Posted: 15 Sep. 2023

Revised Swiss Data Protection Law: Missed 1st September deadline? Set your company on the compliance path

As of September 1st, 2023, the revised Swiss Data Protection Act (hereafter “nFADP”) is in force, requiring Swiss companies to be compliant immediately and strengthening their data protection obligations.

If you suspect your business is behind on its data protection compliance responsibilities, rest assured, it is not (yet!) too late. Whether your company is a beginner when it comes to data protection or already has a solid foundation in place, this high-level roadmap will help you conduct your business in compliance with the nFADP. In addition, if you would like to know more about the main changes introduced by the nFADP, please check our latest article on this subject.

Now let’s focus on the high-level roadmap we propose to you:

1. Prepare/update your privacy notice

With the extension of the duty to inform data subjects of the processing of their personal data (art. 19 et seq. nFADP), it is now mandatory for data controllers to establish a privacy notice or update the one they already have.

In terms of content, a privacy notice needs to contain at least the company’s identity and contact details, the personal data processed and the reason for its collection, the recipient(s) of personal data and the countries to which it may be transferred, as well as the safeguards used to transfer this personal data to a third country.

Once your privacy notice is ready, make sure it appears on anything used to collect personal data, such as terms & conditions, apps, forms and websites, as this notice should be easily accessible to the data subjects.

2. Keep/update an inventory of your processing activities

Swiss companies are now required to keep an internal register of their data processing activities (art. 12 nFADP). Companies that have fewer than 250 employees and whose data processing poses only a negligible risk of harm to data subjects are, however, exempted from this obligation.

In practical terms, the inventory can consist of a simple Excel or Word document, which contains at least the following information:

  • Your identity as data controller (note, however, that if you are a data processor, you are subject to fewer content requirements, according to art. 12 para. 3 nFADP);
  • Purpose of processing;
  • Categories of data subjects (e.g., suppliers, employees, clients, etc.) and the categories of personal data (e.g., personal data, sensitive data, etc.);
  • Categories of recipients (e.g., internal recipients, banks, IT services, etc.);
  • Storage period;
  • Security measures taken to guarantee data security;
  • Recipient countries (and, depending on the country, grounds for exportation of data).

Compiling the above is the hardest part, but be sure to update the inventory regularly afterwards. For the sake of efficiency, we recommend, for instance, making the person in charge of each department responsible for monitoring its data processing activities.

3. Define an internal process for handling data subjects’ requests

The nFADP grants data subjects the right to access, correct, delete or transfer their personal data (art. 25 et seq. nFADP). Ensuring that these rights are guaranteed means implementing in advance an internal process (e.g., assigning a person in charge) to address these requests efficiently and swiftly. Your inventory (see 2. above) will be a valuable help in completing this task, as it should contain the information you will need in such cases.

4. Prepare a data protection impact assessment (hereafter “DPIA”) process and template

The nFADP now provides for a duty to conduct a DPIA before starting a data processing activity which presents a high risk to data subjects’ privacy or fundamental rights (art. 22 nFADP). The DPIA shall include a description of the processing activity and an evaluation of the risks and existing measures to prevent such risks. If a high risk remains despite these measures, the FDPIC must be consulted.

An effective way to comply with this requirement is to draft a DPIA template and to define an internal process (e.g., When is a DPIA required? Who oversees the DPIA?).

5. Define an internal process for notification of a data breach

The nFADP provides for an obligation for companies to promptly notify the Federal Data Protection and Information Commissioner (hereafter “FDPIC”) of any data security breach (e.g., hacking, loss of data, wrong email recipient, etc.) that entails a high risk of negative consequences for individuals (art. 24 nFADP). In some cases, the revised law also requires the affected data subjects to be notified, particularly where such notification is necessary to ensure their protection.

To comply with this new obligation, companies shall have an internal process in place (e.g., a checklist) indicating the person responsible for notifying the FDPIC, the period of time within which the notification must be made and the criteria for determining whether such notification is necessary.

Please note that a reporting portal is at your disposal on the Confederation’s website to notify the data breach.

6. Implement data security measures

According to art. 8 nFADP, data controllers and processors must ensure adequate security of personal data through appropriate organisational measures (e.g., training sessions, as detailed below under 10.) and technical measures (e.g., firewalls, MFA, encryption, etc.). Such measures shall protect personal data against unauthorised access, loss or leakage.

7. Review and update existing data processing agreements with third parties

nFADP compliance duties require you to review your company’s contracts with third parties (i.e., clients, suppliers, service providers and employees) and check whether they contain complete data protection clauses which comply with the revised law. In addition, as the nFADP provides that the processing of personal data may only be assigned to a processor by contract or by law, you should ensure that a proper data processing agreement is in place with your data processor(s) (art. 9 nFADP). Contractual relationships with your cloud service providers, IT providers, marketing agencies and payroll providers, for example, should be verified.

8. Review and map your cross-border data transfers

The admissibility of cross-border transfers of personal data depends on the country to which the personal data is to be transferred (art. 16 et seq. nFADP). When the recipient country offers an adequate level of data protection (e.g., the EU; see Annex 2 to the Ordinance to the FADP for the complete list), personal data may be transferred. If this is not the case, the data transfer is only permitted under restrictive conditions (e.g., conclusion of the EU Standard Contractual Clauses, “SCC”).

An intentional breach of the cross-border transfer rules exposes your company to a fine of up to CHF 250,000. We therefore strongly suggest checking whether the countries involved in your existing business relationships offer sufficient guarantees of protection, replacing any previous SCC and maintaining a clear understanding of where the personal data goes.

9. Consider appointing a data protection advisor

Under the nFADP, companies can decide to appoint a data protection advisor (hereafter “DPA”) to advise the company and act as an intermediary between data subjects and the data protection authorities (art. 10 nFADP). In particular, appointing a DPA offers the advantage of exempting the company, where applicable, from its obligation to consult the FDPIC.

We therefore advise carefully assessing whether your business could benefit from the presence of a DPA. If so, your internal policies should clearly define each person’s responsibilities (i.e., employees’ duties vs. DPA’s duties).

Deloitte Legal would be pleased to propose its services to be appointed and act as your company’s DPA (see contact details below).

10. Train your employees

Lastly, bear in mind that all employees, regardless of their position, need to be made aware of their data protection compliance duties. This step is all the more important as the revised law now provides for criminal sanctions in case of non-compliance.

To raise awareness among your staff, consider, for example, implementing training sessions (e.g., e-learning courses), keeping them updated on data protection developments through newsletter emails, and drawing their attention to existing internal processes.

The nFADP marks an important step in the Swiss Confederation’s goal of strengthening personal data protection and ensuring transparency in an increasingly digital world. Beyond being compliance duties, the above rules are paramount for a business to maintain trust with its co-contractors and to help ensure a transparent and safe environment for each data subject.

If you would like to discuss this topic or need assistance to assess your current compliance with the nFADP and prepare the relevant procedure and agreements, please do reach out to our key contacts below:

Key contacts

Paul de Blasi, Partner, Deloitte Legal

Audrey Soutter, Senior Manager, Deloitte Legal

Lise Morin, Senior Consultant, Deloitte Legal