We are all anticipating the new Swiss Data Protection Act (revDPA) to come into force on September 1, 2023. It’s a great step towards aligning the EU and Swiss legislation in the data protection sphere. Nevertheless, the regulations are not twins and differ significantly in certain respects.
Let's start by looking at what the GDPR and the revDPA have in common.
- The definition of personal data basically coincides in both acts, and only data relating to natural persons are covered by them.
- A company must inform a user about the processing of their data in a privacy statement, and process data after obtaining the explicit consent of the user (but the conditions under the GDPR are much stricter).
- Analogous to the right to access data under the GDPR, the revDPA gives a user the right to request that the company provide, within 30 days after the request, access to the user’s personal information which the company is processing. The revDPA’s right to object incorporates the rights of objection, erasure and restriction that limit data processing under the GDPR.
- A company must maintain a record of processing activities, which must also list the countries and third parties to which user data is disclosed.
- Both acts oblige a company to implement appropriate technical and organisational measures to ensure an adequate level of data security.
- User data should be transferred to countries with an adequate level of data protection (however, data can still be transferred if sufficient safeguards have been put in place to compensate for the gap in data protection).
- Data controllers and processors are required to report data breaches (although the Swiss act doesn’t state a specific deadline, using the formulation “as soon as possible”).
As we can see, the general points are quite close. And the good news is that if your company is already processing data of users from the European Union, it already has to comply with the GDPR. In this case, your IT system does not need large-scale improvements.
However, there are also significant differences in the laws, including:
- The GDPR enumerates 9 types of sensitive personal data, and the revDPA adds 2 more: data on administrative or criminal proceedings and sanctions, and data relating to social security measures.
- The revDPA is based on the principle that a private person can process personal data, while the GDPR gives this right to a private person only if there is a special justification.
- As a result of the above-mentioned principle, fines under the revDPA are aimed at natural persons (not companies, as in the GDPR) and have an upper bar of CHF 250,000. If it is not possible to identify the person responsible, the company can be fined up to CHF 50,000. The validity of this approach is yet to be assessed once the act comes into force.
- The territorial scopes of the acts differ, with the Swiss one being broader and referring to the "effects doctrine", which, in short, means that the act covers a data processing operation that has an impact in Switzerland, regardless of where it took place.
- The GDPR requires justification for the processing of any personal data and obliges a controller to obtain the user’s consent, while the revDPA requires informed and explicit user consent for the processing of sensitive data and profiling.
- The revDPA doesn’t state the obligation to appoint a data protection officer; this position is voluntary and is called a “data protection advisor”.
- Finally, the GDPR is a supranational regulation implemented across the EU, with independent public authorities responsible for monitoring its application in each member state. The revDPA is a federal law that obliges the federal authorities and private sector companies, but not the cantonal authorities. However, cooperation between the federal and cantonal data protection authorities is well-established and efficient.
Obviously, the differences are noticeable. Despite the fact that the GDPR served as the basis for the revDPA, the differences between the Swiss and European systems made the implementation of many points unique. We will certainly see a turbulent period after the law comes into force, after which we will be able to assess its pros and cons.
Our company is committed to complying with the best data protection legislation in its activities and products, and already has extensive experience of implementing these practices in its own environment, as well as helping other companies to assess and reconfigure their IT systems in accordance with the law.
Feel free to contact us for advice on IT and data protection issues through the form on the website. Our experts will be happy to help you.