The totally revised Swiss Data Protection Act (nDSG) is expected to come into force on September 1, 2023. With the revision, essential provisions for the processing of personal data will change, and companies will have to comply with stricter data protection regulations in the future.
The revision of the Swiss Data Protection Act adapts data protection law to new technologies and changing social demands, as well as to the EU General Data Protection Regulation (GDPR; DSGVO in German). Aligning Swiss data protection law with the EU level is of central importance, particularly in order to prevent competitive disadvantages due to inhibited data exchange with EU countries. However, the basic concept of the Swiss DPA remains unchanged, and there are also deviations in various other points.
Changes due to the DSG revision
Among the most important changes: first, the scope of the FADP is now also extended to companies abroad if the processing of personal data takes place in Switzerland. Second, the revised Data Protection Act is limited to data of natural persons and is thus no longer applicable to corporate data.
The revision comes without transitional provisions. This means that companies only have until the date of entry into force to adapt their data protection policies. It is therefore crucial that companies adapt to the new legal requirements today. For example, companies must ensure that internal guidelines are drawn up and that documents such as data protection declarations and contracts with partners and data processors are adapted. Furthermore, employees must be proactively made aware of and trained on topics such as data protection and data security. Moreover, the revision is also associated with certain information and documentation obligations. For example, data protection notices on websites must comply with specific standards.
Sanctions in the event of an infringement
The nDSG provides for criminal sanctions in the form of fines of up to CHF 250,000.00. In addition to criminal prosecution, the Federal Data Protection and Information Commissioner (FDPIC) can open an administrative investigation. Thus, the FDPIC now also has the authority to initiate investigations against companies ex officio or upon notification, as well as to take far-reaching measures to ensure compliance with the FDPIC provisions. Although the FDPIC cannot impose sanctions himself, failure to comply with an order of the FDPIC can result in criminal sanctions of the same amount. Finally, civil lawsuits can still be filed.
Criminal sanctions are mainly aimed at persons in management positions. However, in certain cases, an employee without a management function may be sanctioned. In addition, instead of the natural person, the company can also be sentenced to a fine if the fine amounts to no more than CHF 50,000.00 and the effort required to identify the person liable for the offense within the company is disproportionately high.