LPD

Osatech is dedicated to helping its clients comply with Swiss data protection regulations as well as with European law, the GDPR.

DPA - Federal Law on Data Protection

The recent introduction of the new Federal Data Protection Act (DPA) in Switzerland has placed a new emphasis on data management practices for companies.
This law, adopted in 2020 and scheduled to take effect in September 2023, introduces a number of significant changes in the way organizations must handle and protect data.

The DPA aims to strengthen the protection of personal data and the privacy of individuals by requiring companies to take strict measures to ensure security and transparency in data processing.
Among its main pillars is the strengthening of users’ consent and the right to self-determination regarding the management of their personal data.

IT changes to be made

Companies must implement major structural and organizational adjustments to comply with the DPA and avoid significant penalties and fines.
It is critical that companies start preparing early, as there is no transition period and penalties for noncompliance can be severe.

At Osatech, we understand the importance of assisting companies in complying with the DPA.
Our team of certified consultants is ready to offer advice and support to help companies understand the requirements of the law and take the necessary steps for compliance.

Since the GDPR regulations came into effect, we have been committed to helping our clients navigate the complex landscape of data protection and digital privacy.
We offer DPA consulting, internal process review, staff training, and implementation of technology solutions to ensure regulatory compliance.

As a trusted partner, we ensure that companies are prepared to meet the challenges posed by the new Federal Data Protection Act in Switzerland.
Please feel free to contact us for more information and assistance on DPA compliance.
We are here to help you protect your data and adopt secure and transparent data management practices.

Insights into the Data Protection Act

The new Data Protection Act will come into effect in September 2023. Since there is no transition period, companies need to put the necessary tools in place now to adapt to it, conceptually as well as in terms of human resources and technology.
The importance and relevance of the DPA arise from the fact that more and more data are being processed and used.
Many international organizations have tightened their data standards accordingly, starting with the EU and its GDPR.
This has created a new international standard to which Switzerland, despite being a third country, has been forced to align.
The GDPR in fact has an extraterritorial scope, so any Swiss company that processes and uses data of people residing in EU countries must comply with it. Moreover, the same regulation states that EU nations may only transfer data to nations deemed safe in their processing of it; hence the need for Switzerland, which has important business relations with the EU, to update its legislation.
The DPA provides a solution equivalent and complementary to the GDPR, although it diverges from it on some points, with some rules that are stricter and others that are less so.

The DPA will take the place of the current, now obsolete 1992 law, adapting it to the changed technological and social environment (cloud computing, big data, social networks, the Internet of Things).
Its main purpose is to allow the individual's self-determination regarding the processing and use of his or her data, and also to regulate profiling, i.e., the automated processing of data to evaluate certain personal aspects of a person, such as economic situation, health status, interests, behavior and location.
This has been necessitated by digitization, which has increased the amount of data that is exchanged and that comes into the possession of companies, and made its handling more complex.

The law applies to all situations that have effect in Switzerland, even if they occur abroad, and every type of company, from SMEs to larger ones, must comply with it by the time it comes into effect.

The DPA concerns the processing of data of natural and legal persons by private persons and federal bodies.
The main consequence is the requirement for the data subjects' consent when it comes to data worthy of special protection, high-risk profiling, or processing carried out by a federal body. In the event of a data security breach, including accidental ones, there will be an obligation to notify.

Data subjects will therefore be able to have information on how their data is collected and used.

In contrast to the previous law, private persons are made liable.
Private individuals can be punished with fines of up to CHF 250,000; companies can be punished with a fine of up to CHF 50,000 if identifying the punishable persons would entail a disproportionate burden and if a maximum fine of CHF 50,000 would be imposed on those persons. The intent is to hold individuals, such as board members and managers, accountable.

Foreign companies that are not based in Switzerland but process data of people residing here are obliged under the new law to designate a representative in our country.
For those based in Switzerland, it will be mandatory to disclose to which third countries data is transferred, and it is necessary to make sure that those countries process it securely in accordance with the regulations (with special attention to the encryption of emails that contain personal data).

Compared to the previous legislation, the DPA narrows the scope of protected data in one sense, because it aims to protect the data of natural persons and no longer, as before, that of legal persons; in another sense it broadens it, because it also covers genetic and biometric data.

Companies' information obligations increase, however: they will have to inform data subjects adequately about any data collection (specifying the identity and contact details of the data controller, the purpose of the processing, the recipients or categories of recipients, and the recipient country in the case of exporting data abroad, whereas under the previous law the obligation covered only data worthy of special protection), and keep a record of the prescribed information (but not necessarily of every collection; entities with fewer than 250 employees whose use of the data does not entail a high risk of violating the regulations are exempt).

What is new is profiling, i.e., the automated processing of data to assess certain personal aspects of an individual, such as economic situation, health status, interests, behavior, whereabouts, etc.: companies will only be required to seek consent if the risk is high, just as they will have to conduct a documented data protection impact assessment if a data processing operation involves a high risk to the personality or fundamental rights of data subjects.

In the event of a data security breach, even an accidental one, a report must be made to the FDPIC.

Finally, companies will have to pay attention to privacy by design and privacy by default, which also means making IT efforts not to use applications that, for example, obtain by their default settings the data subjects' consent to data processing beyond what is strictly necessary.
This is an area where we at OsaTech can undoubtedly help our clients find the solutions that best suit their needs while complying with the law.

It will also be mandatory to conduct an impact analysis related to the protection of personal data when their processing presents a high risk.

The Swiss law also serves to adapt the legislation and thus bring our country in line with the security standards required by the EU.
In fact, the EU allows data transfers only to countries it deems safe in terms of data protection.
The DPA on the whole is less formalistic than the GDPR, but in some cases it is even stricter (for example, in its scope of application, in the duty to inform when processing data, and in the definitions of sensitive data).
The European Data Protection Regulation (GDPR), which came into force in 2018, provides for the introduction in companies and public administrations of a professional figure in charge of supervising the proper management of data (the DPO, or Data Protection Officer); it obliges them to process data "by design" and "by default," to carry out a Data Protection Impact Assessment (DPIA) for high-risk data processing, and to comply with "data breach" rules, i.e., reporting any data leak or compromise to the supervisory authority (the Guarantor) and to the data subject.
It also provides for increased penalties for breaches and for the pseudonymization and encryption of data. All Swiss companies dealing with the EU (both customers and suppliers, think of those selling online through e-commerce sites) had to comply, while only those operating exclusively in Switzerland were exempt.

The main difference between the DPA (LPD) and the GDPR is that the former punishes individuals (with fines of up to 250,000 francs), holding corporate executives accountable, while the latter provides fines for legal entities in case of violation, up to 20 million euros or 4 percent of annual worldwide turnover.

The DPA does not require the appointment of a responsible person (DPO), while the GDPR does.
If one is appointed under the Swiss standard, in some cases the company is exempted from the obligation of prior consultation of the Federal Commissioner in the presence of high-risk processing. The advisor, if appointed, becomes the point of contact for data protection issues for employees, clients (in exercising their rights as data subjects) and authorities.

Given that there is no transition period and that adaptation presupposes a restructuring of the very concept of data protection, companies should immediately begin to comply with the DPA's requirements, working from the perspective of cybersecurity, legal aspects, and data management proper.
We at OsaTech are available for suggestions and advice on the rules to be adapted in terms of digital privacy and internal processes, and we are also developing partnerships with law firms so that combined packages can be offered. We also advise you on software and management systems that will comply with the regulations and help you manage your data and meet your obligations.
In particular, those who process a large volume of personal data, such as companies specializing in online sales or import/export, as well as companies that handle particularly sensitive personal data, such as personal data relating to political opinions, religion, health, genetic data, racial origin, social aid, criminal prosecution, profiling, etc., will have to work expeditiously to comply.
Adaptation comes through a comprehensive review of the situation, a risk assessment, raising the awareness of employees and collaborators, increasing transparency in data processing, special attention to IT security, precise and detailed internal organization and procedures, the compilation of a register of processing activities, and, if necessary, the review of contracts with employees, collaborators and suppliers, as well as of the website data protection declaration and of advertising and contractual documents.

The first steps necessarily start from knowing what data is being collected and processed by each individual company, which must therefore map, with the help of software tools, what data is being processed, who is handling it, how, where, for what purposes, who is receiving it, and on the basis of what legal justification the processing is taking place (law, consent, or overriding public or private interest).

From this point on, data must be processed, if it is not already, according to principles such as security, proportionality, fairness, and privacy by design and by default.
It is also important to find and stop any unlawful processing while it is being brought into compliance or, if that is not possible, to destroy the data (which in any case should be deleted or anonymized when no longer needed).
It is incumbent on companies to have a team and rules in place for the effective and timely handling of "data breaches" (security breaches), as well as for handling requests from data subjects such as rectification of data, blocking of processing, withdrawal of consent, data access, portability, etc.

After deciding whether or not to appoint a DPO (who may be internal or external), all relevant employees must be trained in data processing, and an organizational chart created that clearly indicates each person's role and responsibilities. Each person must be aware of data protection risks, rights, obligations and related responsibilities in order to create internal processes able to fulfill what the law requires.
The data controller and the processor must each keep a record of their activities, identifying all processes that involve personal data.

The company must inform all stakeholders, from employees to customers, of how the data they have surrendered are processed and used, and adapt consent-gathering systems to the new regulations.

It is also necessary to conduct a data protection impact assessment, using a software tool.

Information security measures aimed at preventing events such as cyber attacks, theft or data loss should be strengthened.
