On September 1, 2023, the new Swiss data protection law comes into force. Unlike getting in shape for summer, data protection readiness can still be achieved if you start now: if you are not yet ready, there is still time to act. The following overview shows what companies should consider.
Handling personal data
The good news: in principle, personal data can continue to be processed as before. Anyone who does not adhere to principles such as transparency, purpose limitation or "need-to-know" needs a good reason for doing so. The requirements for disclosing personal data to countries without adequate data protection are no stricter than today. Some detailed rules are new, such as the "privacy by default" principle, under which default settings must be as data-protection-friendly as possible, for example in apps. Also new is a confidentiality obligation for everyone with regard to personal data entrusted to them in and for their job; anyone who intentionally violates it can be fined.
Information obligations and data subject rights
However, the information obligations of controllers are extended and now apply in principle to any planned collection of personal data. In other words, a privacy notice becomes mandatory. Most often, one is drawn up for employees and one covering all other personal data the company collects, and not just on the website. It should nevertheless be published there so that it can be referred to in forms, general terms and conditions, etc. The rights that people have in relation to their data vis-à-vis companies, such as the right of access or the right to be forgotten, are not new, but are increasingly in focus. Note, however, that these rights are still not absolute; restrictions remain possible. Providing incorrect or incomplete information can be a punishable offence.
Expansion of governance and reporting obligations
In certain cases there are additional obligations. If, for example, processors are engaged, the processing by them, or certain elements of it, must be regulated by contract. If processing activities can entail a high risk for data subjects, controllers must also carry out (and keep on file) a data protection impact assessment, together with a list of measures to reduce the risks. There are new reporting obligations for data security breaches for both processors and controllers; for the latter, however, only if the breach is likely to result in a high risk for the persons concerned. Depending on the size of the company or the type and scope of the processing, documentation or other obligations may arise, such as keeping a register of processing activities or drawing up processing regulations.
Key factors for companies
Violating certain (not all!) requirements of the new data protection law can lead to personal fines of up to 250,000 francs. Companies should therefore in particular:
- understand how they use personal data;
- clearly regulate roles and responsibilities in the area of data protection (here too) and introduce processes to ensure compliance with legal requirements;
- raise employees' awareness of data protection according to their level and function.
2023-06-07 06:06:43