A more European Switzerland
The amended Swiss #DPA (Data Protection Act) has key strengthening which should prompt Swiss company to fully adopt the #GDPR. The differences are now mostly editorial and how DPA describes essentially the same rules:
Strengthened individuals' rights: data subjects must be informed about the Controller's identity and contact information; purpose(s) of processing; the identity of third party recipients; and full cross-border disclosure.
Strengthened automated decision making: data subjects must be informed of decisions solely based on automated data processing and have the decision reviewed by a person.
Strengthened data portability: data subjects have the right to receive their own personal data in a commonly used electronic format. This is even more applicable when the data treatment uses automated means and/or it is based on the consent, or when it is in direct connection with the conclusion or performance of a contract.
Strengthened of data treatment records / No more duty to register data files: Controllers and Processors must keep updated records of data processing activities under their respective responsibility. Exemptions are made for companies with less than 250 employees when processing low risk data. Incidentally, this implicitly means that companies need to perform a #DPIA (data protection impact analysis) in order to determine the low risk (see below). This new duty replaces the former one about notifying data files to (and register with) the Federal Data Protection and Information Commissioner ("FDPIC").
Strengthened use of Processors and sub-Processors: Controllers may delegate data processing to a Processor either by agreement or by law. However, a Processor may not engage a sub-Processor without the prior consent of the Controller.
Data Protection Impact Assessment ("DPIA"): Controllers must perform a DPIA whenever a data treatment potentially leads to a high risk to a the concerned data subject, personally or to individuals' fundamental rights (e.g., when dealing with sensitive data or large scale monitoring). The Controller must consult with the FDPIC prior to such processing if the DPIA indicates that indeed the data treatment can still be of a high-risk nature despite security measures, in place, or newly added.
Data breach notification: Data breaches likely to lead to a high risk to persons concerned must be notified to the FDPIC as quickly as possible. Where necessary for the protection of the individual or if requested by the FDPIC, the Controller must also notify the respective individuals.
Swiss representative: Controllers domiciled (or resident) abroad must designate a representative in Switzerland in case of personal data of Swiss persons when: (i) related to the offering of goods or services in Switzerland or monitoring of their behavior; (ii) extensive and takes place on a regular basis; and (iii) likely to result in a high risk to the data subjects' privacy.
No more protection for legal entities: Personal data pertaining to legal entities is no longer covered by the DPA.
Increased Duties of FDPIC: The FDPIC has the competence to issue extensive good practice recommendations and render binding administrative decisions. Companies, associations, etc., may submit Codes of Conduct to the FDPIC for comment and approval.
Strengthened of Fines: Fines for willful misconduct are increased from previously up to CHF 10k to up to CHF 250k for a broader catalogue of offenses. Any such fines however must be pursued in a court of law of competent jurisdiction. Note that a Swiss companies operating with personal data of EU residents are always subject to additional GDPR fines.
So, the amended DPA makes rights of individuals more in line with the GDPR and extends governance and process rules. GDPR compliance mostly covers DPA compliance, with some side rules only specific to Switzerland. The Federal Council (instead of the FDPIC as under the current regime) decides on the jurisdictions providing adequate protection (adequacy decision) for cross-border data sharing. Controllers or Processors exporting data may rely on treaties, contractual clauses notified to the FDPIC in advance or pre-approved standard contractual clauses or binding corporate rules. The Swiss-US Privacy Shield may no longer be relied upon for a transfer of personal data to the United States.
In short, Swiss companies should start now their GPDR (essentially) compliance projects without undue delay and hire truly experienced DPOs.