Privacy and security are long-standing Swiss values, dating back more than a century, and Swiss privacy laws are more protective of individual privacy than those almost anywhere else.
Privacy and data security are given prime consideration in Switzerland, and this article will take a look at the Swiss data protection laws for 2021.
Which laws govern data processing in Switzerland?
Security depends on more than just the technologies used; it also depends on where the servers storing the data are hosted. Robust technology defends enterprise data from cyber threats, and strict federal laws and regulations add another layer of protection.
Swiss privacy law supports Switzerland’s data protection methods. Because of this, Switzerland has grown in popularity as a destination for companies who want to keep their data private and secure.
Switzerland privacy laws – overview
Personal data processing in Switzerland is governed by two separate data protection laws: Article 13 of the Swiss Federal Constitution and the Federal Act on Data Protection (revDPA). Each of these laws is discussed below to see how it affects you, the user, when dealing with a Swiss company.
To begin with, let’s look at the law of the land itself – Switzerland’s Constitution. The Swiss Constitution contains data processing provisions, one of the very few constitutions in the world to do so. Article 13 protects Swiss citizens with regard to online communications, email, and the processing of personal data. Among the protections:
- Every individual is entitled to privacy in their private and family life, at home, in their correspondence and in activities related to their home.
- Data protection refers to protecting people from the misuse of their personal information.
The Swiss Constitution requires that all companies that could process data expressly request permission from the individuals they are serving. There is one condition, however: Swiss law only applies to Swiss residents, so people who do not reside in Switzerland are not protected by it.
Swiss Data Protection Act (revDPA)
The Swiss Federal Data Protection and Information Commissioner (FDPIC) published its Position Paper on the revised Swiss Data Protection Act (revDPA) on March 5, 2021.
Many of the duties under the EU General Data Protection Regulation (GDPR) will be incorporated into Swiss law by the revDPA, although sometimes with a Swiss twist.
Switzerland’s data protection law extends beyond its borders as well. Swiss data subjects are guaranteed a right to privacy, but the scope of its protection goes beyond the constitution itself. This law protects Swiss citizens from foreign companies misusing their personal information, while also preventing Swiss companies from mishandling their customers’ information.
Because the revDPA is grounded in the constitutional right to data protection, any data subject who interacts with a Swiss company must authorize the processing of their own personal information. No matter where you are from, you can be assured that your data will be protected under the revDPA, which, unlike Article 13 of the Swiss Constitution, is extraterritorial.
The revDPA has recently been updated in line with the EU’s GDPR and adopts most of its principles. Once approved by legislators, the overhauled law should be implemented in 2021 or early 2022.
Is GDPR applicable for Switzerland?
Since Switzerland is not a member of the EU or EEA, the reform of European data protection law does not affect Swiss businesses directly. However, the GDPR still applies to Swiss companies that conduct business with a group entity based in the EU or that are themselves based there; such companies are governed by the EU’s new data protection regime.
A few significant new requirements are obligatory in this context, such as:
- 72-hour notice for data breaches
- Requirements for data protection officers
- Sanctions reaching 4% of a company’s total worldwide revenue or up to 20 million EUR
- Consent that is unambiguous and explicit
Data privacy is a fundamental right of European residents that is protected by the GDPR, which is the main European data protection law. Its reach, like the revDPA, exceeds the boundaries of Europe.
GDPR must be observed by all controllers and processors of personal data operating in the EU, including those intending to provide services to EU citizens in non-EU countries. Most online businesses have no choice but to amend their data protection processes to comply with EU data protection laws, or they will lose their access to the European market.
It is still illegal to transfer personal data about a customer without the customer’s consent, even if the business follows an opt-in policy for handling personal data. Moreover, when a company suffers a data breach, it is required to notify all of the affected data subjects.
One of the biggest differences between the revDPA and the GDPR is the revDPA’s sanction regime. Private persons (not the company) may face criminal sanctions in the form of fines of up to CHF 250,000 if they intentionally violate the revDPA (Article 54).
Where the responsible private individual within the company is identified, the fine may reach CHF 50,000 but cannot exceed this amount. Unlike under the GDPR, fines are not imposed by the FDPIC.
Instead, the cantonal authorities are in charge of these prosecutions. They can be notified of any non-compliance with the revDPA that calls for a sanction. How fines are applied in practice will depend on how these authorities work together.
Swiss federal act on data protection – FAQ
Specifically, are there any special privacy laws that apply to certain sectors (banking, insurance, telecommunications, healthcare, advertising) or to certain data types (e.g. biometrics)?
Data concerning the health of individuals is treated differently under the revDPA as it is considered sensitive personal data. In some cases, additional provisions to the revDPA, such as the Federal Act on DNA Profiling and the Ordinance on Biometric Identification Data Processing, may apply to biometric data.
Bank-client confidentiality is provided for in Swiss banking secrecy rules, which protect private financial data and any other information (including personal evaluation results) that can be linked to an individual bank client. The confidentiality of bank clients therefore extends beyond the data protection law.
The Federal Act on Financial Services (FinSA) also requires financial service providers to retain and process data according to certain standards. Both FinSA and the Financial Institutions Act (FinIA) were drafted to align closely with the EU’s second Markets in Financial Instruments Directive (MiFID II), incorporating similar, although not completely identical, provisions.
In addition, Article 321 of the Swiss Criminal Code imposes an obligation of professional secrecy covering patient and client data held by doctors and lawyers, which affects the processing of such data.
Regulations regarding the storage and processing of data are specific to the telecommunications industry. Additionally, Swiss labor law provides special provisions regarding the processing of employee data.
Which bodies are responsible for enforcing data privacy laws and to what extent do they have authority?
A federal agency, the Federal Data Protection and Information Commissioner (FDPIC), supervises federal and private organizations and advises them on privacy and data security issues. Among its duties is to publish the Register for Data Files.
The FDPIC can act as a mediator in conflicts between private parties or between private persons and federal bodies. It comments on federal legislative drafts that could affect data privacy and can also draft its own legislation. It also cooperates with Swiss and foreign data protection authorities.
As part of its responsibilities, the FDPIC can investigate facts on its own initiative as well as at the request of third parties. Once it finishes these investigations, it can issue recommendations. The FDPIC, however, lacks the authority to enforce the law itself, and in particular cannot impose sanctions.
What entities are covered by the data privacy regime?
The Federal Act on Data Protection (revDPA) protects data pertaining to natural persons and legal persons that is processed by private persons (individuals and legal entities) and federal bodies. The data protection law therefore applies to all types of companies.
Are there any exemptions from the data privacy regime?
The revDPA does not apply to:
- An individual’s personal information that is solely used for their own purposes and is not released to others;
- Federal Assembly meetings and parliamentary committee hearings;
- The process of civil and criminal proceedings, the process of international mutual assistance, and the process of administrative law and constitutional law, with the exception of first-instance administrative proceedings;
- Registries governed by private law; and
- Personal data processed by the International Committee of the Red Cross.
Do data privacy rules apply extraterritorially?
In general, Switzerland’s data protection legislation applies territorially, i.e. to situations that take place in Switzerland. The place where the data processing occurs is therefore the main factor in determining the law’s geographic scope.
Extraterritorial application may arise, for example, when an outsourcing project is handled by a foreign company. In addition, under the effects principle, Swiss law applies when circumstances abroad have an effect on Switzerland, for example through websites through which business is conducted in Switzerland.
How are data transfers abroad governed? Are there any restrictions? Do they vary by destination?
As provided for in Article 6 of the Federal Act on Data Protection (revDPA), personal data may not be disclosed abroad if doing so would seriously endanger the privacy of the data subject, in particular where adequate protection is lacking in the destination country. The data subject’s privacy must therefore be safeguarded either by adequate protection in the country of destination or by other means, such as:
- Contractual clauses;
- Data subject consent;
- A set of binding rules governing the transfer of data among a group of companies.
Transfers abroad also include access from abroad to data that remains in the country of origin. The Federal Data Protection and Information Commissioner maintains a publicly accessible list of countries that provide adequate data protection. All European countries governed by the General Data Protection Regulation are considered to guarantee data protection equivalent to or superior to that offered by the United States, so the transfer of personal data to EU countries is not problematic.
In terms of data security, what obligations do data controllers and processors have?
Article 7(1) of the Federal Act on Data Protection (revDPA) requires that technical and organizational measures be taken to protect personal data against unauthorized processing.
A further provision of the Act sets out detailed data security requirements: anyone processing personal data or operating data communication networks must guarantee the confidentiality, availability and integrity of the data. The overall level of protection must be appropriate to the data processed and includes controlling risks such as:
- The accidental or unauthorized destruction of documents;
- Loss due to accident;
- Faults in the technology;
- Theft, forgery, or unlawful use;
- Unauthorized modifications, copies, accesses, or other usage.
Data controllers themselves are subject to even more extensive obligations. Automated personal data processing requires controllers to take the necessary technical and organizational measures for attaining the following goals, in particular:
- Entrance control: unauthorized persons must not be able to access facilities in which personal data is processed.
- Data carrier control: unauthorized persons must not be able to read, copy, alter or remove personal data carriers.
- Transport control: the transmission of personal data, as well as the transport of data carriers, must be protected against unauthorized reading, copying, alteration and deletion of data.
- Disclosure control: the recipients to whom personal data is disclosed by means of data transmission devices must be identifiable.
- Storage control: unauthorized storage, modification or deletion of data stored in a computer must be prevented.
- Usage control: unauthorized persons must not be able to use automated data processing systems.
- Access control: authorized persons may access only the personal data they need to perform their duties.
- Input control: in automated systems, it must be possible to examine retrospectively which personal data was entered, when, and by whom.
So that the rights to access and correct data can be effectively exercised, data files must be organized in a way that guarantees data subjects’ right of access.
How InCountry can help you get compliant with revDPA
Partnering with InCountry is the fastest way to comply with data residency regulations and unlock new territories.
- Simplify international expansion by complying with location-specific data regulations
- InCountry can be integrated directly into Salesforce, ServiceNow, and other popular SaaS applications
- An easy-to-use, cost-effective solution without requiring new hardware or Salesforce instances
- We store and process information in multiple countries and meet all law and audit requirements simultaneously
- Integration with internal and SaaS apps such as Salesforce
- Making it easy for you to store data in other countries while ensuring compliance with local data security laws; unlike our competitors, we help you maintain guaranteed compliance with those laws
- Only a few countries are supported by Hyperforce, and you can only process and store data in the one country where the instance is located.