Background.
Information technologies are changing our lives, driving megatrends and turning the world as we know it upside down. Our everyday lives are increasingly shaped by the spread of connectivity and the shift of a wide variety of activities to the internet or social networks. It is therefore all the less surprising that data is considered the new gold - data of the kind we use, generate, share, disclose or supposedly destroy by the thousands every day. On the one hand, this data-centricity is associated with many advantages, but on the other hand it poses a great challenge to the personal rights and privacy of us humans. This trend takes on particular significance when data becomes the central element of business models and the value creation of companies.
In a fast-moving world in which groundbreaking innovations regularly dominate the front pages of the media, legislators usually have a hard time passing up-to-date and effective regulations. The revised Data Protection Act (revDSG) of Switzerland had a similar fate, although the need for it is widely accepted in the Swiss political landscape. During a long consultation process, it was passed by parliament on 25 September 2020. After another three years of patience and multiple postponements, the law will enter into force on 1 September 2023.
With the new law, Switzerland wants to "adapt data protection to the changed technological and social conditions" and at the same time catch up with the European standard, the General Data Protection Regulation (EU GDPR). The revDSG therefore entails significant changes, as the following examples show.
Restriction to data of natural persons and strengthening of their rights.
The Data Protection Act now only regulates the handling of data of natural persons, i.e. data of individuals - no longer the data of legal entities. In addition, the law guarantees individuals stronger rights. These include the right to data disclosure (information), data transfer, correction, revocation or deletion.
Information obligations.
Under the revised Data Protection Act, companies are now obliged to provide prior information on the use of personal data (e.g. by stating the purpose of the processing) each time they obtain such data - no longer just data that is worthy of protection.
Directory of processing activities.
According to Art. 12 of the revised Data Protection Act, companies in Switzerland must now have a register of processing activities and thus create a kind of inventory of all processing activities of personal data that exist in the respective company. Exceptions are planned for SMEs with fewer than 250 employees and a low risk of personal data being violated. "Processing" refers to all activities involving personal data, such as viewing, copying, archiving and sending.
Further amendments.
The changes mentioned are not exhaustive. An overview can be found on the federal SME portal.
Understandably, companies do not welcome these changes unreservedly. In many places they mean uncertainties and challenges that can only be overcome at great expense. A structured approach, and a few tips that I would like to share with you, will help you produce the deliverables required by law despite the complexity of application landscapes and IT architectures.
1. Get an overview.
The internet offers many valuable and free resources to help you get an overview. Use reliable sources such as the website of the Federal Data Protection and Information Commissioner (FDPIC) or articles from reputable law firms. Get an overview of all the data protection requirements you will face and define measures to meet them. Wherever possible, use your existing processes as a guide.
2. Draw up a list of your processing activities.
Every beginning is difficult and often involves a lot of effort. However, the directory of processing activities is a good place to start. It can help you to get an overview of the processes in your company that are relevant to data protection. It is therefore worthwhile to sit down at an early stage with the relevant stakeholders in your company and work out the required information in accordance with Art. 12 of the revDSG. Bechtle Schweiz AG has designed a service to help you understand the new data protection law, define measures and, for example, draw up a processing directory.
3. Start where you need to start.
With the directory of processing activities, you have gained an overview of the personal data in your company. Now you know which personal data you process, for which purpose and from which persons. You have thus created the optimal prerequisite for fulfilling your information obligations, carrying out a risk and consequence assessment, defining the basis for data processing in the company (data protection concept) and concluding agreements with commissioned processors.
Conclusion.
There are still a few months left before the revised Data Protection Act comes into force and there is a lot to do. We recommend that you promptly obtain an overview and implement the requirements of the revDSG in your company. We would be happy to support and accompany you in this process.
I am very happy to be personally available to you for this purpose.
*Our data protection experts have many years of experience in all aspects of data protection. If you have more in-depth legal questions, we will be happy to refer you to specialised lawyers with whom we work closely.