The New Data Protection Law in Switzerland From September 1st 2023: What You Need to Look Out For

Management Summary

In Switzerland, the revised data protection law comes into force on September 1st. We have summarized for you what is changing for natural and legal persons, genetic and biometric data and the obligation to provide information and what must be taken into account in the new principles of data processing.

This article provides an overview of the most important changes brought about by the new Swiss data protection law for companies. In addition to a quick overview, we have put together a checklist for companies that you can simply download.

The most important changes at a glance

The new data protection law will bring significant changes for Swiss companies as of September 1, 2023. In the following list we provide an overview of what needs to be taken into account in order to position your company securely.

  1. The new data protection law only covers the data of natural persons; the data of legal entities is excluded.
  2. Genetic and biometric data are now also considered particularly worthy of protection and are therefore covered by the new data protection law.
  3. The duty of “privacy by design” and “privacy by default” is also taken from the GDPR. It means that the person responsible not only has to comply with the data protection regulations and the principles of data processing, but also has to ensure, by means of suitable technical defaults, that the processing of personal data is reduced to a minimum.
  4. If data processing involves risks to the personality or fundamental rights of data subjects, impact assessments must be carried out.
  5. The obligation to provide information becomes more extensive: whenever personal data is acquired, the person concerned must be informed in advance. This means that it is no longer just the so-called particularly sensitive data that is affected.
  6. A directory of processing activities is now mandatory, both for the person responsible and for the order processor. The minimum content is listed in the law. An exception applies to SMEs (fewer than 250 employees) whose data processing poses little risk of infringing the personality rights of the data subjects. Large companies are no longer exempt from this directory requirement.
  7. If there is a breach of data security (data breach), a quick report is necessary. The Federal Data Protection and Information Commissioner (FDPIC) must be informed in this regard.
  8. The term profiling, which refers to the automated processing of personal data, is a new part of the law. In this case, those affected must be informed and, in the case of high-risk profiling, consent must even be obtained.

The main differences between nDSG and GDPR

The new Swiss DSG is to be understood as an approximation to the GDPR. But the nDSG is not an “imitation” of the GDPR. There are also differences between the two legal acts, namely:

  • No list of legal bases
    In contrast to the GDPR, the nDSG does not provide a specific legal basis for the processing of data. It is sufficient if the processing complies with the principles of lawfulness, good faith, proportionality and purpose limitation.
  • No explicit and voluntary consent
    In contrast to the GDPR, the processing of the user’s personal data does not require consent. According to the new DSG, a declaration in accordance with the principle of transparency, which provides information about the purpose for which the person responsible wants to handle personal data, is sufficient. Consent is only necessary if it involves particularly sensitive personal data or if profiling takes place with a high risk for the data subject.
  • Data Breach Reporting Requirement
    As under the GDPR, a data breach must be reported to the Federal Data Protection and Information Commissioner (FDPIC). However, unlike the GDPR, which stipulates an obligation to report within 72 hours, the nDSG requires the report to be made as quickly as possible, and only if the data breach poses a high risk to the personality or fundamental rights of the person concerned.
  • Lower fines
    If the provisions of the nDSG are violated, there is a risk of fines of up to 250,000 francs (Articles 60 to 63 nDSG), compared to up to 4% or 20 million euros (whichever is higher) under the GDPR.

The most important changes in Switzerland: a quick overview

Obligation to provide information: The increased obligation to provide information ensures clear and transparent processing of data. The data subject must be informed of the following:

  • Contact and identity information of the person processing the data
  • Reason for processing
  • Third countries and recipients receiving the data

Obligation to provide information: All persons have the right to be informed by the person responsible whether and which of their data is being processed.

FDPIC (EDÖB): In addition to new powers, the FDPIC also has new tasks. Its supervisory activities include both the investigation of violations of data protection rules and the imposition of administrative measures to enforce these rules. The reforms therefore do not only affect data subjects and data processors.

Penal provisions: Fines of up to 250,000 francs are threatened if information or disclosure obligations or due diligence obligations are violated.

Impact assessment: As soon as the personality or fundamental rights of data subjects are at risk, data processors must prepare a data protection impact assessment. This applies to private and public data processors equally.

Fees: As of September 1, 2023, the FDPIC collects payments for selected services.

Our range

Consent Quick Check & Best practices

Although the revised data protection law is not quite as strict as the GDPR, there are a few things for companies in Switzerland to consider when handling personal data. If you are still unsure or need support, we recommend our Consent Quick Check with Head of Privacy Sandra Wojciechowska, which includes the following points:

  • Review of current implementation and necessary adjustments
  • Changes to the nDSG and what they mean
  • Consent management tool overview – which one is right?
  • DSG, nDSG or GDPR: when does which apply?
  • Consent as preparation for the post-cookie era


What needs to be done for Swiss companies – our checklist provides initial guidance.
