FADP">
The revised FADP also explicitly provides for a right to erasure, which could even be exercised by the heirs of the data subject ("digital death", Art. 12).

Thus, the FADP also explicitly provides for the right to erasure, which could even be exercised by the heirs of the data subject ("digital death", Art. 12).

Attention: Automated processes

A significant innovation concerns the treatment of techniques that have become established on the Internet in recent years. One of these is profiling (Art. 3(1)(f)): the automated evaluation of personal data in order to build a personality profile, for example by combining publicly available data (part of what is called "big data").

Also of great importance are automated individual decisions (Art. 15). These are decisions made solely on the basis of automated processing, with no human involvement, such as fully automated credit checks. Such decisions may not be based on particularly sensitive personal data, for example genetic, biometric or criminal-record data, except under strict conditions.

In general, the rules on commissioned data processing (processing carried out by a service provider on behalf of a controller), together with the contractual and technical adjustments they require, will soon also receive increased attention in Switzerland.

For further information on which business areas in Switzerland are affected by the EU regulation, please refer to our recently published issues of "Management & Qualität" (issue 3/2018) and "Organisator" (issue 1/2 2018). This text has also been translated into French for the current print edition of Management & Qualité.

Risk analysis, testing and certification

The Europe-wide General Data Protection Regulation also obliges Swiss companies to take a more risk-oriented approach. By 25 May 2018, companies should know in detail which rights the "data subjects" have, and which obligations the company itself has, in cross-border data processing. The formal assessment, called a data protection impact assessment (Art. 16), is required where processing is likely to pose a high risk, and carrying it out negligently or not at all is itself a breach. Where the company consults the Federal Data Protection and Information Commissioner beforehand, the Commissioner has three months to assess compliance with the law. In addition, data protection-specific certification procedures could become more relevant as proof of GDPR compliance. (mm)

http://www.edoeb.admin.ch
