The daily use of the internet, cloud services, PCs, smartphones and software for private and professional purposes, which has become almost indispensable, exposes people to risks related to the use of their personal data. For this reason, during the fall 2020 session, Parliament adopted the new Federal Data Protection Act (nFADP), aimed at improving the processing of personal data and granting new rights to Swiss citizens. The total revision of the nFADP will come into force on September 1, 2023, with no transition period.
In Switzerland, a substantial number of companies had already adapted to the EU General Data Protection Regulation (GDPR) and now need to make only a few changes. For the remaining companies, the alignment of Swiss law with European law is a central issue. Indeed, the new law should allow the free movement of data with the European Union (EU) to be preserved and thus ensure the competitiveness of Swiss companies.
What to know about the nFADP?
The nFADP and its ordinance apply to the processing of personal data by private individuals and federal agencies. It therefore affects private companies, both Swiss and foreign, operating in the Swiss market, associations and private individuals in general (who remain exempt from compliance with data protection requirements as long as they process personal data exclusively for private purposes).
The legislation covers the processing of all data relating to an identified or identifiable natural person, including the acquisition, storage, retention, use, modification, disclosure, archiving, deletion or destruction of data.
The revision does not foresee any significant changes to the processing principles, so data processing activities that are currently permitted should generally remain so under the new law:
- Personal data may only be processed lawfully, in good faith and in accordance with the principle of proportionality
- Data must be processed only for the purposes for which they were collected, and these purposes must be recognizable to the data subject (purpose limitation)
By contrast, data processing is considered unlawful in the following cases:
- Violation of the processing principles
- Express objection by the data subject
- Disclosure of sensitive personal data (data requiring special protection) to third parties
New data protection act: what obligations for companies?
This major legislative change comes with a number of obligations for companies and data controllers. For the former, the following obligations apply:
- The programs and processes implemented must protect the fundamental rights of the individuals (employees, customers, suppliers, online users) whose data are being processed
- Technical and organizational measures must be appropriate to ensure the security of the data
- Duty to inform (transparency as a cardinal principle)
  - Personal data may be collected only for a purpose that is determined and recognizable to the data subject
  - The purpose is recognizable if the data subject has been informed, if the processing is required by law, or if it is clear from the circumstances
  - The data must be processed in accordance with the initial purposes, so further processing is not permissible if the data subject can legitimately regard it as unexpected, inappropriate or objectionable
  - To fulfill this obligation, the data subject must actually be able to take note of the information in an easily accessible manner
- Technical and organizational measures (accountability principle)
  - In order to prevent and mitigate risks to the fundamental rights of data subjects, data controllers must substantiate, document and demonstrate the implementation of an appropriate process to protect data subjects
What happens if a company does not comply with the nFADP?
- Administrative consequences
The powers of the Federal Data Protection Commissioner to enforce the nFADP have been expanded. The Commissioner can, on its own initiative or following a report, open an investigation against a company and, where data protection requirements have been violated, order far-reaching measures, including the modification or suspension of data processing or even the deletion of data
- Civil consequences
Under the nFADP, data subjects have civil law remedies available to enforce their claims
- Penal consequences
Penal provisions are tightened: in case of violation or non-compliance they target the data controller and, in particular, managers, directors and decision-makers within companies:
- Intentional violations of certain obligations are sanctioned
- Individuals are liable for the fines, unless the applicable fine does not exceed CHF 50,000.00 and identifying the perpetrators would require disproportionate measures; in such cases, the company is liable instead. The fine can range up to CHF 5 million.
How to mitigate risks?
Errors or failures in the proper handling of data can be avoided through several measures:
- GDPR- and nFADP-compliant data processing programs that enable adherence to the legal requirements (accessibility, security, purpose)
- Attention to the choice of passwords, authentication credentials (MFA: multi-factor authentication), authorization systems, and employee education
- Antivirus and firewall software, updated frequently
- Frequent and protected data backups: encrypted (password-protected) backups
- Cyber risk insurance policies
Taking out this type of policy protects the company from damages resulting from the loss or corruption of data, for example in the event of cyber attacks, negligence, etc.
- Rely on professionals to ensure compliance of your business practices and safeguard your operations by providing the right tools. At NFS Group, we stay up-to-date not only on current regulations, but also on the best ways to comply with the laws and not incur risks.
There are only a few months left to arrange the necessary measures to implement the new law, so don't be caught unprepared.
Sharing information: an event for our clients
We are committed to offering our customers highly qualified service at all times.
At NFS Group we want our clients to be up-to-date on the most important business issues, and we regularly organize events designed for sharing and exchange. The last one, on Friday, June 23, was dedicated specifically to the new data protection law, and we made sure that everyone had the information they needed to comply and protect themselves and their business.
Do you want to know our approach and values?