Main changes and main differences from the GDPR
On 25 September 2020, after lengthy debates, the Swiss Parliament enacted a complete revision of the 1993 Swiss Data Protection Act. The new, revised Swiss Data Protection Act (DPA) will enter into force on 1 September 2023 without any grace period.
The totally revised Swiss DPA is based on principles analogous to the GDPR. However, it has material deviations. Although the DPA is overall slightly less stringent than the GDPR, compliance with the GDPR does not also cover the requirements of the Swiss DPA; additional actions will be required. In the following, we point out some of the main deviations.
The Swiss DPA has a sanction system completely different from that of the GDPR. Whereas the GDPR is built on administrative sanctions against the legal entity or the organisation, the Swiss DPA, in the first instance, punishes in penal proceedings the individuals responsible for data protection within the business or the organisation.
As from 1 September 2023 and upon the filing of a complaint, violations of the revised DPA can be fined up to CHF 250,000. In particular, the violation of various information and disclosure obligations, as well as violations of data security, are punishable. The persons responsible for a business or an organisation are primarily subject to the penalty; in the case of a public limited company, this means in particular the members of the board of directors, and potentially also members of the management. If the violation is marginal and a fine of no more than CHF 50,000 is probable, the prosecutor may refrain from investigating who the responsible persons are and instead order the company or organisation to pay the fine.
Consequently, investigations are led by the police and the prosecution authorities, not by the data protection authority, which might make the cases less predictable. Contrary to the administrative sanctions in the EU, the penal fines in Switzerland cannot be covered by insurance (including the D&O insurance of the board of directors).
Strengthened Information Duties
The violation of information duties upon collection of personal data is subject to penal sanctions under the revised Swiss DPA. Similar to Article 13 GDPR, various information has to be provided where personal data are collected from the data subject.
Differences to the fair processing notices in the EU will mainly arise from a different concept of the lawfulness of the processing of personal data within the territory of Switzerland. Whereas the processing of personal data in the EU is forbidden unless there is a legal basis for it, in Switzerland the processing is, as a rule, allowed, unless it would constitute a violation of an individual's personality. Although the result may not be very different from the result in the EU, the rationale behind a valid justification and the argumentation for the lawfulness are completely different.
A further deviation is that the Swiss DPA requires the listing of the individual countries to which personal data are transferred. Contrary to the GDPR, collective terms for whole regions are not permitted based on the wording of the DPA.
No principle of accountability?
Contrary to the GDPR, the revised Swiss DPA does not contain an explicit principle of accountability. However, given the Swiss concept of sanctions, a business or organisation will be well advised to document, and retain proper documentation of, how it meets its duty of care under the requirements of the Swiss DPA. Data incidents and other gaps can occur in any compliance concept and are practically inevitable. Only proper documentation showing that the requirements were diligently observed and seriously pursued will effectively mitigate penal sanctions.
Designation of a Representative analogous to Article 27 GDPR
Similar to Article 27 GDPR, the Swiss DPA requires foreign undertakings to appoint a representative in Switzerland if they process personal data in the Swiss market. The requirement in the Swiss DPA is less extensive and only requires the appointment of a representative if the processing is frequent and significant.
As with the GDPR, such stipulations will typically lead to a so-called "positive conflict of laws", i.e., two jurisdictions claim that their laws apply to the same facts. The appointment of such a representative will typically result in a venue in that foreign country and, thus, in a positive conflict of laws case, also in the applicability of the law of that foreign venue. Obviously, there is usually a strong preference to aim for the applicability of the less stringent law. For undertakings from EU countries, this will be Swiss law.
Thus, contrary to the situation in the EU, where the appointment of a representative was typically omitted (as no direct sanctions are attached to such an omission), in the Swiss case the applicability of Swiss law might be advantageous. The appointment of a Swiss representative should therefore be carefully considered.
Further deviations from the GDPR
The Swiss DPA has a long list of further deviations from the GDPR when one goes into detail:
- Additional special categories of sensitive personal data
- A data incident must be notified as soon as possible
- The list of jurisdictions recognised to have an equivalent level of data protection is not identical to the list of the EU
- Generally deviating language and less detailed stipulations; some would call this more pragmatic, others deem it just less clear
Will our GDPR documentation also cover the requirements of the Swiss DPA?
No, it will not. Unfortunately, the terms used by the Swiss DPA are not identical to the terms in the GDPR. Thus, an adaptation of the GDPR documentation will be necessary.
Furthermore, any reference to specific Articles of the GDPR will make your documentation formally deficient, as such a reference points to the wrong legal basis, even if the material content of those provisions is congruent with the Swiss DPA. It is a clear formal defect.
What is the same as the GDPR?
The good news is that all your GDPR work will be a good basis for Switzerland as well. Notwithstanding all the deviations mentioned above, the main concepts under the revised Swiss DPA are analogous to the GDPR:
- Your register of processing activities will need only minor amendments, if any
- Your GDPR-based Data Processing Agreements can be used as the basis for the development of the Swiss standard agreement and will be identical in concept, with changes only in the language and references
- In the same way, your internal policies and regulations will need only limited updates
- Your privacy statement on your websites for EU countries will be a solid basis for a Swiss-compliant version
Our experts will be more than happy to assist you with any queries related to the above.