- On August 31, 2022, the Federal Council adopted the new Data Protection Ordinance (DSV) and the Ordinance on Data Protection Certifications (VDSZ).
- The implementing provisions and the totally revised Data Protection Act (nDSG) enter into force on September 1, 2023, giving the business community an adjustment period.
- The Federal Council has responded to the criticism voiced in the consultation and aligned the content of the DSV with the statutory requirements.
At its meeting on August 31, 2022, the Federal Council adopted the new Data Protection Ordinance (DSV) and the new Ordinance on Data Protection Certifications (VDSZ). As expected, the implementing provisions will enter into force together with the totally revised Data Protection Act (nDSG) on September 1, 2023 (media release).
Initial situation
As is well known, the Swiss Parliament adopted the totally revised Data Protection Act (nDSG) on September 25, 2020. Accordingly, the revision of the corresponding implementing provisions was initiated in the fall of 2020. On June 23, 2021, the Federal Council opened the consultation on them, which lasted until October 14, 2021.
According to the report on the outcome of the consultation procedure of August 31, 2022, a wide range of parties took part: comments were received from 24 cantons, the Conference of Cantonal Data Protection Officers "privatim", political parties and numerous associations from the business, consumer protection and data protection sectors, including Walder Wyss.
The Federal Council has now decided to bring
- the totally revised DSG (nDSG),
- the new Data Protection Ordinance (DSV, PDF) and
- the new Ordinance on Data Protection Certifications (VDSZ, PDF)
into force on September 1, 2023. In doing so, it grants the business community a further year as an adjustment period.
The long-awaited final version of the DSV is thus finally available. At the same time, the Federal Council has published the extensive explanatory report on the DSV and likewise on the VDSZ, together with an "FAQ on data protection law".
Working materials
We (Hannes Meyle and Anne-Sophie Morand with David Vasella) have compiled a comparison of the DSV, the consultation draft (E-VDSG) and the currently applicable ordinance (VDSG). You will find it here as a PDF. Where a Word version is helpful for internal purposes, we can provide one on request.
You will also find here an annotated version of the DSV together with the corresponding excerpts from the explanatory report, as well as the new DSG with excerpts from the dispatch and an English version by Walder Wyss (Hugh Reeves).
Changes due to the consultation
In the DSV, the Federal Council made adjustments compared to the consultation draft (E-VDSG) and thus responded to the harsh criticism expressed in the consultation.
Already when the E-VDSG became known at the end of June 2021, the business community in particular spoke of a missed opportunity. Particular criticism was directed at the fact that the preliminary draft was imprecise in content and often unnecessarily restrictive, and that numerous provisions lacked a legal basis. The consultation submissions did not hold back on criticism either. In the DSV, the Federal Council has therefore attempted to establish a clearer relationship between the provisions of the ordinance and the respective statutory norms. Compared to the consultation draft, the DSV thus contains substantive as well as systematic adjustments. The explanatory report summarizes these adjustments as follows:
Adjustments based on the consultation
Compared to the consultation draft, the ordinance contains substantive and systematic adjustments. The most important changes are presented below.
4.1 Data security
The section on data security was revised to take account of the criticism expressed in the consultation.
Terms requiring interpretation (e.g. "appropriate intervals") have been deleted. In addition, the objectives are now regulated in a separate article (Art. 2 DSV), which is modelled on the corresponding provision of the Information Security Act. Article 3 DSV regulates the technical and organizational measures.
The provisions on logging and processing regulations (Art. 4-6 DSV) retain the regulation of the current VDSG as far as possible. Thus, the reference to the data protection impact assessment has been removed from the prerequisites for the logging obligation. The proposal to extend the retention period for logs to two years has not been maintained. Since the one-year period under the current VDSG is both a minimum and a maximum, the words "at least" have been inserted so that private persons may keep the logs for longer than one year. For federal bodies, the provisions of special legislation remain reserved.
4.2 Processing by order processor
The previous content of Article 6 E-VDSG has been deleted. Instead, Article 7 DSV only regulates the type of prior authorization by which a controller may permit a processor to transfer the data processing to a third party. This provision is modelled on Article 22(2) of Directive (EU) 2016/680 and Article 28(2) GDPR. For reasons of legal certainty, it takes up what the Federal Council had already set out in the dispatch on the total revision of the Data Protection Act regarding the approval of subcontracted processing (see BBl 2017 6941, 7032). Article 6(1) and (2) E-VDSG have been deleted because these rules are already covered by Article 9(1)(a) nDSG and by the provisions on the disclosure of data abroad (Art. 16 f. nDSG; Art. 8 ff. DSV). A controller who delegates the processing of personal data to a processor also remains responsible for data protection.
Furthermore, an express provision requiring the written form for the prior approval of subcontracting by federal bodies, as provided for in Article 6(3) E-VDSG, does not appear necessary. It can be assumed that this form will be chosen anyway with a view to legal certainty. In addition, any applicable formal requirements under procurement law must be observed.
Article 7 E-VDSG has been deleted altogether, because Article 26(2)(a) DSV (formerly Art. 28(2)(a) and (b) E-VDSG) already regulates the involvement of the data protection advisor.
4.3 Disclosure of personal data abroad
The consultation process has shown that there is a need for increased transparency and clarity.
According to Article 8(5) DSV, the Federal Council's assessments must now be published. A transitional provision governs the modalities (Art. 46(2) DSV). In addition, the principle of transparency has been explicitly included in Article 9(1)(a) DSV.
Finally, it is also specified that the FDPIC shall issue an opinion within ninety days on the standard data protection clauses and binding corporate data protection rules submitted to it (Art. 10(2) and Art. 11(3) DSV).
4.4 Duties of the responsible party
The processor has been removed from Article 13(1) DSV (formerly Art. 13(1) E-VDSG), since the legal basis in Article 19 nDSG is likewise addressed only to the controller. Responsibility for the information remains with the controller. Furthermore, paragraph 1 has been reworded in line with the GDPR. In addition, paragraph 2 of the provision has been deleted: the consultation showed that the use of pictograms in the required form could not be implemented by the business community. The requirement of machine readability in particular was strongly criticized.
Article 15 E-VDSG will now apply only to federal bodies and has therefore been moved to the chapter on data processing by federal bodies (new Art. 30 DSV). The provision is retained for federal bodies because it is required by Article 7(2) of Directive (EU) 2016/680.
Article 16 E-VDSG has been deleted because the corresponding article had been removed after the consultation on the nDSG and was therefore not part of the draft law submitted to Parliament. It was accordingly not coherent to keep it in the draft ordinance.
Article 17 E-VDSG has been deleted because the aim and purpose of the provision are already covered, in particular, by Article 21(2) nDSG.
Article 14 DSV (formerly Art. 18 E-VDSG) now regulates only the retention of the data protection impact assessment and no longer says anything about its form. As with other instruments regulated in the nDSG and the DSV, it is at the controller's discretion in which form it is retained. However, it must be readable in a common format in the event of an audit by the FDPIC or in the event of a breach.
In Article 15 DSV, paragraph 2 has been aligned with the requirement of Article 24(1) nDSG, so that the subsequent notification must also be made "as soon as possible". Paragraph 4 has been deleted because of the amendment to Articles 26 and 27 DSV, according to which the involvement of the data protection advisor in the notification of a data security breach is now structured as an obligation of the federal body.
4.5 Rights of the data subject
In the first section, Article 20(4) E-VDSG (now Art. 16(5) DSV) has been amended so that the requirements already provided for in Article 1(2)(a) and (b) VDSG to ensure the security of the information transmitted are only partially taken over. The controller's obligation under letter b to ensure, when providing information, that the data subject's personal data are protected from access by unauthorized third parties already follows with sufficient specificity from Article 8 nDSG. Letter b has therefore been deleted. However, it has been expressly retained that the controller must take appropriate measures to identify the data subject, particularly since the data subject is required to cooperate. Article 20(5) E-VDSG has been deleted because the matter is already sufficiently covered by Article 26(4) nDSG, which provides that the controller must state why it refuses, restricts or postpones the information. This is sufficient for assertion before a court. Controllers therefore no longer have a retention duty in this respect, although retention by the controller is advisable for evidentiary reasons.
Article 21 E-VDSG (now Art. 17 DSV) has been adapted so that it is clearly recognizable as a coordination provision. Paragraph 2 has been amended so that the processor assists the controller in providing the information.
Article 23 E-VDSG (now Art. 19 DSV) on the exceptions to the provision of information free of charge has also been revised. Paragraph 3 now provides that the request is deemed withdrawn if the data subject does not confirm it within ten days of being notified of the cost sharing. Accordingly, the time limit under Article 18 DSV (formerly Art. 22 E-VDSG) only begins to run after this reflection period.
The second section, on the right to data portability (right to have data issued or transferred), has been fundamentally revised once more. The following articles have been created: Article 20 DSV deals with the scope of the claim, Article 21 DSV with the technical requirements for its implementation, and Article 22 DSV (formerly Art. 24 E-VDSG) specifies, with regard to time limits, modalities and competence, to what extent the provisions on the right of access apply to the right to have data issued or transferred.
4.6 Special provisions for data processing by private persons
Paragraph 1 of Article 25 E-VDSG (new Art. 23 DSV) on the data protection advisor has been deleted, since private controllers are not required to appoint a data protection advisor. In the remaining text, letter c introduces the possibility for the data protection advisor to inform the highest management or administrative body in important cases.
4.7 Special provisions on data processing by federal bodies
In Article 26 DSV (formerly Art. 28 E-VDSG), paragraph 2 clarifies that the data protection advisors are involved in the application of the data protection provisions; the specifications in items 1 and 2 serve exclusively as examples of this.
The task of the data protection advisor to report data security breaches to the FDPIC (Art. 28(2)(c) E-VDSG) is now structured as a duty of the federal body and is therefore regulated in Article 27 DSV.
Article 31 E-VDSG on information to be provided to the data protection advisor has been deleted. The provision had partially taken over Article 20(2) VDSG. However, the information to be provided to the data protection advisor follows from his or her general advisory, support and supervisory duties.