Approval of revised Data Protection Act and English translation

30 September 2020 – On 25 September 2020, the Swiss Parliament approved the final draft of the revised Data Protection Act (rev-DPA) (in German, French and Italian). For our readers’ convenience, we have translated the final draft into English (available here). In addition, we have posted an online version of the current and the revised DPA on datenrecht.ch (here, in German).

Moreover, you may find an updated comparison chart in German of the current DPA, the Federal Council’s draft rev-DPA and the final version of the rev-DPA.

In short, the rev-DPA comes with comparatively strict constraints and requirements. The new powers of the Federal Data Protection and Information Commissioner (Article 50 et seq. rev-DPA) and the potential criminal fines of up to CHF 250,000 imposed on the individuals responsible for certain types of infringements (Article 60 et seqq. rev-DPA) further increase exposure for controllers and processors that are subject to the rev-DPA and, thereby, strengthen its enforcement.

We expect the rev-DPA to enter into force in the course of 2022. The following new requirements are likely to have an impact on most organisations:

  • creating and maintaining an inventory of processing activities, unless the SME exception applies (Article 12 rev-DPA);
  • drafting or updating privacy notices for data subjects – including end customers, contact persons of customers and suppliers, and applicants and employees – to account for the new duty of information when collecting personal data (Article 19 et seqq. rev-DPA);
  • carrying out a data protection impact assessment where processing is likely to result in a high risk to the rights and freedoms of the data subject, potentially including all “profiling carrying a high risk” (Article 22 rev-DPA);
  • reviewing contracts with processors, joint controllers and third parties, especially those involving international data transfers (e.g. Articles 9 and 16 et seqq. rev-DPA);
  • applying the principles of “data protection by design” and “data protection by default” (Article 7 rev-DPA);
  • establishing codes of conduct and policies, including for notifications of data security breaches (Article 24 rev-DPA) and subject rights, for example the new right of data portability (Article 28 et seq. rev-DPA);
  • for private controllers with domicile or residence outside of Switzerland: under certain circumstances, appointing a representative in Switzerland where personal data of individuals in Switzerland is processed. The name of the representative must be communicated to the FDPIC (Article 14 rev-DPA).

We encourage businesses to use the time until the rev-DPA’s entry into force to assess its impact on their activities and start implementing or elaborating processes that will comply with the rev-DPA.

Also, we recommend staying up-to-date on any developments, for example by following news published on dataprotection.ch and subscribing to datenrecht.ch.