Everyone is impacted by the revised data protection law now in force. Dominic Mueller, a director at Fidinam, discusses what small and medium-sized companies need to be doing.

The revised Swiss data protection law came into force on September 1, 2023. There was no transition period, meaning all the requirements needed to be in place at the time of enactment. The Fidinam Group has been successfully supporting companies, entrepreneurs, and individuals for over 60 years in managing these kinds of changes.

We have an excellent understanding of the needs of small and medium-sized companies. This article is intended simply as a prompt to help their thinking along, for businesses that are not yet fully prepared for the new law.

In Short

The law predating the current one was more than 30 years old, and Switzerland had come under increasing pressure after the EU's GDPR began to apply in 2018. It ran the risk of losing its recognition by the EU as a country with an adequate level of data protection.

The principles of the revised Swiss data protection law remain unchanged. But, in contrast to the GDPR, the Swiss law does not require a legal basis such as explicit consent for every single processing operation. Data processing is permitted as long as it is lawful, undertaken in good faith, proportionate, and carried out for a specific purpose that is recognizable to the person concerned.

Personal data may only be retained for as long as the purpose of the processing requires, and the data must be accurate. Against this background, it is also important to note the wider implications, which we discuss in greater detail below.

Key for SMEs

Any approach has to start with an internal analysis of the new law and of how the company itself processes personal data. We recommend creating a complete inventory as the basis from which the subsequent measures are derived:

  1. Overview of personal data processing activities in the company
  2. Drafting of a data protection declaration
  3. Overview of data transfers to third parties
  4. Overview of international data transfers
  5. Creation of a processing directory (register of processing activities)
  6. Review and update of technical and organizational measures
  7. Implementation of internal processes that comply with the new data protection law
  8. Appointment of an internal contact person for data protection issues

All eight points should be taken into account in order to manage the data protection risks comprehensively. Smaller companies with very limited data processing activities have to pay close heed to three central areas in particular. These should be seen as a bare minimum.

Three Areas

Companies that already pay close attention to their data processing activities should also look at the same three areas of the revised law, which they should review, update, and implement.

These are the data protection declaration(s), the transfer of data to third parties (including internationally), and technical and organizational measures.

1. Data Protection Declaration

The information obligations of controllers have been significantly expanded. Data subjects need to be informed about the processing of their data, even where the data are not collected from the person concerned.

Data subjects can be clients, website visitors, app users, suppliers, or external contractors. The data protection declaration on your website must contain at least the following information (Art. 19 para. 2 ff. nDSG):

  • Who is responsible for the processing (the controller), and how can they be contacted?
  • For what purposes will the personal data be used?
  • Who are the recipients, or categories of recipients, of the data?
  • If data are transferred abroad, to which countries, and what safeguards protect them?
  • What rights do data subjects have with regard to their data?

It is recommended that the declaration be phrased broadly enough to cover all current and foreseeable data processing activities, so that it does not have to be rewritten for every minor change. It must nevertheless describe accurately what the company actually does: a generic declaration that does not match the real processing fails to meet the information duty.

2. Data Transfers

Anyone who passes data on to third parties must make sure that the data are protected to the same standard as if they were processing it themselves. This requirement is implemented through so-called data processing agreements.

The controller is required to ensure that third parties (processors) process the data adequately, and this must be agreed on a contractual basis. There is little new in the law when it comes to exporting data to countries that offer a comparable level of data protection; the Federal Council maintains a list of such countries.

The catch is that the list is a short one. Exports of data to countries without an adequate level of protection must be secured by contractual guarantees, and this applies equally to data exchanged within a group of companies. The usual form of guarantee is a set of standard contractual clauses that have been reviewed and approved by the Federal Data Protection and Information Commissioner.

3. Technical and Organizational Measures (TOM)

TOM is a catch-all term for the measures a company must take to ensure that personal data are collected securely and then processed, stored, transferred, and destroyed in an appropriate manner. In practice this covers measures such as access control, encryption, logging, backups, and secure deletion, documented so that their adequacy can be demonstrated. The measures implemented have to be commensurate with the level of protection the data require and the risk involved in the processing.

Everyone Impacted

The revised data protection law has been harmonized with the requirements of the EU. We believe that almost all Swiss companies need to act with regard to the expanded information requirement and data processing. Fidinam can help you find a solution quickly.


Dominic Müller is responsible for business development at Fidinam's fiduciary business. He studied law at the University of Bern and has since spent his career consulting national and international clients. His areas of expertise are in human resources, payroll accounting, data protection, and digitalization.