New data protection legislation in Switzerland: what do foundations need to bear in mind?

The latest data protection legislation will come into force in Switzerland on 1 September 2023. The new Federal Act on Data Protection (FADP) is intended to bolster data protection. Foundations’ activities always involve the processing of personal data – and consequently every foundation needs to get to grips with the new FADP.

The new data protection law is nothing revolutionary: it does not ban anything that is not banned already. The new FADP is not a copy of the European General Data Protection Regulation (GDPR), either – and irritating cookie banners are still not required in Switzerland.

Thanks to new incentives, data protection in Switzerland now has some force to it. Data protection breaches can be punished with personal fines of up to CHF 250,000, and the Federal Data Protection and Information Commissioner will be able to intervene directly in future.

Foundations are offered a particular incentive for compliance with data protection: trust. Those that neglect data protection risk serious reputational damage in the event of a data breach.

Data inventory: what data is processed – why, where and for what?

To start with, you always need to know what data is being processed, about whom, for what purpose, with what means and in which countries. As a rule of thumb, all data is personal data and any handling of personal data is processing.

This knowledge is recorded in a data inventory. Most foundations are not obliged to compile a record of their processing activities. The important thing is that a data inventory is available, no matter whether it is drawn up in an Excel table, a mind map or an online tool.

Outsourcing: are contract processing and data export protected?

Foundations do not process all their data themselves. Instead, they use third-party services for email communications, marketing activities, recruitment and website hosting – many of which are cloud services. The data inventory shows which outsourcing services are used for which pieces of data.

Each instance of outsourcing must be contractually protected with a data processing agreement. Established providers give their clients a contract of this nature by default.

Data is exported when overseas services are used. As the level of data protection in most countries outside the European Economic Area (EEA) is insufficient, the exported data needs to be protected in additional ways. Furthermore, a risk assessment is required. This affects the US, first and foremost – and, by extension, almost all well-known cloud services.

This additional protection can be provided by means of the European Commission’s standard contractual clauses (SCC). Established providers supply these clauses by default and take Switzerland into account, too. The freely available Excel-based method developed by David Rosenthal has become an established risk assessment approach in Switzerland. Whether this is sufficient protection is subject to debate, but there is often simply no way of avoiding US services.

Transparency: is your data protection policy complete and up to date?

The new data protection legislation introduces a general information obligation: data subjects must have the opportunity to find out how a foundation processes their data and what rights they have in this respect.

The simplest way to fulfil this obligation is to publish an overarching data protection policy on your website. This policy should be kept complete and up to date. Data protection policy generators can be a useful tool for this. Information must be provided on various topics, including data export and the rights held by data subjects, such as the right of access. Transparency generates trust.

Data subjects: when are enquiries processed in a timely fashion?

When data subjects get in touch, foundations should identify and process their enquiries promptly. Often, this relates to providing information within an initial period of 30 days.

In day-to-day practice, careful checks must be undertaken to ascertain whether information can be provided to the person requesting it, and if so, to what extent. Data subjects never have absolute rights, such as a right to the immediate erasure of all data.

Data security: do technical and organisational measures pay off?

When a data breach occurs, nobody is interested in your data processing agreement or your data protection policy. As a result, you should safeguard data security at all times by implementing suitable technical and organisational measures (TOMs).

Typical examples of such measures include regular data back-ups, effective password protection, access logs and the encryption of notebooks. Generally speaking, TOMs are already in place – but have not been documented.

New data protection legislation: can it be put into practice successfully?

All foundations must comply with the new data protection legislation. Data protection is not a one-off task; it is a process. You should put it into practice with a pragmatic eye and focus on the risks. If you take data protection seriously and turn your focus to this issue on a regular basis, you will have nothing to fear when it comes to Switzerland’s new data protection legislation.