Update 20 Dec, 2019: Because the parliamentary synopses (“Fahnen”) have been published in the meantime, we have updated the comparison of the versions of the Federal Council (BR), National Council (NR) and Council of States (SR) (see link below).
—
On December 18, 2019, the Council of States debated and approved the draft of the FDPA (E-FDPA). In doing so, it largely endorsed the resolutions of the National Council (cf. media release), which should facilitate the reconciliation of differences expected for the spring 2020 session. Entry into force of the revised FDPA in 2021 is therefore likely.
A comparison of the versions of the Federal Council, the National Council and the Council of States can be found here (PDF, as of 12/20/19).
The following points stand out prima vista in the Council of States’ version:
- As proposed by the National Council, the E-FDPA contains a provision on the territorial scope (Article 2A E-FDPA).
- The personality profile is replaced by profiling. Here, the Council of States follows the SPK-S and distinguishes between profiling as such and profiling “with high risk”. This is particularly the case if the responsible person processes data from several sources and about different areas of life or processes data systematically and extensively with the aim of drawing conclusions about different areas of a person’s life. Echoes of the personality profile of today’s FDPA are clearly recognizable, which should be of importance for the interpretation.
- Express consent will remain necessary for the processing of particularly sensitive data, but also for high-risk profiling. This argues for assuming a high risk only in clear cases. In any case, it would be unreasonable to have to obtain explicit consent in cases of doubt, considering the possible operational effort for explicit consent, especially for offline customers.
- Further relief upon the appointment of a privacy advisor is not provided. After all, the responsible person can thereby avoid the obligation to report high net risks to the FDPIC after conducting a data protection impact assessment.
- The obligation to keep a processing directory does not apply to companies with fewer than 250 employees, provided the processing involves only a low level of risk.
- Responsible persons domiciled abroad must appoint a representative in Switzerland.
- The duty to inform covers information on the person responsible, the purpose of the processing and the categories of recipients, and additionally, in line with the proposal of the SPK-, the list of data subjects’ rights and, if applicable, the intention to process personal data for the purpose of checking creditworthiness and (and/or?) to disclose them to third parties, as well as all recipient countries and, if applicable, further information on foreign disclosure.
- Exceptions to the obligation to provide information apply, among other things, if providing the information requires disproportionate effort (in the case of third-party procurement). However, the appeal to the responsible party’s own overriding interests unfortunately fails, as it already does today, if the responsible party discloses personal data to third parties. Here, at least, there is a group privilege (albeit one that is, certainly inadvertently, formulated much too restrictively).
- With regard to the right to information, the Council of States has regrettably deleted the clarification that the personal data processed must only be handed over “as such”. This will also fuel the discussion in Switzerland as to whether the right of access confers a right to surrender documents (probably not; even in Germany, the tendency is in this direction).
- The exception to the right of information in the case of the controller’s own overriding interests is also limited to cases where personal data is not disclosed to third parties outside the group.
- The right to data portability will be introduced as envisaged by the National Council.
- Fortunately, the Council of States has eliminated the prohibition proposed by the SPK-S on disclosing personal data to third parties without express consent.
- On the processing of personal data for the purpose of verifying creditworthiness, the Council of States has followed the National Council. The legal presumption of overriding interest ceases to apply here if, for this check, (i) data of minors are processed, (ii) data older than five years are processed and (iii) profiling with high risk takes place. Conversely, it follows that the credit check as such cannot constitute high-risk profiling.
- The FDPIC receives dispositional authority.
- Certain intentional violations are punishable by fines of up to CHF 250’000 (the addressee of the fines is to be determined according to Art. 29 StGB), e.g. in the event of a breach of the duty to provide information, unauthorized foreign disclosure and inadequate safeguarding of order processing. Among other things, the violation of data security requirements, which the Federal Council is to specify by ordinance, will also be punishable, as proposed by the Federal Council but contrary to the National Council.
- Transition periods are provided, but only for ongoing processing if the purpose of processing remains unchanged and no new data are obtained. Art. 6 (data protection by technology and data protection-friendly default settings) and Art. 20 f. (data protection impact assessment) do not apply to such processing. The obligation to provide information when obtaining personal data (Art. 17) also does not apply if no new procurement takes place after the entry into force of the revised FDPA. Otherwise, however, the application of the new law is determined by the final title of the ZGB.
Even before the differences have been resolved, it is clear that the revised data protection law will require considerable effort, partly because it differs significantly in many respects from the provisions of the GDPR, in some respects to the advantage, but in many respects also to the disadvantage of the companies concerned.