According to the revFADP, a data protection impact assessment (DPIA) must be conducted whenever the intended processing may lead to a high risk for the data subject's personality or fundamental rights; in such a case the controller must complete the DPIA before the processing begins. If the DPIA shows that the processing still results in a high risk despite the safeguards planned, the controller must obtain an opinion from the FDPIC. While the FDPIC's opinions do not have to be published, they fall under the Freedom of Information Act and may therefore partially become public. However, as already mentioned, this consultation may be dispensed with if the organization has appointed a data protection advisor (DPA) and has consulted that advisor instead.
Further, data breaches must now be reported to the FDPIC as the competent supervisory authority. Accordingly, all data breaches should be documented, and each breach should be assessed as to whether it is likely to result in a high risk for data subjects. If that is the case, the controller must report the breach to the FDPIC as soon as possible. The threshold is higher than under the GDPR, which requires notification of any breach likely to result in a risk (not only a high risk) and sets a deadline of 72 hours from becoming aware of it, whereas the revFADP requires notification only for high-risk breaches and without a fixed deadline. In light of the revFADP, it is recommended to update internal data breach incident management policies and procedures so that they cover breach documentation, the risk assessment and the notification decision.
Under the revFADP, profiling is now explicitly regulated. Profiling is defined as any form of automated processing of personal data used to evaluate certain personal aspects relating to a natural person. Where consent is relied on as the basis for the processing, it must be given expressly in the case of high-risk profiling by a private person and in the case of any profiling by a federal body. Data subjects should be informed about (high-risk) profiling in privacy notices in order to ensure transparency. A separate communication or FAQs on a website can further increase trust.
The revFADP provides for fines of up to CHF 250,000 against the responsible private individuals (not the company) for willful acts or omissions violating the act. Breaches of the duty to provide information and violations of professional confidentiality are prosecuted only upon complaint. Failure to comply with the FDPIC's decisions is prosecuted ex officio.
What does the revFADP mean for cross-border data transfers? As under the GDPR, data may only be transferred abroad where an adequate level of data protection is guaranteed. The Swiss Federal Council publishes a periodically reviewed list of countries that guarantee an adequate level of data protection. If a country is not on that list, data may still be transferred if adequate protection is guaranteed by other means, such as standard contractual clauses. Where data is transferred abroad, the privacy notice must name the countries to which it is disclosed and, where applicable, the safeguards relied on. It is also advisable to review data processing agreements with external suppliers to determine whether they reflect the updated requirements.
Privacy efforts remain a top priority on the agenda in 2023: the regulatory landscape is evolving further, and customer expectations are shifting too. As new business models and technologies emerge, we are ready to support you. Just get in touch with us.