The new data protection law of Switzerland came into effect on 01.09.2023. The regulations have been adjusted to accommodate technological advancements (digitalization), changes in consumer behavior (online shopping), and international data protection standards.
The new rules require, among other things, that companies adapt their privacy policies and reconfigure online offerings to comply with the regulations.
Below is an overview of some important changes.
Scope
Data protection is understood as the protection of personal rights. The data protection law safeguards the privacy of natural persons whose data is processed. It does not apply to the processing of data about legal entities (companies, associations, foundations).
The law also applies to data processing carried out abroad if it has effects within Switzerland (for example, the processing of data about individuals located in Switzerland).
Personal Data
The definition of personal data has been limited to natural persons.
Newly added to the category of particularly sensitive personal data are genetic data and biometric data, provided the latter can uniquely identify a natural person.
Privacy by design and by default
The principles of “privacy by design” (privacy protection through technology) and “privacy by default” (privacy protection through default settings) oblige data controllers to implement appropriate technical and organizational measures and integrate user privacy into the structure of their products or services when collecting personal data.
Privacy by design, for example, requires that applications be configured in a way that anonymizes or deletes data by default.
The principle of privacy by default requires that necessary data protection measures and restrictions on data usage be activated by default from the moment a product or service is launched. This must be considered during the planning phase.
These new rules particularly affect providers of online offerings.
Impact Assessments
If there is a high risk to the privacy of affected individuals, private entities must now conduct a data protection impact assessment.
Whether a high risk exists depends, especially when new technologies are used, on the nature, scope, circumstances, and purpose of the processing. A high risk exists, for example, where particularly sensitive personal data is processed extensively or where extensive public areas are systematically monitored.
Under certain conditions, private entities may be exempt from conducting a data protection impact assessment.
Information obligations
Data Collection
Private data controllers must, in general, adequately inform affected individuals at the time of data collection (including data obtained from third parties). The identity and contact details of the controller, the purpose of processing, and, if applicable, the recipients must be provided.
There are exceptions to the obligation to provide information. For instance, the obligation may be waived if the affected person already has the corresponding information, has given consent, or if the processing is required by law.
Automated Individual Decision-Making
In cases of automated individual decision-making, individuals must be given the opportunity to be heard and to have the decision reviewed.
Data Security Breach
In the event of a data security breach that is likely to result in a high risk to individuals’ privacy, a notification obligation towards the Federal Data Protection and Information Commissioner (FDPIC) arises. The affected individuals must be informed if necessary for their protection or as required by the FDPIC.
Right of Access
The rights of affected individuals have been expanded. Among other things, the affected person must be provided with all information necessary to exercise their rights.
Data Disclosure and Transfer
Affected individuals now have the right to receive, in electronic form, the personal data they have provided, or to have it transferred to a third party, provided the data is processed automatically and the processing is based either on the affected person's consent or on the conclusion or performance of a contract.
If the disclosure entails disproportionate effort, the controller may request a contribution towards the costs from the affected person.
Records
Data controllers and data processors must maintain records of their data processing activities, which must include certain minimum information.
Companies with fewer than 250 employees and natural persons are exempt from keeping records if particularly sensitive data is not processed on a large scale and no high-risk profiling is performed.