The revision of the Data Protection Act introduces new requirements for companies.
The main requirements are as follows:
- The definition of “sensitive personal data” has been expanded to include genetic and biometric data. However, this definition differs from the one used by the European Union’s General Data Protection Regulation (GDPR).
- The revision explicitly requires the destruction or anonymisation of data that is no longer necessary.
- The revision enshrines the principles of data protection “by design” and “by default”.
- The duty to provide information when collecting data. This includes adopting a privacy policy and disclosing at least the following information: the identity and contact details of the data controller, the purpose of the processing, the recipients or categories of recipients, and the states to which the data is being sent and the applicable protection guarantees.
- The ability – rather than obligation – to appoint a Data Protection Officer (DPO) whose role is to provide training and advice on the application of data protection rules and ensure their application.
- The introduction of inventories of processing activities, which is mandatory in the event that the company undertakes risky processing activities or if it has more than 250 employees.
- The introduction of a mandatory impact assessment in high-risk cases.
- The introduction of an obligation to report data security breaches in high-risk cases.
- The increase in criminal sanctions with fines of up to CHF 250,000 for individuals (and CHF 50,000 for companies).
Meanwhile, the following items have been taken out of the law:
- Protection of the data of legal persons – the nFADP applies only to natural persons.
- the obligation to declare files to the Federal Data Protection and Information Commissioner (FDPIC).
