Revised Swiss Data Protection Act entered into force

On 1 September 2023, the revised Data Protection Act (“revDPA”) and its implementing Ordinance (“revDPO”) entered into force, concluding a six-year-long legislative process. The revision responds to technological advancements, aligns Swiss data protection law with today’s international data protection standards, including the GDPR, and is intended to allow Switzerland to uphold its status as a country adequately protecting personal data from an EU perspective.

Key aspects of revDPA for the private sector:

No more protection of legal entities’ data: Under the revDPA, legal entities’ personal data is no longer protected (in line with the main international data protection standards, including the GDPR).

Strengthened individual rights:

  • Data subjects benefit from enhanced information rights. In particular, controllers must inform data subjects of personal data collection and provide certain minimum information (e.g., identity and contact details of controller, purpose of processing, categories of recipients, data exports, etc.), with limited exemptions.
  • Data subjects have a right to data portability (i.e., a right to receive their own personal data in a commonly used electronic format, subject to certain prerequisites).
  • In case of automated decision-making, affected data subjects can generally require that the automated decision be reviewed by a natural person.

Extended governance & documentation rules:

  • Controllers and processors must keep records of processing activities (whereby SMEs with fewer than 250 employees and low-risk processing activities – as defined in the revDPO – may benefit from an exemption).
  • Controllers must perform a Data Protection Impact Assessment (“DPIA”) with respect to contemplated high-risk data processing activities and, in some cases, notify the Federal Data Protection and Information Commissioner (“FDPIC”).
  • Data breaches must be notified (i) to the FDPIC when they are likely to create high risks for data subjects, and (ii) to the data subjects when necessary for their protection (or when the FDPIC so requests).
  • Controllers domiciled abroad that offer goods and services in Switzerland or monitor the behavior of data subjects in Switzerland must appoint a representative in Switzerland, if they process data regularly and on a large scale and the processing entails high risks for the data subjects.

Expanded powers of the FDPIC
