In the wake of EU’s upcoming General Data Protection Regulation (GDPR), the Swiss government has recently issued a preliminary draft of a new Data Protection Act (Draft-DPA) that aims to modernize Swiss data protection law. By doing this, Switzerland intends to maintain its adequacy status granted by the European Commission in order to ensure the free flow of personal data from the EU into Switzerland and vice versa.
Proposed new data protection obligations
Amongst others, the Draft-DPA proposes new concepts and obligations in Swiss data protection law, which in part correspond to provisions found in the GDPR:
- Privacy by design. Data controllers and data processors shall undertake reasonable measures to design their processing activities in a manner that reduce and prevent privacy risks.
Privacy by default. Data controllers and data processors must pre-configure their software so that by default it processes only as much personal data as is necessary for the purpose of processing.
- Automated decision-making. Data subjects must be informed if they are subject to a decision that is made solely by automatic processing of personal data and which has a legal effect on the data subject or otherwise significantly affects the data subject. The data subject has a right to be heard in relation to the decision and the personal data that was processed to reach that decision.
- Data protection impact assessments. Data controllers and data processors must perform data protection impact assessments if the contemplated processing activities likely result in a high risk for the privacy or human rights of data subjects. Results of such assessments need to be communicated to the data protection authority.
- Data breach notifications. Data controllers and data processors shall immediately notify the data protection authority of any unauthorized processing or loss of personal data unless the data breach is unlikely to result in a risk for the privacy or human rights of data subjects.
However, the Draft DPA stops shorts of introducing high financial penalties imposed for infringements of data protection law. The proposed fines are considerably lower than in the GDPR, namely amounting to CHF 500.000. Fines would be imposed on the employee that has infringed specified obligations of the Draft-DPA although a fine of no more than CHF 100.000 could be imposed on the company.
The Draft-DPA was open for public consultation until the beginning of April. The Swiss government is now considering the results of the consultation and will issue a final draft and submit it to Swiss parliament for consideration and legislative process.