
It is not yet clear when the new Swiss Data Protection Act will come into force. It is expected to come into force in mid-2022. However, its purpose is clear: it is intended to strengthen the protection of the personality and fundamental rights of natural persons.
What it means, in essence, from an information security perspective:
Privacy by design
From the planning stage onwards, data processing must be designed in such a way that data protection regulations and processing principles are complied with. Technical and organisational measures must correspond to the state of the art.
Privacy by default
By default, only personal data that is necessary for the specific purpose of processing may be collected and processed. Default settings of the systems involved (e.g. software) must be defined accordingly.
Obligation to report
Any breach of data security that is likely to result in a high risk to the personal rights of the data subjects must now be reported to the FDPIC (Federal Data Protection and Information Commissioner).
Duty of disclosure and information
The data controller must inform the data subjects of their identity, contact details, the purpose of processing and the recipients of the data, among other things. Requests for information must be answered more comprehensively than is currently the case.
Data protection impact assessment
If the intended data processing may entail a high risk to the personality or fundamental rights of the data subject, data controllers must prepare a data protection impact assessment in advance.
Criminal liability
Intentional acts or omissions can be penalised with fines of up to CHF 250,000. In principle, the natural person responsible is liable to prosecution. Non-compliance with the minimum requirements for data security, for example, is also punishable.
Want to know more? Our GRC experts will be happy to help you.