Data Protection - Switzerland

25 September 2023

Switzerland's new Data Protection Law, which aligns with the European Union's General Data Protection Regulation (GDPR), marks a substantial update to the country's previous data protection framework and promises enhanced privacy rights for individuals and stricter compliance requirements for organizations.

Key provisions of the new Swiss Data Protection Law include:

  1. Extended Territorial Scope: The law applies not only to Swiss-based organizations but also to foreign companies that process the personal data of Swiss residents. This extension aims to ensure that the personal data of Swiss citizens enjoys protection, regardless of where it is processed.

  2. Enhanced Consent Requirements: Organizations are now required to obtain explicit and informed consent before collecting and processing individuals' personal data. Consent must be easily withdrawable, and individuals must be made aware of the specific purposes for which their data will be used.

  3. Data Minimization and Purpose Limitation: The law emphasizes the principles of data minimization and purpose limitation, which means organizations can only collect data that is strictly necessary for the purpose they have declared. Data should not be retained for longer than necessary.

  4. Data Protection Officers: Certain organizations are mandated to appoint Data Protection Officers (DPOs) responsible for overseeing data protection compliance. DPOs will serve as intermediaries between the organization, data subjects, and regulatory authorities.

  5. Data Subject Rights: Individuals have strengthened rights under the new law, including the right to access their data, request corrections, and request the erasure of their data (the "right to be forgotten"). They can also object to data processing in certain situations.

  6. Data Breach Notification: Organizations are obligated to notify both the affected individuals and the Swiss Federal Data Protection and Information Commissioner (FDPIC) of data breaches without undue delay, where the breach is likely to result in a high risk to the rights and freedoms of individuals.

  7. Cross-Border Data Transfers: Transfers of personal data to countries outside the European Economic Area (EEA) and countries that are not recognized as providing an adequate level of data protection are subject to strict conditions, ensuring the protection of data when it leaves Swiss borders.

  8. Harsh Penalties: The law introduces significant fines for non-compliance, with penalties of up to 4% of a company's global annual revenue or CHF 250,000,000 (whichever is higher). This provides a strong incentive for organizations to prioritize data protection compliance.

Switzerland's new Data Protection Law is expected to have a profound impact on how organizations collect, store, and process personal data. It underscores the country's commitment to aligning its data protection standards with international best practices and ensuring that its citizens' privacy rights are upheld in the digital age.

Organizations operating in Switzerland are encouraged to conduct thorough reviews of their data processing activities and compliance measures to ensure they align with the new legal requirements. By doing so, they can avoid substantial fines and contribute to a more secure and privacy-respecting digital environment for all Swiss residents.
