The measures to be taken are individual and depend on:
- the type of personal data being processed and
- the existing data protection measures that have been implemented.
The revised data protection law establishes the principles of data processing and defines the obligations of companies. Based on the inventory and the obligations outlined in the new Swiss Data Protection Law (nDSG), the measures can be defined as follows:
Obligations
- Compliance with data protection principles
- Technical and organizational measures
- Ensuring data security
- Maintenance of records
- Information obligations
- Rights of data subjects
- etc.
Personal data should be processed lawfully and only for the purposes that were disclosed at the time of collection. The data must be accurate and, in principle, should be destroyed or anonymized once the purpose has been achieved.
When collecting data, data minimization and data avoidance should be considered, and the principles of privacy by design and privacy by default should be followed. This may require adjustments to the applications used to collect and process data.
Information obligations during data collection can be fulfilled through the privacy policy on the website. If data is also collected from third parties, data subjects may need to be informed separately.
The information obligations towards employees should be fulfilled through an employee privacy policy.
In general, maintaining a record of processing activities is mandatory. However, small and medium-sized enterprises (SMEs) are exempt from this requirement if they employ fewer than 250 employees and there is a low risk of infringing on individuals’ privacy.
The measures to be taken should be determined on an individual basis, taking into account the specific circumstances and needs of each case.