New Data Protection Act in Switzerland

On September 1, 2023, a new Data Protection Act (“DPA”) will come into effect in Switzerland. The DPA will apply to such data protection cases with “an effect in Switzerland even if they are initiated abroad”. Consequently, the law will affect German businesses if these process an individual’s data in Switzerland as so-called controller, for example, because they offer goods or services to individuals in Switzerland, or if they come into contact with personal data as service provider (“processor”) for Swiss companies. 

The DPA resembles the General Data Protection Regulation (GDPR) in many respects; however, some points must be observed: for example, contrary to the GDPR, where the responsible company is liable in case of a data protection breach, the DPA provides for a primary personal liability of the responsible person. Such liability may affect not only the managing director, but the relevant decision maker. Fines of up to CHF 250,000 may be imposed. 

Companies processing personal data in Switzerland should therefore ensure data protection compliance and absolutely avoid any data protection breach, not least with regard to the personal liability. 

What’s new?
In structural terms, the permissibility of data processing is based on a quite pragmatic approach: In Switzerland, the processing of data is – unlike under the GDPR – generally admissible and prohibited only in exceptional cases. However, data processing must not unlawfully violate the data subject’s personality (Art. 30 DPA). Insofar, the requirements to compliance with Swiss data protection law are comparably strict to those of the GDPR.

The already mentioned personal liability of the decision-maker in case of a data protection breach also significantly differs from the GDPR’s liability provisions. According to the DPA, it is possible to sentence the company to pay the fine instead of the individual only in case of violations involving a fine of no more than CHF 50,000 and if the efforts to identify the offending person within the business would be unreasonable. 

Apart from that, similar requirements to the GDPR apply. The fact that the DPA’s implementation requires a careful review despite its GDPR compliance is to be demonstrated by the following examples: 

Information requirements (data protection notices)

• Due to the multitude of official languages in Switzerland, these are to be provided in the relevant languages depending on the target group of your offer.
• All recipient countries and the guarantees must also be indicated if data is transferred abroad.

Conclusion of a processing agreement

• The Swiss Data Protection Act imposes fewer requirements on the processing agreement than the GDPR, yet you do not have to comply with the DPA but can generally use your previous template in accordance with the GDPR.
• There is an exception in the case of an assignment by a federal authority, which are regularly subject to stricter requirements.

Representative in Switzerland
You must appoint a representative in Switzerland if the following data processing requirements are cumulatively met:

• The processing is related to the offer of goods and services or the observation of any person’s behavior in Switzerland.
• The processing is extensive.
• The data is processed on a regular basis.

The processing involves a high risk for the personality of the persons concerned.

Companies that process data of individuals in Switzerland should definitely ensure their data protection compliance in order to prevent a data protection breach in any case, not least with regard to personal liability.

We will be happy to support you in implementing these requirements!