On September 1, 2023, the government of Switzerland brought the newly revised Federal Act on Data Protection (FADP) into force. The revision aims to enhance the protection of individual privacy and also ensures Swiss law's compatibility with the EU GDPR. The FADP imposes rigorous data handling requirements on business entities processing Swiss customers' data, regardless of whether they operate in Switzerland. Infringement of these regulations may result in significant penalties for the organizations concerned. The nFADP consists of ten chapters and seventy-eight articles (including three amendments). This article provides a concise overview, with particular emphasis on the articles relevant to data erasure.
Chapter 1: Purpose, Scope of Application, and Federal Supervisory Authority
Chapter 1 of the new FADP outlines its scope, exclusions, and territorial limitations. The chapter has four articles (Articles 1 to 4) that lay the groundwork for data protection in Switzerland. These articles establish the purpose of the act, which is to safeguard individual rights during data processing (Article 1). The act applies to both private and federal entities, with certain exemptions (Article 2). It also covers data processing that has an effect in Switzerland, regardless of where Swiss citizens' data originates (Article 3). Additionally, the FADP introduces the Federal Data Protection and Information Commissioner (FDPIC) as the oversight authority, with specific exemptions set out in Article 4.
Chapter 2: General Provisions
Chapter 2 outlines key elements of data protection in Switzerland and is divided into three sections. Here is a closer look at Articles 5 to 13, which form Section 1 of Chapter 2.
Article 5 outlines essential definitions within the realm of data protection:
- Personal Data: Information that relates to an identified or identifiable individual.
- Data Subject: The individual whose personal data is processed.
- Sensitive Personal Data: Includes data on health, racial or ethnic origin, and religious beliefs.
- Processing: Any handling of personal data, from collection through to deletion.
Articles 6, 7, and 8 ensure responsible data handling with respect to:
- Lawful Processing: Mandating ethical data handling, accuracy, and explicit consent for sensitive data processing.
- Planning and Compliance: Requiring organizations to handle data proactively in order to comply with data protection regulations from the planning stage.
- Data Security: Emphasizing the importance of safeguarding data against unauthorized access and preventing data leakage.
The data processing guidelines are given in Articles 9 to 13, which cover the lawful processing of sensitive data, codes of conduct, record keeping, data security, and the rights of data subjects.
- Conditions for data processing: Data processing must be lawful and carried out in good faith, and it must be proportionate to the purpose for which the data is processed.
- Appointment of a DPO: Organizations need to appoint a Data Protection Officer to act as an independent advisor on data protection compliance within the company.
- Codes of Conduct and Record Keeping: Article 11 allows associations to propose codes of conduct to protect their members' interests, which are subject to review by the FDPIC. Article 12 mandates record keeping for data processing activities by controllers and processors, with reporting obligations to the FDPIC.
- Evaluation and Certification by independent bodies: Article 13 enables the Federal Council to provide for independent certification of data processing entities to ensure compliance with international standards.
Section 2 of Chapter 2 focuses on data processing by private controllers located abroad. It includes Article 14, which mandates the appointment of a representative in Switzerland for specific processing activities. Article 15 outlines the representative's duties, including maintaining a record of processing activities and serving as a point of contact for the FDPIC and data subjects.
Section 3 of Chapter 2 addresses cross-border data disclosure in Articles 16 to 18. Article 16 sets the conditions for international data transfers. Article 17 lists exceptions that allow data disclosure abroad under specific circumstances. Article 18 clarifies that electronic publication of data for informational purposes does not constitute cross-border disclosure.
Chapter 3: Duties of the Controller and the Processor
This chapter has six articles (Articles 19 to 24), summarized below.
- Article 19 outlines the controller's duty to inform data subjects when data is collected, including the controller's identity, the purpose of processing, and the recipients of the data.
- Article 20 allows exceptions to this duty under legal obligations or prior knowledge, and restricts information to protect overriding interests.
- Article 21 requires informing data subjects about significant automated decisions, with options for human intervention.
- Article 22 introduces the need for a Data Protection Impact Assessment (DPIA) for high-risk processing, outlining risk assessment and mitigation measures.
- Article 23 necessitates consulting the Federal Data Protection and Information Commissioner (FDPIC) on significant residual risks.
- Article 24 outlines breach reporting protocols, requiring notification to the FDPIC and possibly affected subjects, detailing breach specifics and remedial actions.
Chapter 4: Rights of the Data Subject
Chapter 4 outlines data subjects' rights in Articles 25 to 29, covering the right to information, its limitations, specific exemptions for the media, and data portability.
- Article 25 empowers data subjects to obtain detailed information on their personal data's processing.
- Article 26 addresses potential limitations on this right, allowing for refusal or delay under certain conditions, such as protecting third-party interests.
- Article 27 provides a media exemption, allowing journalistic entities to restrict information access to protect sources or editorial confidentiality.
- Article 28 introduces the right to data portability, enabling individuals to receive their data in a standard electronic format and request its transfer to another controller.
- Article 29 specifies conditions under which data portability requests may be restricted, mirroring limitations on the right to information.
Chapter 5: Special Provisions on Data Processing by Private Persons
This chapter comprises three articles (Articles 30 to 32) and sets out guidelines for private persons on personal data processing.
- Article 30 stipulates that data processing must not unlawfully infringe upon the personality rights of data subjects, identifying as violations any processing contrary to the established principles, processing against the data subject's explicit wishes, or unauthorized disclosure of sensitive data (Art. 30, Paras. 1 and 2).
- Article 31 delineates exceptions under which such processing is lawful, such as with the data subject's consent, for overriding interests, or where permitted by law, and specifies scenarios like contractual necessity, journalistic activity, and research, contingent on appropriate privacy protections.
- Article 32 grants data subjects the right to rectify incorrect data, to seek a prohibition on processing or disclosure, and to demand that data be deleted or marked as disputed, offering avenues for asserting their personality rights and ensuring transparency and accountability in data processing.
Chapter 6: Special Provisions on Data Processing by Federal Bodies
Chapter 6 sets forth guidelines for federal bodies on handling personal data, spanning Articles 33 to 42, which cover joint processing responsibilities, the requirement for a legal basis, pilot data processing trials, conditions for data disclosure, and data subjects' rights. Here is a detailed analysis.
- Articles 33 to 35 regulate personal data handling by federal bodies. Article 33 mandates control protocols for joint data processing. Article 34 requires a legal basis for processing, with extra safeguards for sensitive data and operations affecting fundamental rights, allowing some exceptions. Article 35 permits pilot automated data processing trials, ensuring data subjects' rights are protected.
- Article 36 dictates that federal bodies may only disclose personal data based on legal grounds or under specific exceptions such as fulfilling statutory duties, data subject consent, emergencies, public accessibility of data, or legal rights enforcement. Furthermore, disclosure is allowable for public duties or overriding public interests, and basic identification data can be shared more freely. Automated access to personal data is permitted if legally or publicly justified, with a mandate for data deletion when the public interest subsides.
- Articles 37 to 40 set out specific rights and obligations in personal data management. Article 37 allows individuals to object to the disclosure of their data and gives federal bodies criteria for evaluating these objections. Article 38 mandates that federal bodies must either archive or destroy data no longer in regular use, preserving data integrity. Article 39 addresses the processing of data for purposes not related to specific individuals, stressing anonymization and cautious handling. Lastly, Article 40 requires federal bodies acting under private law to adhere to the same data processing standards as private entities.
- Article 41 enables individuals to challenge unlawful data processing by federal bodies, allowing them to request termination, correction, or deletion of data, and to have these actions communicated or published. It permits limited processing in specific cases like disputed accuracy or public interest and requires disputed data to be marked accordingly. Exceptions exist for public archives, where access can be restricted. This process is governed by the Administrative Procedure Act, with some exemptions.
- Article 42 allows data subjects to exercise their rights under Article 41 during proceedings for access to official documents containing their personal data, as per the Freedom of Information Act of 17 December 2004. This provision ensures that individuals can seek to stop unlawful processing, correct, delete, or contest the accuracy of their personal data in the context of access requests to official documents.
Chapter 7: Federal Data Protection and Information Commissioner (FDPIC)
Chapter 7 details the structure, duties, and procedures of the Federal Data Protection and Information Commissioner (FDPIC) across 17 articles (Articles 43 to 59).
- Articles 43 to 48 cover the FDPIC's election, terms of employment, operational independence, budgeting process, incompatible roles, additional occupations, recusal rules, and self-regulation requirements.
- Articles 49 and 50 cover the FDPIC's authority to investigate data protection violations, including the conditions under which minor violations may be disregarded and the scope of its investigative powers.
- Article 51 explains the FDPIC's power to enact administrative measures against violations, such as altering data processing practices, suspending or terminating processing, and insisting on the deletion or destruction of data. This article also allows for halting or restricting data disclosure abroad and demands various compliance measures from the entities under investigation.
- The procedural aspects of investigations and the application of the Administrative Procedure Act are specified in Article 52, while Article 53 emphasizes the importance of coordination between federal authorities on data protection issues. Administrative assistance roles are outlined in Articles 54 and 55.
- Articles 56 to 59 detail the FDPIC’s additional functions, including public reporting, advisory tasks, awareness initiatives, and the authority to levy fees for certain data protection-related services.
Chapter 8: Criminal Provisions
Chapter 8 sets out criminal provisions against violations of data protection regulations, detailing penalties and enforcement mechanisms. Here is an overview.
Information and Cooperation Violations
Articles 60 and 61 set fines up to 250,000 CHF for misinformation, unauthorized data disclosure abroad, and neglecting data security.
Professional Confidentiality and Decision Compliance
Articles 62 and 63 address breaches of professional confidentiality and disregard for FDPIC or court decisions:
- Fines up to 250,000 CHF for disclosing secret data learned through professional practice or training (Art. 62).
- Similar fines for failing to comply with data protection rulings (Art. 63).
Corporate Responsibility and Legal Framework
Articles 65 and 66 provide that corporations may be fined up to 50,000 francs for data violations under the ACLA, with prosecution by the cantons and a five-year statute of limitations for data-related offences, and allow the FDPIC to file complaints.
Chapter 9: Conclusion of International Treaties
In Chapter 9, Article 67 allows the Federal Council to conclude international treaties aimed at international cooperation in data protection and mutual recognition of data privacy standards.
Chapter 10: Final Provisions
Chapter 10 concludes the law: it amends other laws as listed in Annex 1, sets transitional rules for data handling, defines the role of the Data Protection Commissioner under the previous law, references the laws listed in Annex 2, and specifies that the law is subject to referendum with its commencement set by the Federal Council.
Conclusion
Business organizations operating within Switzerland or processing Swiss citizens' data must align with Switzerland's Federal Act on Data Protection (FADP). Specifically, Articles 32, 36, and 41 of the FADP underscore the necessity of wiping data to a standard where recovery is infeasible. In this context, BitRaser data wiping software emerges as an ideal solution for organizations to wipe data completely beyond recovery and stay compliant with the FADP.