New data protection law in Switzerland
The new Swiss data protection law will come into force in 2023.
What should we expect, and how does it differ from the RGPD, which already applies to companies offering services to EU countries?
Swiss Lemon informs you about the new law on data protection (LPD).
LPD and RGPD, the laws that protect our personal data
We often talk about the protection of our personal data on the Internet. But what exactly is personal data?
“Personal data” is “any information relating to an identified or identifiable natural person”: surname, first name, telephone number, image, but also location, age or even tastes and habits.
It covers all the traces you leave of yourself on the web: by entering information, by browsing, by registering on certain sites…
Let’s start with the known: RGPD.
The acronym RGPD (GDPR in English) stands for “General Data Protection Regulation”. The RGPD regulates the processing of personal data in the European Union.
It harmonizes the rules in Europe by providing a single legal framework for professionals.
Any organization, regardless of its size, its country of establishment and its activity, may be affected.
Indeed, the GDPR applies to any organization, public or private, that processes personal data, whether on its own behalf or not, as soon as:
- it is established on the territory of the European Union,
- or its activity directly targets European residents.
For example: a company established in Switzerland, offering services on its website, in French, and delivering products or services in France, must respect the RGPD.
In Switzerland, we have been protected by the DPA since 1993.
The new federal law on data protection (LPD) is coming soon. It contains the updated cross-sectoral rules that must generally be respected when processing personal data.
The DPA sets out the fundamental principles and requirements to ensure the lawful processing of personal data:
- Principle of transparency: all data processing must be done in a transparent manner.
- Purpose principle: data collected should be used only for purposes that are obvious to the data subject; data should be collected, retained, disclosed and processed only to the extent necessary for those purposes.
- Consent to data processing: when the processing of data requires the consent of the data subject, as for example in the context of research on human beings, this consent will only be legally valid if it has been given freely, on the basis of appropriate information, and explicitly if it concerns particularly sensitive data.
- Right of revocation: consent to data processing may be revoked by the data subject at any time.
- Data security: personal data must be protected against unauthorized processing by appropriate technical and organizational measures.
- Right of access: any person has the right to ask the holder of a data collection for information on the processing of data concerning them.
- Duty to inform: the data controller is obliged to inform the data subject about the acquisition of particularly sensitive personal data. This information obligation also applies to data collected by third parties.
- Cross-border disclosure: personal data must not be disclosed abroad if this would result in a serious risk to the personal rights of the data subjects.
What are the objectives of the new LPD?
The Swiss data protection law, which has been in place for almost 30 years, is now outdated. The technological and societal landscape has changed, and this law is no longer effective in protecting people.
Moreover, the rise of digital technology makes its revision necessary. It must also be adapted to the European Data Protection Regulation (GDPR). As Switzerland is part of the Schengen Agreement, it must follow the legal provisions of Directive (EU) 2016/680. The latter, concerning the protection of individuals with regard to the processing of personal data for criminal purposes, is indeed a “development of the Schengen acquis”.
In order to process personal data of European citizens, the Confederation must provide a level of protection equivalent to the level imposed by the EU.
Harmonizing the LPD ensures that Switzerland is recognized as a third country with a sufficient level of protection, so that a smooth exchange of data between Switzerland and the EU remains possible in the future.
New LPD, soon to be implemented
The revised LPD was announced for the second half of 2022.
The Federal Office of Justice has just announced a possible delay, which would push this date to September 1st 2023.
Since there is no transition period, every company must check its compliance with the new legislation in time and know the consequences.