The revised Ordinance on the Swiss Federal Act on Data Protection


15 Oct 2021


The Swiss Federal Council published the draft revOFADP on 23 June 2021 and opened the consultation procedure until 14 October 2021.

In brief

On 25 September 2020, the Swiss Parliament adopted the final version of the revised Swiss Federal Act on Data Protection (revFADP). In order for the revFADP to enter into force, the corresponding implementing provisions of the Ordinance on the Federal Act on Data Protection must be amended accordingly (revOFADP). The Swiss Federal Council published the draft version of the revOFADP on 23 June 2021 and opened the consultation procedure until 14 October 2021. The revOFADP is expected to come into force together with the revFADP in the middle of 2022.

The year in which far-reaching data protection provisions entered into force in the EU.

The revision of the Swiss privacy law regime has become necessary in light of regulatory changes in the EU as well as in the light of ongoing technological advancement in areas like big data and machine learning. One of the main purposes of the GDPR is to offer more transparency for data subjects and more control over how their personal data is being processed. The Swiss legislator, in principle, follows the same approach. Consequently, the revFADP intends to ensure better transparency and a stronger protection of personal data. It intends to be aligned with the GDPR so that Switzerland will continue to be recognized by the European Commission as a country with adequate data protection.

The revOFADP provides additional detail on certain requirements laid out in the revFADP – but leaves some room for interpretation.

The corresponding implementing provisions of the revOFADP further specify certain requirements laid out in the revFADP. For instance, the revOFADP addresses the minimum data security requirements to be ensured by a data controller and a data processor. In this context, the Federal Council does not explicitly enumerate which techniques would be regarded as a “minimum” standard, but rather defines protection goals that must be achieved (e.g. access control, memory control, use control, disclosure control etc.).

The required content of a data breach notification is now defined in the revOFADP. In addition, the data controller or processor must document any data breaches and keep records of all facts related to the incident for at least three years. For the data protection impact assessment (DPIA), it is now specified that the data controller must document the DPIA in writing and retain it for two years after the end of the respective data processing activity.

If the outcome of the DPIA shows that there is a high risk to the personality or fundamental rights of the data subjects in the automated processing of personal data despite the measures provided for by the controller, the revOFADP requires the logging of operations of storage, modification, reading, disclosure, deletion, and destruction.

The modalities under which data subjects can make use of their right to information are addressed. For example, data subjects now may have the right to inspect their data on site. Unfortunately, the revOFADP does not provide further detail as to what this “right to inspect” actually entails.

The list of countries which offer an adequate level of data protection is part of the revOFADP.

Regarding personal data transfers abroad, cross-border disclosure of personal data is permitted to countries which are recognized by the Federal Council as states that guarantee an adequate level of data protection. This list of countries - which previously was issued by the Federal Data Protection Commissioner (FDPIC) - can now be found in Annex 1 of the revOFADP.

The revOFADP also provides for additional obligations with respect to automated decision-making. Similarly to the GDPR regime, data subjects should have a right to object or express their opinion in relation to the automated decision and a right to a manual check of the decision, and the exercise of this right should not cause a disadvantage to the data subjects.

The headcount threshold for the requirement to keep a register of processing activities.

The revOFADP provides an exemption from the obligation to keep a register of processing activities (ROPA). Companies or organizations with fewer than 250 employees are exempt from the obligation to maintain a ROPA. In addition, the revOFADP provides further specifics on the content of certain notification or information obligations.

We don’t expect major changes during the three-month consultation period and therefore we encourage companies to start implementing the revOFADP alongside the revFADP. Some organizations may benefit from an outside view to support their implementation project and ensure cost efficiency and a timely rollout.

Many thanks to Timea Nagy for your valuable contribution to this article.