Key provisions in the pre-draft of the revised Data Protection Ordinance

7 juillet 2021 – The pre-draft of the revised Swiss Federal Data Protection Ordinance (rev-DPO, download available in German, French and Italian) was published on 23 June 2021 (see the Data Protection News as of 23 June 2021) by the Swiss Federal Council.

The rev-DPO will specify and complement the provisions of the revised Swiss Federal Data Protection Act (rev-DPA) that the Swiss Parliament adopted on 25 September 2020 (see the Data Protection News of 1 October 2020).

The respective provisions in the pre-draft of the rev-DPO are explained in and clarified by the explanatory report of the Swiss Federal Council (download available in German, French and Italian). Further, differences between the pre-draft of the rev-DPO and the current Swiss Federal Data Protection Ordinance are illustrated in a comparison table (download available in German, French and Italian).

The rev-DPO and rev-DPA will enter into force at the same time. According to the press release of the Swiss Federal Council (available in German, French and Italian) this should happen in the second half of 2022.

Key provisions of the rev-DPO applicable to private persons

The provisions of the pre-draft of the rev-DPO particularly touch on the following areas: data security (Articles 1 to 5); processing by processors (Articles 6 and 7); cross-border disclosure of personal data (Articles 8 to 12 and Annex 1); duties of the controller and the processor (Articles 13 to 19); access right (Articles 20 to 23); data portability (Article 24); data protection advisor (Article 25); exception from maintaining an inventory of data processing activities (Article 26) and Federal Data Protection and Information Commissioner (FDPIC) (Articles 37 to 45).

We will provide some high-level information below on these key provisions as applicable to private persons.

Data security:

Article 8(3) rev-DPA requires the Federal Council to issue provisions on the minimum requirements for data security. As is the case under the current DPO, the rev-DPO does not prescribe rigid specific minimum data security requirements, as such a regulation would not be practicable. Instead, the rev-DPO takes a risk-based approach: the controller and processor must determine the appropriate measures based on the respective risk. The rev-DPO specifies which criteria (Article 1 rev-DPO) are to be considered in this assessment and provides guidelines on how these measures should be designed by listing protection objectives that have to be met (Article 2 rev-DPO). Compared to the current DPO, Article 2 rev-DPO has added additional data protection objectives.

If it results from a data protection impact assessment (DPIA) concerning an automated processing of personal data that despite the measures envisaged by the controller such processing still presents a high risk for the data subject’s personality or fundamental rights, the private controller and its processor must record certain processing activities and keep such records for at least two years separate from the system in which the processing of the personal data takes place (Article 3 rev-DPO).

Finally, the private controller and its processor must establish a processing policy for automated processing activities, if they process sensitive personal data on a broad scale or in case of high-risk profiling (Article 4(1) rev-DPO). Article 4(2) rev-DPO sets forth the minimum content of such policy. Also, the policy must be regularly updated (Article 4(3) rev-DPO).

Processing by a processor:

Article 6(1) rev-DPO specifies that the controller remains responsible for data protection if it assigns the processing of personal data to a processor and that the controller must ensure that the data is processed in compliance with contractual and statutory provisions. Article 6(2) rev-DPO further specifies that if the processor is not subject to the rev-DPA, the controller must ensure that other statutory provisions provide for an equivalent protection of personal data and that in the absence of such provisions, this must be ensured contractually. However, contrary to Article 28 GDPR, Article 6 rev-DPO does not require such contractual arrangement to meet specific formal or minimum content requirements. In its explanatory report of the rev-DPO, the Swiss Federal Council references the minimum content requirement set forth in Article 22(3) of the Directive (EU) 2016/680). However, as the aforementioned directive applies to the processing of personal data by authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, this is (in general) not relevant for the processing by private persons. This being said, due to the fact that neither the rev-DPA nor the rev-DPO require a minimum content as regards contractual arrangements with processors, compliance with Article 28 GDPR is not per se necessary from a rev-DPA perspective. However, in practice, compliance with Article 28 GDPR will in most cases allow to also satisfy the requirements under the rev-DPA and will be the preferable solution.

Cross-border disclosure of personal data

Under Article 16(1) rev-DPA, the Federal Council shall now determine which States or international bodies guarantee an adequate level of protection in case of cross-border disclosure of personal data. As a consequence, Article 8(1) rev-DPO lists the criteria that the Federal Council shall in particular take into consideration when taking its decision. Interestingly, Article 8(2) rev-DPO mentions that assessments made by international bodies or foreign authorities that are responsible for data protection may be taken into account by the Federal Council for its own determination. In its explanatory report, the Federal Council explicitly refers to assessments made by the European Commission.

According to Article 8(3) rev-DPO, the adequacy of the date protection legislation must be reassessed periodically.

Finally, the States, territories, specific sectors in a State and international bodies with an adequate data protection legislation are listed in Annex 1 to the rev-DPO. Currently, the draft (but non-final) list in particular includes all EU and EEA member states. It must be noted that if a State is not listed in this Annex 1, this does not necessarily mean that such State does not have an adequate protection of personal data (for example, the Federal Council may not yet have assessed the respective State’s legal framework). However, in the absence of a positive determination by the Federal Council and absent any exceptions pursuant to Article 17 rev-DPA, any disclosure abroad requires that adequate protection is guaranteed otherwise, for example through contractual clauses or specific safeguards, through standard contractual clauses previously approved, established or recognised by the FDPIC or by binding corporate rules on data protection previously approved by the FDPIC or by a foreign authority (Article 16(2) rev-DPA).

Article 9(1) rev-DPO sets forth the aspects that, as a minimum, must be covered by the contractual clauses or specific safeguards. Approval by the FDPIC is not required, but the contractual clauses/specific safeguards must be communicated to the FDPIC beforehand. Moreover, the specific safeguards must be developed by the competent Swiss federal authority (Article 16(2)(b) rev-DPA). Also, use of contractual clauses or specific safeguards is not sufficient as such. In fact, the controller must take adequate measures to ensure that the recipient complies with such contractual clauses or specific safeguards (Article 9(2) rev-DPO).

As regards standard contractual clauses, the FDPIC shall publish a list of standard contractual clauses, which he has approved, established or recognised (Article 10(2) rev-DPO). However, as in the case of transfers based on contractual clauses or specific safeguards, the controller must take adequate measures to ensure that the recipient complies with the standard contractual clauses (Article 10(1) rev-DPO).

Article 11 rev-DPO sets forth more detailed requirements for binding corporate rules.

Finally, according to Article 16(3) rev-DPA, the Federal Council can provide for additional adequate safeguards allowing for a transfer to States without adequate data protection. The Federal Council has used this competence by foreseeing in Article 12 rev-DPO that personal data may be disclosed abroad if through a code of conduct approved by the FDIPC or through a certification an adequate data protection is ensured, provided that certain additional requirements are met. The possibility to use codes of conduct and certification may offer additional flexibility to companies. However, codes of conduct must be previously approved by the FDPIC.

Duties of the controller and the processor

Articles 13 to 19 further specify certain duties of the controller and processor.

Controllers and processors must provide the data subject with information on the collection of personal data in a precise, comprehensible and easily accessible form (layered approach permitted). Pictograms may be used to increase transparency, but they but they may not replace the information itself. Also, if pictograms are depicted in electronic form, they must be machine-readable (Article 13 rev-DPO).

Moreover, the controller is required to inform any recipients to whom it disclosed personal data without delay of any correction, deletion, destruction as well as the restriction of the processing of personal data, unless such notification is impossible or involves a disproportionate effort (Article 16 rev-DPO).

Article 18 rev-DPO requires the controller to record in writing (including documents in electronic format) a DPIA and to safeguard such records for two years after the termination of the processing activity.

Article 19(1) and (3) rev-DPO sets forth the information the controller must provide to the FDPIC and the data subjects (as applicable under Article 24 rev-DPA) in case of a data security breach. As regards the notification to the FDPIC, Article 19(2) rev-DPO explicitly allows the controller to provide the information successively without undue delay, if the controller is not in a position to provide all the required information at the time the data security breach is discovered. Finally and very importantly, the controller must document data security breaches. Such documentation must include all facts that relate to the incidents, its consequences and the measures taken and must be kept for at least three years after the notification of the incident to the FDPIC (Article 19(5) rev-DPO).

Access right

Articles 20 to 23 rev-DPO specify the modalities, responsibilities, time limits and exceptions to the exemption from costs in respect of the access rights.

As this is currently the case, the information shall be provided to the data subject within 30 days after receipt of the access request. If the controller refuses, restricts or defers the provision of information, it must inform the data subject within the same period (Article 22(1) rev-DPO).

If the controller is not in a position to the provide the information within 30 days after the receipt of the request, it must inform the data subject thereof and communicate the period of time within which the information will be provided (Article 22(2) rev-DPO).

As a general rule, the information must be provided free of charge to the data subject. An appropriate share of the costs (up to a maximum of CHF 300) may be requested from the data subject if the provision of the information requires a disproportionate effort. However, the data subject must be informed in advance about the amount of the share and may withdraw his or her access request within ten days (Article 23 rev-DPO).

Data portability

As regards data portability, Article 24 rev-DPO simply mentions that certain requirements relating to the modalities, responsibilities, time limits and exceptions to the exemption from costs in respect of the access rights also apply to the right of data portability.

Data protection advisor

Article 25(1) rev-DPO specifies the duties of the data protection advisor of a private controller: a) the data protection advisor is required to audit the processing of personal data as well as its prerequisites and to recommend corrective measures if he or she ascertains that the data protection regulations have been infringed and b) he or she is required to participate in the preparation of the data protection impact assessment and to review it, in any case if the private controller wishes to abstain from consulting the FDPIC in accordance with Article 23(4) rev-DPA.

In its explanatory report, the Federal Council mentions that the data protection advisor, as its designation suggests, is a consulting and supporting position and that, as a consequence and based on its decision power, the controller remains solely liable for data protection compliance, in particular towards the data subject. Also, according to the Federal Council, the duties of the FDPIC under Article 25(1)(a) rev-DPO do not create a liability of the data protection advisor if the controller infringes the data protection legislation. This precision is welcome and hopefully the courts will follow this approach.

Exemptions from the duty to maintain an inventory of processing activities

According to Article 12(5) rev-DPA, the Federal Council provides for exception to the obligation to keep an inventory of processing activities for companies that have less than 250 members of staff and whose processing entails only a low risk of infringing the personality of the data subject.

Based on the foregoing, Article 26 rev-DPO foresees that companies and other private law organisations that have less than 250 members of staff at the beginning of a year as well as individuals are exempt from the duty to maintain an inventory of processing activities for companies, unless one of the following conditions is fulfilled: a) they process sensitive personal data on a broad scale; b) in case of high-risk profiling.

In its explanatory report, the Federal Council mentions that the threshold of 250 members of staff is to be understood regardless of the level of employment (i.e. full time or part time).

Data Protection and Information Commissioner

Further provisions (Articles 37 to 45 rev-DPO) concern the FDPIC, whose position and independence are strengthened by the rev-DPA. For example, the legal basis for the FDPIC's data processing is now regulated in more detail, which previously existed only in a general manner in connection with the business administration system. Also, the collaboration between the National Centre for Cybersecurity (NCSC) and the FDPIC regarding the notification of data security breaches is addressed, it being specified that the FDPIC may only transmit such information to the NCSC with the prior consent of the controller that is subject to the notification duty.

Preliminary high-level assessment

The provisions contained in the pre-draft of the rev-DPO do not come as a surprise, generally meet the “expectations” of commentators and appear quite balanced. This being said, some of the requirements appear excessive and do not appear to be absolutely necessary.

For example, the requirement to establish a processing policy prima facie exceeds the accountability requirement under Article 5(2) and Article 24(1) GDPR. Under the GDPR, the duty of documentation is of a general nature that is only selectively reinforced (e.g. the requirement to record data breaches or to maintain an inventory of processing activities). An additional processing policy, however, is not required and – in our view – not necessary. Controllers that are obliged to maintain an inventory of processing activities (Article 12 rev-DPA) will document a large part of the minimum content required for the processing policy pursuant to Article 4(2) rev-DPO (e.g. purpose of processing, categories of data processed, data security measures) already for such inventory. Moreover, in cases where the controller is required to establish a processing policy, it will generally be already required to conduct a DPIA which must be recorded in writing (Article 18 rev-DPO). It thus seems to be an unnecessary administrative burden on private controllers and their processors to additionally establish a handbook or guideline (i.e. the processing policy). It seems that the Federal Council was unwilling to let go of the processing policy obligation provided for in the current DPO.

Another example is the discrepancy to the GDPR with regard to contractual clauses (not to be mistaken for standard contractual clauses) that may be used as a guarantee for disclosure of personal data to recipients based in States without an adequate level of data protection. Whereas Article 46(3)(a) GDPR does not provide for the minimum requirements of contractual clauses but requires their prior approval by the competent data protection authority, notification of the contractual clauses to the FDPIC is sufficient (which is welcomed), provided they meet the minimum standard set out in Article 9 rev-DPO. The same applies to the specific guarantees (Article 16(2)(c) rev-DPA). Companies planning to make use of “one size fits all” contractual clauses for their EEA and Swiss cross boarder transfers will need to take the Swiss minimum requirements into account before seeking approval of the respective European data protection authority. This being said, most companies will likely – as in the past – rely on the EU standard contractual clauses for transfers to third countries and based on the assumption that the FDPIC will also recognise the recently adopted new EU standard contractual clauses for transfers to third countries, Article 9 rev-DPO may in practice be of limited effect.

Going forward and from a practical point of view, it is to be hoped that the provisions of the rev-DPO that go beyond (or contradict) the requirements under the GDPR will be re-drafted as they would create additional burdens on private persons and in particular companies subject to the DPA (and the GDPR) compared to those only subject to the GDPR. We recommend for interested companies to participate in the official consultation process on the pre-draft of the rev-DPO (ending on 14 October 2021) in order to shape the final wording of the rev-DPO.

For companies currently reviewing and adapting their data processing activities to the rev-DPA, we recommend already taking into account the pre-draft of the rev-DPO. In fact, while the final version of the rev-DPO will certainly differ on certain points from the pre-draft, variations will most likely be limited and can be addressed with little effort once the final version of the rev-DPO is known.

For more information on the revision of the Swiss data protection legislation, see https://www.dataprotection.ch/dpa/introduction. Please note that we will shortly publish a non-official English translation of the pre-draft of the rev-DPO.