Is your company ready for the new Swiss data protection law?

The new Data Protection Act (revDSG), which comes into force on 1 September, significantly tightens data protection requirements for companies. The management and protection of sensitive data will be subject to tighter controls. Companies that work with sensitive data on a daily basis must make their processes data protection compliant or face heavy penalties for violations. Regulatory pressure to implement more secure, data protection-compliant solutions is increasing in Switzerland and worldwide.

To protect your business from any risks, it is crucial that you adapt your data protection policies by the deadline. Take a very close look at your online platforms, databases, and tools to ensure that they handle your customers' and partners' data in a privacy-compliant manner and that your databases are watertight. Have you already started the audit?

Why is a revision of the Swiss Data Protection Act necessary?

The technological developments of the last 30 years make an adaptation of the 1992 Data Protection Act inevitable. In order to maintain smooth trade and data exchange between the EU and Switzerland, the revision of the Swiss Data Protection Act is essential. These changes shall ensure more transparency, increased responsibility for data providers, and improved data protection supervision.

In summary, the revision should bring the following benefits:

  • Greater transparency,
  • A greater sense of responsibility on the part of data providers,
  • An improvement in data protection oversight,
  • More comprehensive provisions on penalties.

What changes are coming?

The revision will lead to various changes for companies, such as increased protection for natural persons and modifications in data processing. Particularly large companies will have to adjust if they have not done so before. The appointment of a data protection officer is mandatory, and this person is liable for violations as a natural person. This can result in fines or even imprisonment for the person responsible. That’s why you should prepare your company adequately for the required changes.

Here is a summary of all the changes:

  • No protection for legal entities: Corporations and limited liability companies are no longer covered, while natural persons will enjoy a much higher level of protection for their data.
  • Fingerprints and retina scans: Biometric and genetic data receive special protection under the new law.
  • Profiling: Automated data processing is to be anchored in the law.
  • Duty of care: Every data processor is obliged to treat the data in the same way as the data controller.
  • Commissioned data processing: Commissioned data processing must be planned and processed accordingly.
  • Privacy by design: Compliance with the processing principles is ensured through privacy by design and privacy by default.
  • Traceability: In order to keep an overview of who has processed data, it is mandatory from 1 September 2023 to create a register of processing activities with minimum information. There are exceptions for SMEs if there is a low risk of personal data breaches.
  • More rights for data subjects: An expansion of rights enables data subjects to receive information on the processing of their personal data upon request.
  • More transparency: In the future, anyone who processes data must state their identity and provide contact details when obtaining personal data. In addition, companies have to disclose the purpose of the acquisition and all recipients in Switzerland and abroad.
  • Increased protective measures: High-risk processing operations will require a data protection impact assessment. It must include a processing description, a risk assessment, and appropriate protective measures.
  • Faster notification procedure: A data protection breach has to be reported to the FDPIC as quickly as possible.
  • Higher penalties: Penalties of up to 250,000 Swiss francs can be imposed for violations, and there is also personal criminal liability.

What remains unchanged?

In contrast to the GDPR, the basic approach to data processing under Swiss data protection law remains unchanged. Private companies do not need consent or other justifications for processing personal data, provided these conditions are met:

  • The data processing principles of transparency, purpose limitation, and proportionality must be complied with.
  • The data subject has not objected to the processing.
  • No sensitive personal data is disclosed to third parties.

Non-compliance can be expensive!

The new data protection law foresees fines of up to 250,000 Swiss francs for private individuals and up to 50,000 Swiss francs for companies for violations. Companies that process large amounts of personal data, engage in profiling, operate webshops, or transmit data outside the EU are particularly at risk. This is also where the Swiss law differs from the GDPR, which does not punish natural persons but imposes considerably higher fines on companies.

What should you look out for in software solutions?

As a consequence, you need to take a close look not only at your internal company structures but also at your software solutions, especially when it comes to technologies that transmit or contain sensitive data.

There are a few data protection practices you can look out for. Especially in digital document management, it's important that your software uses zero-document-knowledge technology, meaning the provider cannot read the contents of the actual documents. In the best case, the data is processed locally and end-to-end encrypted before transmission, so that it is illegible in the event of a hack or data leak.
Also, pay attention to the location of the servers and to the company behind the software you use. EU-based or Swiss companies with ISO-certified servers on European soil are more familiar with Swiss data protection laws.

So when you digitize your documents and processes, switch to eSignatures and favor an eSigning solution like Certifaction, where data protection is a top priority. Thanks to state-of-the-art privacy-by-design technologies, both contracting parties benefit from data security.

More tips for implementing the data protection law

Aside from taking a close look at the software solutions you use in your company, there are a few other points you can follow to ensure a smooth transition and adapt the way you handle data in accordance with the revised data protection legislation:

  • Align privacy statements: Review and align privacy statements on online platforms and in contract documents with the new law.
  • Update internal policies: Bring your internal data processing policies up to date.
  • Create a data processing directory.
  • Establish a handling process for data subject requests.
  • Establish a process for handling data breaches.
  • Implement data protection impact assessment for sensitive data.
  • Review contracts with processors: Ensure reporting obligations and data security.
  • Ensure deletion or anonymization of data.
  • Ensure transparency when transferring data to other countries.
  • Take appropriate technical and organizational measures for data security.
  • Ensure data portability and connection to the contract.
  • Appoint a data protection officer and notify the FDPIC.

When should you start?

Create an inventory of the existing personal data before you venture into the conversion of your processes and data protection procedures. The inventory will give you an overview of processed data. Afterward, we recommend that you conduct a gap analysis. One tip: Check which data actually needs to be collected.

The time required to implement the data protection regulations varies depending on whether your company is particularly affected and on the number of adjustments you need to make. Does your company already operate in accordance with the GDPR? Great! Then there's hardly a need to change anything. However, if you have been doing business exclusively in Switzerland, you should start immediately.

#esignature #security