New data protection legislation in Switzerland: what do foundations need to bear in mind?
The latest data protection legislation will come into force in Switzerland on 1 September 2023. The new Federal Act on Data Protection (FADP) is intended to bolster data protection. Foundations’ activities always involve the processing of personal data – and consequently every foundation needs to get to grips with the new FADP.
The new data protection law is nothing revolutionary: it does not ban anything that is not banned already. The new FADP is not a copy of the European General Data Protection Regulation (GDPR), either – and irritating cookie banners are still not required in Switzerland.
Thanks to new incentives, data protection in Switzerland now has some force to it. Data protection breaches can be punished with personal fines of up to CHF 250,000 and the Federal Data Protection and Information Commissioner will be able to intervene directly in future.
Foundations are offered a particular incentive for compliance with data protection: trust. Those that neglect data protection risk serious reputational damage in the event of a data breach.
Data inventory: what data is processed – why, where and for what?
To start with, you always need to know what data is being processed, about whom, for what purpose, with what means and in which countries. As a rule of thumb, all data is personal data and any handling of personal data is processing.
This knowledge is recorded in a data inventory. Most foundations are not obliged to compile a record of their processing activities. The important thing is that a data inventory is available, no matter whether this is drawn up in an Excel table, mind map or online tool.
Outsourcing: are contract processing and data export protected?
Foundations do not process all their data themselves. Instead, they use third-party services for email communications, marketing activities, recruitment and website hosting – many of which are cloud services. The data inventory shows which outsourcing services are used for which pieces of data.
Each instance of outsourcing must be contractually protected with a data processing agreement. Established providers give their clients a contract of this nature by default.
Data is exported whenever services based abroad are used. As the level of data protection in most countries outside the European Economic Area (EEA) is insufficient, the exported data needs to be protected in additional ways. Furthermore, a risk assessment is required. This affects the US, first and foremost – and, by extension, almost all well-known cloud services.
This additional protection can be provided by means of the European Commission’s standard contractual clauses (SCC). Established providers supply these clauses by default and take Switzerland into account, too. The freely available Excel-based method developed by David Rosenthal has become an established risk assessment approach in Switzerland. Whether this is sufficient protection is subject to debate, but there is often simply no way of avoiding US services.
Transparency: is your data protection policy complete and up to date?
The new data protection legislation introduces a general information obligation: data subjects must have the opportunity to find out how a foundation processes their data and their rights in this respect.
The simplest way to fulfil this obligation is to publish an overarching data protection policy on your website. This policy should be kept complete and up to date. Data protection policy generators can be a useful tool for this. Information must be provided on various topics, including data export and the rights held by data subjects, such as the right of access. Transparency generates trust.
Data subjects: when are enquiries processed in a timely fashion?
When data subjects get in touch, foundations should identify and process their enquiries promptly. Often, this relates to providing information within an initial period of 30 days.
In day-to-day practice, careful checks must be undertaken to ascertain whether information can be provided to the person requesting it, and if so, to what extent. Data subjects never have absolute rights, such as the right to the immediate erasure of all data.
Data security: do technical and organisational measures pay off?
When a data breach occurs, nobody is interested in your data processing agreement or your data protection policy. As a result, you should safeguard data security at all times by implementing suitable technical and organisational measures (TOMs).
Typical examples of such measures include regular data back-ups, effective password protection, access logs and the encryption of laptops (notebooks). Generally speaking, TOMs are already in place – but have not been documented.
New data protection legislation: can it be put into practice successfully?
All foundations must comply with the new data protection legislation. Data protection is not a one-off task; it’s a process. You should put it into practice with a pragmatic eye and focus on the risks. If you take data protection seriously and turn your focus to this issue on a regular basis, you will have nothing to fear when it comes to Switzerland’s new data protection legislation.