In Switzerland, the new Federal Act on Data Protection comes into force on 1 September 2023. The new Act replaces the previous one without a transition period: in the German abbreviations, the DSG becomes the nDSG or revDSG (in English, the FADP becomes the revFADP). But what exactly does this mean? What is the overarching aim of the new Swiss Data Protection Act? What specific changes does it bring? And what does this mean for your company? We have taken a closer look at the topic.
Contents
Reasons for the revision of the FADP
nDSG: the most important changes at a glance
MOXIS: guaranteed nDSG-compliant
Why introduce a new data protection law? Background to the revision of the FADP
By definition, the Data Protection Act serves to protect the personality and fundamental rights of natural persons whose personal data is processed. The previous Swiss Federal Act on Data Protection (FADP) dates back to 1992, long before cloud computing, big data and today's social networks, and it no longer reflects how personal data is actually collected, stored and shared.
The total revision of the FADP, in force from 2023, adapts the legislation to these social and technological developments. The declared goal is a data protection law that can keep pace with digital change and that meets the standards of European law. To ensure that Switzerland continues to be recognised by the EU as a third country with an adequate level of data protection, so that cross-border data transfers remain possible without additional safeguards, the new FADP also brings Switzerland significantly closer to the EU General Data Protection Regulation (GDPR).
What's new in the nDSG: the most important changes at a glance
1. New scope of application
The nDSG now protects only the personal data of natural persons. The data of legal entities, which the old FADP also covered, is no longer within its scope.
At the same time, the list of sensitive personal data (data particularly worthy of protection) has been extended: genetic data and biometric data that uniquely identify a natural person are now explicitly included in the revDSG.
2. Extended duty to provide information when obtaining personal data
To ensure transparent data processing, the following information must be provided:
Processing purpose
The identity and contact details of the controller (the person or company responsible for the processing)
Where applicable, the recipients or categories of recipients to whom personal data will be disclosed
If data is disclosed abroad, the recipient country or international organisation and, where applicable, the safeguards relied on for the transfer
3. Improved right of access
Any data subject can request confirmation of whether a company processes personal data about them, together with the information needed to assert their rights: the data itself, the purpose of the processing, how long it is retained, where it came from, and to whom it is disclosed. As a rule the information must be provided free of charge and within 30 days.
4. Stricter sanctions and high fines
Fines of up to CHF 250,000 can be imposed for intentional violations of the duty to provide information, the duty to cooperate with the FDPIC, the duty of care (for example the minimum requirements for data security) or the rules on disclosing data abroad. Unlike the GDPR, these fines are directed primarily at the natural persons responsible within a company rather than at the company itself; the company can be fined in its place only in limited cases, and then up to CHF 50,000.
5. Data protection impact assessment
Controllers are obliged to carry out and document a data protection impact assessment before the start of a planned processing activity whenever that processing may entail a high risk to the personality or fundamental rights of the data subjects, for example extensive processing of sensitive personal data or systematic monitoring of public areas.
The impact assessment must include a description of the planned data processing, an assessment of the risks to the personality or fundamental rights of the data subjects and the measures intended to protect them. If a high risk remains after those measures have been applied, the FDPIC must be consulted before the processing starts.
6. Obligation to notify the FDPIC
In the event of a breach of data security* that is likely to result in a high risk to the personality or fundamental rights of the data subjects, the FDPIC (Federal Data Protection and Information Commissioner) must be notified as quickly as possible. The data subjects must also be informed where this is necessary for their protection or where the FDPIC requests it.
Only breaches that have actually occurred, that is, where personal data has really been lost, altered or exposed, must be reported. Cyberattacks that were successfully blocked or that demonstrably had no effect on personal data do not trigger the notification duty, although documenting such incidents internally remains good practice and helps to demonstrate compliance with the duty of care.
*A breach of data security is any breach of security that results in personal data being lost, deleted, destroyed or altered, or disclosed or made accessible to unauthorised persons, whether inadvertently or unlawfully. A cyberattack is only one possible cause; a lost laptop or a misdirected e-mail can also constitute a breach.
7. Privacy by design AND privacy by default
By design: data protection through technology design. Technical and organisational measures must be planned from the very start of a processing system, not bolted on afterwards, so that data protection requirements are built into the architecture of software and hardware during development.
By default: data protection as the standard setting in all IT systems. Default settings must be chosen so that, unless the data subject actively opts for more, only the personal data required for the respective purpose is processed. The processing of personal data is thereby limited to the necessary minimum.