Swiss DPA publishes its guidance on the revised DP law

Switzerland’s Federal Data Protection and Information Commissioner highlighted some aspects of the new data protection law in a website update on 5 March. The new law, adopted in September 2020 and expected to come into force in 2022, makes some subtle changes to the old regime, although the basic data protection principles remain the same. Among the new aspects are a data breach notification duty and explicit provisions on Privacy by Design.

The new obligation to report data security breaches means that controllers must report breaches to the Data Protection Commission (FDPIC) if there is a high risk of adverse effects to the privacy or fundamental rights of data subjects.

‘The FDPIC should be notified of such breaches as soon as possible. Controllers should have previously drawn up a prediction of the potential implications of the breach and carried out an initial assessment as to whether there could be an imminent danger, whether data subjects need to be notified and how this could be done. If the controller does not assess the risk to be high, this does not prevent them from submitting a voluntary report to the FDPIC,’ the regulator says.

The revised law also enshrines the principles of privacy by design and default, and requires organisations to implement these principles at the planning stage.

To comply with the new law, businesses operating in Switzerland ‘need to review their offerings in a timely fashion and make adjustments where necessary through the use of customer-friendly programs that are conducive to data protection.’