Takeaways (AI):
  • On August 31, 2022, the Federal Council adopted the new Data Protection Ordinance (DSV) and the Ordinance on Data Protection Certifications (VDSZ).
  • The implementing ordinances and the totally revised DSG enter into force on September 1, 2023, granting the economy an adjustment period.
  • The Federal Council responded to the criticism voiced in the consultation and aligned the content of the DSV with the statutory requirements.

At its meeting of August 31, 2022, the Federal Council adopted the new Data Protection Ordinance (DSV) and the new Ordinance on Data Protection Certifications (VDSZ). The implementing provisions will enter into force together with the totally revised Data Protection Act (nDSG), as expected on September 1, 2023 (media release).

Initial situation

As is well known, on September 25, 2020, the Swiss Parliament adopted the totally revised Data Protection Act (nDSG). Accordingly, the revision of the corresponding implementing provisions was initiated from the fall of 2020. On June 23, 2021, the Federal Council opened the consultation on it, which lasted until October 14, 2021.

According to the report on the outcome of the consultation procedure of August 31, 2022, a wide range of parties took part in the consultation: comments were received from 24 cantons, the Conference of Cantonal Data Protection Commissioners "privatim", political parties and numerous associations from business, consumer protection and data protection circles, including Walder Wyss.

The Federal Council has now decided to bring

  • the totally revised DSG,
  • the new Data Protection Ordinance (DSV, PDF) and
  • the new Ordinance on Data Protection Certifications (VDSZ, PDF)

into force on September 1, 2023. In doing so, it grants the economy a further year's adjustment period.

Thus the long-awaited final version of the DSV is finally available. At the same time, the Federal Council has approved the extensive explanatory report on the DSV and likewise the one on the VDSZ, published together with an "FAQ on data protection law".

Working materials

We (Hannes Meyle and Anne-Sophie Morand with David Vasella) have compiled a comparison of the DSV, the E-VDSG and the currently applicable VDSG. You will find it here as a PDF. Insofar as a Word version is helpful for internal purposes, we can provide it on request.

You will also find here a prepared version of the DSV together with the corresponding excerpts from the explanatory report, alongside the new DSG with excerpts from the dispatch and an English version by Walder Wyss (Hugh Reeves).

Changes due to the consultation

In the DSV, the Federal Council made adjustments relative to the consultation draft (E-VDSG), thereby reacting to the harsh criticism voiced in the consultation.

Already when the E-VDSG became known at the end of June 2021, the business community in particular spoke of a missed opportunity. Criticism focused on the preliminary draft being imprecise and often unnecessarily restrictive, and on numerous provisions lacking a legal basis. The consultation submissions were not short of criticism either. In the DSV, the Federal Council has therefore attempted to establish a clearer relationship between the provisions of the ordinance and the respective statutory norms. Compared to the consultation draft, the DSV thus contains substantive as well as systematic adjustments. The explanatory report summarizes these adjustments as follows:

Adjustments based on the consultation

Compared to the consultation draft, the ordinance contains substantive and systematic adjustments. The most important changes are presented below.

4.1 Data security

The section on data security was revised to take account of the criticism expressed in the consultation.

Terms requiring interpretation (e.g. "appropriate intervals") have been deleted. In addition, the objectives are now regulated in a separate article (Art. 2 DSV), which is modelled on the regulation in the Information Security Act. Article 3 regulates the technical and organizational measures.

The provisions on logging and processing regulations (Art. 4-6 DSV) retain the regulation of the current VDSG as far as possible. Thus the reference to the data protection impact assessment is deleted from the prerequisites for the logging obligation. The proposal to extend the retention period for logs to two years is not maintained. Since the one-year period under the current VDSG is both a minimum and a maximum, the words "at least" have been inserted to allow private persons to keep the logs for more than one year. For federal bodies, the special statutory provisions remain reserved.

4.2 Processing by processors

The previous content of Article 6 E-VDSG has been deleted. Instead, Article 7 DSV only regulates the form of prior authorization with which a controller can permit a processor to transfer data processing to a third party. This provision is based on Article 22(2) of Directive (EU) 2016/680 and Article 28(2) GDPR. For reasons of legal certainty, it takes up what the Federal Council had already set out in the dispatch on the total revision of the Data Protection Act regarding the approval of subcontracted processing (see BBl 2017 6941, 7032).

Article 6(1) and (2) E-VDSG are deleted because these norms are already covered by Article 9(1)(a) nDSG and the provisions on the disclosure of data abroad (Art. 16 f. nDSG; Art. 8 ff. DSV). A controller who delegates the processing of personal data to a processor also remains responsible for data protection.

Furthermore, an express provision on the written form of prior approval of subcontracting by federal bodies, as provided for in Article 6(3) E-VDSG, does not seem necessary. It can be assumed that this form will be chosen anyway with a view to legal certainty. In addition, any relevant formal requirements under procurement law must be observed.

Article 7 E-VDSG has been deleted altogether, because Article 26(2)(a) DSV (formerly Article 28(2)(a) and (b) E-VDSG) already regulates the involvement of the data protection advisor.

4.3 Disclosure of personal data abroad

The consultation process has shown that there is a need for increased transparency and clarity.

According to Article 8(5) DSV, the Federal Council's assessments must now be published. A transitional provision governs the modalities (Art. 46(2) DSV). In addition, the principle of transparency has been explicitly included in Article 9(1)(a) DSV.

Finally, it is also specified that the FDPIC shall issue an opinion within ninety days on the standard data protection clauses and binding corporate data protection rules submitted to it (Art. 10(2) and Art. 11(3) DSV).

4.4 Duties of the controller

The processor has been deleted from Article 13(1) DSV (formerly Article 13(1) E-VDSG), since the legal basis in Article 19 nDSG is likewise directed only at the controller. Responsibility for the information remains with the controller. Furthermore, paragraph 1 has been reworded in line with the GDPR. In addition, paragraph 2 of the provision has been deleted: the consultation showed that the use of pictograms in the required form could not be implemented by the business community; in particular, the requirement of machine readability was strongly criticized.

Article 15 E-VDSG will now only apply to federal bodies and has therefore been moved to the chapter on data processing by federal bodies (new Art. 30 DSV). The provision is retained for federal bodies, as it is required by Art. 7(2) of Directive (EU) 2016/680.

Article 16 E-VDSG was deleted because the corresponding article had been removed after the consultation on the nDSG and was therefore not in the draft law submitted to Parliament. It was thus not coherent to include it in the draft ordinance.

Article 17 E-VDSG has been deleted, as the aim and purpose of the provision are already covered in particular by Article 21(2) nDSG.

Article 14 DSV (formerly Art. 18 E-VDSG) now only regulates the retention of the data protection impact assessment and no longer says anything about its form. As with the other instruments regulated in the nDSG and the DSV, it is at the controller's discretion in which form to retain it. It must, of course, be readable in a common format in the event of an audit by the FDPIC or of a breach.

In Article 15 DSV, paragraph 2 has been aligned with the requirement of Article 24(1) nDSG, so that the subsequent notification must also be made "as soon as possible". Paragraph 4 has been deleted due to the amendment of Articles 26 and 27 DSV, according to which the involvement of the data protection advisor in the notification of a data security breach is now structured as an obligation of the federal body.

4.5 Rights of the data subject

In the first section, Article 20(4) E-VDSG (now Art. 16(5) DSV) has been amended so that the requirements already provided for in Article 1(2)(a) and (b) of the current VDSG to ensure the security of the information transmitted are only partially carried over. The obligation of the controller provided for in letter b, to ensure when providing information that the data subject's personal data are protected from access by unauthorized third parties, already follows with sufficient specificity from Article 8 nDSG. Letter b has therefore been deleted. However, it has been expressly retained that the controller must take appropriate measures to identify the data subject, particularly since the data subject is required to cooperate.

Article 20(5) E-VDSG has been deleted, as the issue is already sufficiently covered by Article 26(4) nDSG, which provides that the controller must state why it refuses, restricts or postpones the information. This is sufficient for asserting the claim in court. Data controllers are thus no longer subject to a retention obligation; retention by the controller is nevertheless advisable for evidentiary reasons.

Article 21 E-VDSG (now Art. 17 DSV) has been adapted so that it is clearly recognizable as a coordination norm. Paragraph 2 has been amended so that the processor assists the controller in providing the information.

Article 23 E-VDSG (now Art. 19 DSV) on the exceptions to the free provision of information has also been revised. Paragraph 3 now provides that the request is deemed withdrawn if the data subject does not confirm his or her request within ten days of being notified of the cost contribution. Accordingly, the time limit under Article 18 DSV (formerly Article 22 E-VDSG) only begins to run after this reflection period.

The 2nd section, on the right to the issuance or transfer of data, has been fundamentally revised again. The following articles have been created: Article 20 DSV deals with the scope of the claim, Article 21 DSV with the technical requirements for implementation, and Article 22 DSV (formerly Art. 24 E-VDSG) specifies, as regards time limit, modalities and competence, to what extent the provisions on the right of access apply to the right to the issuance or transfer of data.

4.6 Special provisions for data processing by private persons

Paragraph 1 of Article 25 E-VDSG (new Art. 23 DSV) "data protection advisor" has been deleted, as private controllers are not required to appoint a data protection advisor. In the remaining text, letter c introduces the possibility for data protection advisors to inform the highest management or administrative body in important cases.

4.7 Special provisions on data processing by federal bodies

In Article 26 DSV (formerly Art. 28 E-VDSG), paragraph 2 clarifies that the data protection advisors are involved in the application of the data protection provisions, whereby the specifications in items 1 and 2 serve exclusively as examples of this.

The task of the data protection advisor to report data security breaches to the FDPIC (Article 28(2)(c) E-VDSG) is now structured as a duty of the federal body. It is therefore now regulated in Article 27 DSV.

Article 31 E-VDSG on information to the data protection advisor is deleted. The provision had partially taken over Article 20(2) of the current VDSG. In any case, the information to be provided to the data protection advisor follows from his or her general advisory, support and supervisory duties.
