Data privacy and security is a global issue that is continually evolving to meet the current demands of citizens. As such, revisions are always being made to regulations and laws to modernize them so that they are effective in the present day. Switzerland has done exactly that with the Swiss Data Protection Act, the "Datenschutzgesetz" (DSG), which was first introduced in 1992. The revised DSG was passed on 25 September 2020 and will come into effect on 1 September 2023 with some new provisions that fundamentally aim to protect individuals’ privacy and rights while their data is being processed.
With the European General Data Protection Regulation (GDPR) still seen as the benchmark in data privacy and protection, there are now some noteworthy similarities between the DSG and GDPR. The main changes in the revised DSG are governance obligations, for instance the requirement to maintain records of any data processing activities. Companies will now be obligated to report data losses as well as any data security breaches to the Federal Data Protection and Information Commissioner (FDPIC), and they must carry out regular data protection impact assessments (DPIA). These three new requirements are all similar to the corresponding provisions under GDPR. Therefore, if companies are already compliant with the associated GDPR provisions, they won’t have too many other obligations to worry about to reach DSG compliance.
On top of these, the DSG will include the “right to be forgotten”, which is akin to a provision in the GDPR, stating that data may only be processed while it is necessary. Nevertheless, in DSG this provision is not absolute. Additionally, DSG now encompasses the “right to data portability” which was, in fact, copied from GDPR and enables consumers to request and obtain their data being stored with online service providers, and transfer it between competitors.
The basic principles of data processing have not changed; however, the personal data of legal entities is no longer protected under DSG. Credit agencies are now required to delete any data after ten years if individual data subjects demand it. ‘Privacy by Design’ is now explicitly included within the new law, while ‘Privacy by Default’ has also been added. Additionally, companies are advised to appoint a data protection advisor (the equivalent to the GDPR data protection officer), although this is not an obligation under the provision. Even so, companies will struggle to implement adequate data protection unless they have a specific individual who is responsible for data privacy. Besides this, foreign organizations that regularly work in Switzerland must appoint a Swiss representative who will be able to regulate these activities.
Along with this, data subjects have more rights under DSG, although these are somewhat more specific. For instance, it is less complicated for them to request their own data from a company, but it is possible for companies to reject abusive access requests. And finally, companies must have a data protection declaration in which they list certain information with regard to the personal data they collect and store. This should be found on the company’s website.
As the value of data increases, it becomes more important to not only secure it properly, but also ensure that regulatory compliance is being met. Processing data legally and with individuals’ privacy rights in mind is necessary in this digital age and cannot be disregarded.