The end of the debates
Parliament has been debating for more than three years what the new Swiss data protection law could look like. The original data protection decree had been in force since 1992 and was no longer able to keep up with the technological and social changes in the country. It has now been adapted to the new conditions, with a clear orientation toward the regulations in force across Europe. Above all, the General Data Protection Regulation of the European Union formed the basis for the debates and for the conclusions drawn from them. The GDPR has been in force since 2018.
The modernization of the data protection regulation in Switzerland had become necessary because the exchange of information with international partners should continue to be possible without restrictions and no Swiss company should experience any disadvantages as a result. With the GDPR, the EU created a standard that is now also binding for Swiss companies.
The background to the necessary revision of the regulation was also that it is not always clear whether a company from Switzerland falls within the scope of the European Union's regulation. Two standards had developed: on the one hand the GDPR and on the other hand the Swiss data protection regulation. Legal uncertainties and additional administrative work were the result. At the same time, however, an equivalence of data protection was called for, so that Switzerland and the EU are converging on this level.
Problems and innovations with the data protection regulation
The complete revision of the Data Protection Act turned out to be problematic and it was important to all those involved that primarily intelligent and not just different solutions were found. The special features of the Swiss economy and the companies here had to be taken into account. This should prevent the economy from being burdened more than necessary in the future and at the same time ensure that the Swiss system is on a par with that of the EU.
What is new, for example, is that the scope of the Data Protection Act now relates to the data of people, i.e. natural persons. Before it was only about legal entities. In addition, the new ordinance contains a list of particularly sensitive data as well as possible legal consequences when storing and processing this data. The regulations apply, for example, to:
- Consent to data storage
- Data protection impact assessment
- Passing on the data to third parties
- Credit checks
Data that uniquely identify a person are now considered particularly worthy of protection. There is also a new regulation on profiling, which always applies when a person's data is processed automatically and an assessment of the person concerned and his or her personality is or can be made on the basis of the data. In the case of high-risk profiling, an express declaration of consent must be available from the person concerned. For example, there is a high risk when it comes to checking a person's creditworthiness.
The new data protection regulation requires SMEs to keep a record of data processing. Exceptions apply to companies that employ up to 250 people and that only show a low risk of personal injury when processing the data.
"Privacy by Design" and "Privacy by Default" are established by law.
In the first case, this means that the data protection regulations must be complied with during data processing from the planning stage. The second variant means that the app and website defaults must be such that personal data is only processed to the minimum.
According to the new regulation, everyone has the right to data portability and so people can request the transfer of their own data to other companies. This service should be possible free of charge.
Conclusion: The new data protection law protects natural persons
It was once legal entities that were particularly protected by the data protection act in Switzerland. Due to the need to adapt its own regulations to the requirements of the European Union, it is now the natural persons who have to be protected by SMEs.
Comprehensive protection of people and their data is primarily intended for high-risk data processing. Such is the case with the application for credit and the associated credit check. At the same time, people have the right to request that their data be passed on to other companies. The new regulations will probably not come into force until the end of 2021.