The Swiss government has adopted the revised revDPO (Data Protection Ordinance) and the Ordinance on Data Protection Certifications. The revised DPO sets out new legal obligations for companies that process personal data. It also provides more detailed rules regarding storage periods and retention periods. The goal is to strengthen individuals' rights and ensure they can exercise them effectively.
Swiss revDPO will commence on 1 September 2023
The adoption of the Ordinance on Data Protection Certifications (the "Ordinance") is an important step in implementing the new Swiss Federal Data Protection Act (the "Act"), which Parliament voted for.
The main objective of the Ordinance is to ensure that companies with a significant amount of personal data comply with their obligations under the Act. The legal requirements will be implemented through a qualification scheme and thus help improve compliance efforts.
Enforcement of the RevDPO will commence on 1 September 2023. It's all about giving organizations enough time to get their houses in order before they are held accountable for any breaches of data protection law.
The sooner an organization can demonstrate compliance with revDPO, the better its prospects will be when (not if) a regulator or other enforcement body investigates its operations.
Federal Council clarified and specified obligations of the revDPA
There are many reasons for the Federal Council to clarify and specify the obligations of revDPA. First and foremost, the new law is intended to ensure a high level of data protection in Switzerland.
In addition, clarifying requirements is important for companies subject to the revDPA and can help them in their planning processes when implementing the new law.
The Federal Council's provisions concerning data processing agreements, transparency obligations, or compliance with former regulations provide more legal certainty for companies operating in Switzerland and help them prepare for changes under revDPA.
Data Protection Security Measures
To protect data against unauthorized or unlawful processing, you must implement security measures to maintain your processing systems' confidentiality, integrity, and availability.
The Swiss Data Protection Authorities have published guidance on how to do this. They recommend that the following measures are taken:
To ensure that access to your system is restricted to authorized persons (i.e., those who have a legitimate reason for using it)
To secure any physical device containing personal data against theft or damage (e.g., through encryption)
To regularly review your security arrangements
Information And Documentation Obligations
In addition to the requirements for processing, the new law also describes several additional information and documentation obligations.
The controller is obligated to document its data processing activities, including processing for marketing purposes. They must inform users appropriately regarding the collection of their personal data. They should provide storage and usage information precisely, transparently, comprehensively, and in the most accessible manner.
Rights To Access and Data Portability
Users should be able to request access to your data at any time in a machine-readable format. You may also request your data's correction, integration, or deletion.
As a rule, you have a right to object to processing based on legitimate interests (see below) and profiling based on automated decision-making, including profiling for direct marketing purposes. In some cases, you also have the right to data portability (see below).
Companies should not charge any fees for this service except in certain very specific situations when it is required by law or if users require an express service rendered that does not fall under a company's usual services (e.g., urgent requests).
This is a very interesting topic that needs to be studied in detail. It is important to understand the new Swiss Data Protection Law and its implications for businesses operating in the country.