The revised DPA comes into force on September 1st!
The long-awaited revision of the Federal Data Protection Act (“DPA”) comes into force this Friday. Contrary to what we often see when legislation is passed, this revision does not provide for a transitional period. This means that from September 1, 2023, a number of new obligations will apply to the processing of personal data covered by art. 2 of the DPA. But in concrete terms, what are these new features for you?
Are you concerned?
As a preliminary point, a distinction must be made between the situation of entities that were already complying with the obligations arising from the General Data Protection Regulation (“GDPR”), and entities that were not affected by it.
Indeed, for many Swiss companies, compliance with the GDPR has already been necessary, for example because they were processing personal data targeting European residents. For these companies, implementing the requirements of the DPA is not normally problematic, as the GDPR is deemed, with a few exceptions, to be more protective of personal data than the DPA.
On the other hand, for companies that have not had to comply with the GDPR, some adjustments to their processes are likely to be necessary. It should be noted from the outset that for private individuals, personal use is not covered by the scope of the DPA (art. 2 al. 2 let. a LPD).
What is “personal” data? ?
This is nothing new in the DPA, but it is worth remembering that only personal data is concerned. For data to be personal, it must relate to an identified or identifiable natural person (watch out for “pseudomnymization”). In practical terms, this could be contact details or any other personal information. The definition is extremely broad, and even includes IP addresses, for example, where these can be used to identify a user.
On the other hand, anonymous data is not covered by the DPA. However, when the data subject is identifiable, even if only with difficulty, the data is not anonymous.
What is a treatment?
The law defines processing as “any operation relating to personal data, whatever the means and procedures used, in particular the collection, recording, storage, use, modification, communication, archiving, erasure or destruction of data”. Although this is nothing new, it is worth remembering that this definition is extremely broad in scope.
Below are some of the most important changes brought by the revision of the DPA. These are just a few examples, and are not intended to be exhaustive.
Increased focus on data protection:
As in European regulations, the DPA adopts the principles of “Privacy by Design” and “Privacy by Default”(art. 7 DPA).
The “Privacy by Design” principle means that privacy concerns must be taken into account right from the design stage of a new product or service.
The “Privacy by Default” principle implies that a new product or service must be configured to respect the privacy of its users. In other words, users should not have to change their settings to protect themselves against the use of their personal data.
The collection of personal information must now be notified in advance to the persons concerned (art. 19 LPD). Until now, this has only been the case for sensitive data.
Obligation to keep a register of processing activities:
It is now compulsory to keep a register of processing activities (art. 12 LPD). Companies with fewer than 250 employees, which do not engage in large-scale processing or high-risk profiling, are exempt from this obligation.
However, even for exempt companies, there are good reasons to keep a register, so as to be better able to meet the other requirements of the DPA.
Obligation to report violations promptly:
In the event of a security breach likely to create a high risk for the personal rights and fundamental entitlements of the data subject, the company must inform the Federal Data Protection and Information Commissioner as soon as possible (art. 24 DPA).
New criminal penalties:
Under the DPA, fines of up to CHF 250,000 can be imposed for failure to comply with the law (art. 60 DPA). Unlike the RGPD, it’s the individual responsible for the damage who gets fined, not the company.
We will also mention the following points without going into them in detail:
- The DPA now provides for extraterritorial application, in a similar way to the RGPD;
- Sensitive personal data now includes ethnic, genetic and biometric data;
- The concept of profiling is introduced in the DPA, with various requirements specific to it;
- The Data Protection Impact Assessment, known under the aegis of the RGPD, is introduced in the DPA.
How can we help you?
If you’re unfamiliar with most of the above concepts, it’s likely that an assessment of your company’s situation from a data protection perspective would be beneficial. This may, if necessary, be accompanied by a strategy for implementing data protection rules.
In the absence of a transitional period, companies are advised to move quickly to comply. Indeed, in view of the revision of the DPA, the vast majority of professionals should be asking themselves a few questions about the protection of the personal data they process.
If you have any questions about data protection, please contact the author.