Swiss Data Protection: news

A notable change for everyone who collects information about their customers or runs a website: as of September 1st, 2023, Switzerland has a new data protection law. The Federal Act on Data Protection of June 19, 1992 (RS 235.1 - LDP) has been updated to take into account the evolving digital environment and the General Data Protection Regulation (GDPR) adopted in 2016 for EU countries.

So, what does this revision of the Swiss data protection law mean in practice? That's what we’ll explore in this article.

What is the purpose of data protection laws?

The purpose of data protection laws is to prevent the personal data of your customers or website users (such as name, first name, date of birth, payment information, or IP address), that is, data that can identify them, from being collected, stored, used, or disclosed without their consent.

This is aimed at protecting the privacy and confidentiality of your customers while giving them control over the data they entrust to you.

As a result, they can request information about the data you have, ask for corrections, or even request the deletion of their data from your databases at any time.

Key Points for Self-Employed or Small Businesses of the new Swiss data protection law

Firstly, the law applies to you if you are based in Switzerland, but it also applies if your business is located outside Switzerland and you process personal data with effects in Switzerland.

Secondly, since September 1st, only the data of natural persons is covered by the law. Data of legal entities is no longer protected by it.

Thirdly, although this was already the case, it's important to note that data about a person can only be collected and processed for a specific purpose. This purpose must be disclosed or, at the very least, recognizable to the person concerned before their data is processed. If the purpose changes, the individuals concerned must be informed so they can accept or refuse the continued use of their data.

Also, keep in mind that personal data must be destroyed or anonymized as soon as it is no longer needed for the announced processing.

Much has been said about the need to obtain consent from the individuals whose data is processed since the GDPR came into effect, so we will just point out that Swiss data protection law stipulates that private individuals must obtain explicit consent from the person concerned only in the following cases:

  • Processing of personal data deserving special protection

  • Processing of sensitive personal data (data about religious, philosophical, political, or trade union beliefs or activities; health data; data on the intimate sphere or racial or ethnic origin; genetic data; biometric data; data on criminal or administrative sanctions; data on social assistance measures)

  • High-risk profiling*

  • Data transfer to a country that does not provide adequate protection according to Swiss authorities

*High-risk profiling: according to Swiss law, profiling is any form of automated processing of personal data involving the use of this data to evaluate certain personal aspects related to a natural person, especially for analyzing or predicting elements related to work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements of that person. It is considered high-risk if it poses a high risk to the personality or fundamental rights of the person concerned, as it involves matching distinct data sets (data matching) that allow assessing essential characteristics of a natural person's personality.

Transparency is Key to Data Protection

Apart from the cases mentioned above, where your client or website user must give explicit consent, data collection and processing is lawful without explicit consent provided the following conditions are met:

  • Collection must take place without threats or deception, and the person concerned must be aware of this collection.

  • Processing must be honest, trustworthy, considerate, and proportionate (no unnecessary processing).

  • The purpose of collection and processing must be recognizable, either because it is indicated or because it emerges from the circumstances.

  • Processed data must be accurate.

  • Data security must be ensured.

Therefore, it's essential to have a policy regarding the use of your customers' and users' personal data that clearly and transparently indicates:

  • Why you collect their data

  • Where it is stored (don't forget the various services you use and to which you transfer data, such as newsletter or payment platforms)

  • How and where they can inquire about stored data, request corrections, or deletion

  • In the case of cookies, what data is collected through them and for what purposes

Note that if your website is available in multiple languages, your policy must be written in all the languages of the website.

2 Interesting Exceptions to the Law's Requirements

  • In the case of collecting and processing personal data for purely private use, you do not have to apply the rules described so far.

  • If your business employs fewer than 250 people, you do not have to maintain a record of processing activities.

2 More Important Details

1. Obligation to Report Violations to the FDPIC (Federal Data Protection and Information Commissioner - Préposé fédéral à la protection des données et à la transparence in Switzerland)

If you discover that the personal data you have collected has been breached, you must report it within 72 hours.

2. Sanctions for Violations of the Law

In case of violation, the penalty can go up to CHF 250,000 for a responsible person. If this person is difficult to identify, the company can be fined up to CHF 50,000.

We hope that this article has been helpful in understanding what you need to do to collect and use the data of your customers and users lawfully.

If you want to ensure that your data protection and cookies policies comply with the new Swiss data protection law, send us your request, and we will be happy to assist you promptly.
