• Keine Ergebnisse gefunden

Revised Data Protection Act approved

N/A
N/A
Info
Herunterladen
Protected

Academic year: 2022

Aktie "Revised Data Protection Act approved"

Copied!
2
0
0

Wird geladen.... (Jetzt Volltext ansehen)

Jetzt herunterladen ( 2 Seite )

Volltext

(1)

TECH, DATA, TELECOMS & MEDIA - SWITZERLAND

Revised Data Protection Act approved

09 October 2020 | Contributed by Walder Wyss

On 25 September 2020 Parliament approved the final draft of the revised Data Protection Act (rev-DPA).(1) The rev-DPA is expected to enter into force in 2022. However, it is subject to a facultative referendum and the corresponding ordinance will be adapted accordingly – thus, the rev-DPA is still a work in progress.

The revision aims to modernise Switzerland's data protection landscape in line with the more sophisticated EU legislation, particularly the EU General Data Protection Regulation, which entered into force in 2018.

Accordingly, the rev-DPA comes with stricter constraints and requirements than those that apply under the current DPA. The new powers of the Federal Data Protection and Information Commissioner (FDPIC) (Article 49 et seq of the rev-DPA) and the potential criminal fines of up to Sfr250,000 imposed on the individuals responsible for certain types of infringement (Article 60 et seq of the rev-DPA) strengthen its enforcement by increasing exposure for controllers and processors that are subject to the rev-DPA.

In this respect, foreign controllers and processors should assess whether they are subject to the rev-DPA pursuant to Article 3 thereof, which governs the territorial scope of application of the rev-DPA following the effects doctrine. Thus, all data processing activities that have an effect on Switzerland are subject to the rev- DPA, regardless of where the respective processing is taking place.

The rev-DPA will increase companies' duties. In particular, new obligations will be imposed in relation to transparency and documentation matters, as well as specific risk-related processing activities. In particular, the following new requirements are likely to have an impact on most companies:

creating and maintaining an inventory of processing activities, unless the small and medium-sized enterprise exception applies (Article 12 of the rev-DPA);

drafting or updating privacy notices for data subjects (eg, customers, business partners, applicants and employees) to meet the new duty of information when collecting personal data (Article 19 et seq of the rev- DPA);

reviewing contracts with processors, joint controllers and third parties, considering special requirements for international data transfers (eg, Articles 9 and 16 et seq of the rev-DPA);

carrying out a data protection impact assessment where processing is likely to result in a high risk to the rights and freedoms of the data subject, potentially including all "profiling carrying a high risk" (Article 22 of the rev-DPA);

applying the principles of 'data protection by design' and 'data protection by default' (Article 7 of the rev- DPA);

establishing codes of conduct and policies providing for respective procedures in the event of data breaches and notifications of data security breaches (Article 24 of the rev-DPA) and the execution of data subjects' rights (Article 25 et seq of the rev-DPA); and

for private controllers with domicile or residence outside of Switzerland: under certain circumstances, appointing a representative in Switzerland where personal data of individuals in Switzerland is processed.

The representative's name must be communicated to the FDPIC (Article 14 rev-DPA).

Businesses are encouraged to use the time until the rev-DPA's entry into force to assess its impact on their activities and start implementing or elaborating processes that will comply with the revised act and stay up to date with ongoing developments.(2)

For further information on this topic please contact Jürg Schneider or Noémi Ziegler at Walder Wyss by telephone (+41 58 658 58 58) or email (juerg.schneider@walderwyss.com or

noemi.ziegler@walderwyss.com). The Walder Wyss website can be accessed at www.walderwyss.com.

Endnotes

(1) The rev-DPA is available in German, French and Italian. An unofficial English translation may be found

AUTHORS

Jürg Schneider

Noémi Ziegler

(2)

here. Moreover, an updated comparison chart in German of the current DPA, the Federal Council's draft rev- DPA and the final version of the rev-DPA can be found here.

(2) See here and here.

The materials contained on this website are for general information purposes only and are subject to the disclaimer.

Referenzen

Jetzt herunterladen ( PDF - 2 Seite - 117.46 KB )

ÄHNLICHE DOKUMENTE

Data Protection Ordinance pre-draft specifies private entity obligations under revised data protection law

If the controller assigns the processing of personal data to a processor, the controller remains responsible for data protection and must ensure that the data is processed in

Data Protection & Cybersecurity

With respect to the right to be forgotten, the FDPA requires any person processing personal data to erase the data when keeping the data is no longer required for the processing

Federal Act on Data Protection

The Federal Council regulates the control procedures and the responsibility for data protection if the federal body processes personal data together with other federal bodies,

Federal Council publishes draft of revised Federal Data Protection Act

On September 15 2017 the Federal Council issued a draft of the revised Federal Data Protection Act.. This draft arrives approximately nine months after the publication of

Data Protection and Cybersecurity

On the other hand, a justification is required particularly if the processing violates one of the general data protection principles of the DPA outlined above, if the personal data

The Privacy, Data Protection and CybersecurityLaw Review

42 Such as, for example, an obligation to register a data file with the Commissioner, or there may be instances where data that before its transfer or disclosure to Switzerland

SwitzerlandChanges to the Swiss Federal Data Protection Act (“SDPA”)by Ueli Sommer, Dr.iur, LL.M.

In case of cross-border data transfers to countries not providing an ap- propriate level of data protection according to the SDPA, the Federal Commissioner for Data Protection

Amendments to the Swiss Federal Data Protection Act ww&p

(i) to update the DPA and, in particular, to make the subjects of data collection and processing aware of the purposes and uses of such data collection and processing and (ii) to