Data protection FAQ Switzerland: Really confusing questions and clear answers

Content

Who is affected by the FADP?
What is personal data?
What is sensitive personal data?
Who must appoint a Data Protection Officer?
What are the advantages of an external versus an internal Data Protection Officer?
What are the costs of an external Data Protection Officer compared to an internal appointment?
What are the benefits of appointing a Data Protection Officer?
What should be considered when appointing an external Data Protection Officer?
When is a data breach considered to have occurred?
When does a data breach have to be reported?
What are the consequences of a data breach?
What is a privacy notice and why is it needed?
What information obligations do companies have towards data subjects?
Are there exceptions to the information obligations under the FADP?
What are the information requirements for sending newsletters?
Is a privacy policy required for a Facebook Page?
What is a data processor?
When must a data processing agreement be concluded?
What is the Register of Processing Activities?

General Information

Our answers to common questions about data protection:

Who is affected by the FADP?

The Federal Act on Data Protection (FADP) applies to all organisations domiciled in Switzerland that process personal data. The revised FADP, in force since 1 September 2023, also applies to matters that have an effect in Switzerland even if they are initiated abroad. An organisation outside Switzerland whose data processing affects persons in Switzerland therefore falls within its scope as well.

What is personal data?

Personal data is any information relating to an identified or identifiable natural person. Besides general data such as name, postal address, date of birth, e-mail address, occupation and nationality, it also includes sensitive personal data, which requires greater protection and is therefore subject to stricter rules. An IP address is also personal data where it can be linked to a person, which is regularly the case in web server logs and analytics data.

What is sensitive personal data?

In addition to general personal data, there is data that is particularly sensitive. Under Art. 5 lit. c FADP this comprises data on religious, philosophical, political or trade-union views or activities; data on health, the intimate sphere or racial or ethnic origin; genetic data; biometric data that uniquely identifies a natural person; data on administrative or criminal proceedings and sanctions; and data on social assistance measures. The legislator regards these categories as particularly worthy of protection: they may only be disclosed to third parties with explicit consent, and processing them on a large scale is one of the triggers for a data protection impact assessment.

Data Protection Officer (DPO)

Our answers to questions about the requirement to appoint a DPO and the role of the DPO:

Who must appoint a Data Protection Officer?

For private controllers, the appointment of a DPO (the FADP calls the role "data protection adviser", Art. 10) is voluntary. It nevertheless has benefits for companies with complex data processing operations, and it is a precondition for the exemption from consulting the FDPIC after a data protection impact assessment (see below). Federal bodies, by contrast, are obliged to appoint a data protection adviser.

What are the advantages of an external versus an internal Data Protection Officer?

When deciding between an internal and an external DPO, expertise, liability, termination and cost all need to be weighed. An external DPO brings in-depth expertise and keeps up to date with developments in data protection law as part of the job, which reduces the company's liability risk. An external DPO has no special protection against dismissal: the mandate ends as the contract provides. The fee for the external DPO's services must be compared with the salary, training and development costs of an internal appointment.

What are the costs of an external Data Protection Officer compared to an internal appointment?

When engaging an external DPO, the initial costs vary depending on the service provider. At OBSECOM GmbH, the first step is usually a comprehensive inventory of processing activities, which is invoiced separately. A monthly lump sum is then agreed for ongoing consulting; its amount depends on the company's consulting needs. Since an internal DPO must first be trained and then kept up to date through regular training, the overall cost of an external DPO is likely to be lower in the long run.

What are the benefits of appointing a Data Protection Officer?

The DPO is the point of contact for data subjects and supervisory authorities. He or she works with the company's compliance team, advises management and employees on data protection issues, and ensures that data protection is treated as a requirement in all compliance activities. He or she reviews the processing of personal data and recommends corrective action. A concrete statutory benefit: if a data protection impact assessment for high-risk processing shows that a high risk remains despite the planned measures, the controller would normally have to consult the FDPIC. A private controller may dispense with that consultation if it has consulted its DPO instead (Art. 23 para. 4 FADP), provided the DPO meets the requirements of Art. 10 FADP: independence from instructions, no conflicting duties, the necessary expertise, and publication of the DPO's contact details and their communication to the FDPIC.

What should be considered when appointing an external Data Protection Officer?

When selecting an external DPO, attention should be paid to professional qualifications and, in particular, expertise. The DPO should be competent in data protection law and practice and receive regular training. Membership of professional associations and demonstrable experience in IT law, employee data protection or other data protection topics relevant to the company make it easier to judge whether a candidate is suitable.

Here you will find further information on the services of OBSECOM GmbH as external Data Protection Officer in Switzerland.

Data breaches

Our answers to questions about data breaches and reporting obligations:

When is a data breach considered to have occurred?

A data breach (the FADP speaks of a "breach of data security", Art. 5 lit. h) is any breach of security that results in personal data being unintentionally or unlawfully lost, deleted, destroyed or altered, or disclosed or made accessible to unauthorised persons. Typical examples are an e-mail with personal data sent to the wrong recipient, a lost unencrypted laptop or USB stick, ransomware that encrypts or exfiltrates data, and a compromised account or server. Note that the definition covers loss of availability and integrity, not only disclosure.

When does a data breach have to be reported?

A data breach must be reported to the FDPIC if it is likely to result in a high risk to the personality or fundamental rights of the data subjects (Art. 24 FADP). The risk must be carefully assessed, and the breach, its impact, the reasons for the decision and the measures taken must be documented in writing in an understandable manner; this documentation must be retained for at least two years from the date of notification, and it must exist even for breaches that are ultimately not reported, because it is the evidence that the assessment was made. Unlike the GDPR, the FADP sets no fixed 72-hour deadline, but the notification must be made as quickly as possible. A processor that suffers a breach must notify the controller as quickly as possible. In addition, the data subjects must be informed if this is necessary for their protection or if the FDPIC requests it.

What are the consequences of a data breach?

Depending on the severity of the breach, affected individuals may claim damages under civil law, and the FDPIC may open an investigation and order measures. The FADP itself does not fine companies, but it provides for criminal fines of up to CHF 250,000 against the responsible natural persons for certain intentional violations, for example of the duty to provide information or of the minimum requirements for data security. If individuals in the EU are also affected and the processing falls under the GDPR, the EU supervisory authorities may impose a fine. Its amount is determined case by case, taking into account, among other things, the seriousness and duration of the breach, whether the controller acted intentionally or negligently, and the categories of personal data involved. The GDPR provides for fines of up to EUR 20 million or, in the case of a company, up to 4% of its total worldwide annual turnover in the preceding financial year, whichever is higher.

Information requirements

Our answers to questions about information requirements:

What is a privacy notice and why is it needed?

Whenever a company collects, processes, uses or discloses personal data, it must inform the individuals concerned about the processing at the time the data is obtained. This information is provided in a privacy notice. For personal data processed on a website, the privacy notice should be easily accessible on the website itself, typically linked from every page. Depending on the other purposes for which the company processes personal data, separate notices may be needed, for example for employees, applicants or business partners.

What information obligations do companies have towards data subjects?

Companies must inform data subjects about the scope and purpose of the processing of personal data at the time they collect personal data. Data subjects can be customers, employees and applicants, but also interested business partners. The scope of the information to be provided is governed by Article 19 FADP. As a minimum, the following information must be provided:

  • The identity and contact details of the controller.
  • The purposes for which the personal data will be processed.
  • The recipients or categories of recipients to whom the personal data will be disclosed.
  • The categories of personal data, if the personal data are not obtained directly from the data subject.
  • If the data is disclosed abroad: the state or international body concerned and, where applicable, the safeguards that protect the rights of data subjects in the country of destination, or the exception relied on.

In the interest of transparency, further information may be provided on an optional basis:

  • The contact details of the Data Protection Officer.
  • Information on the retention period of personal data.
  • Information on the rights of data subjects: access, rectification, restriction of processing, as well as data portability and the right to object.

Are there exceptions to the information obligations under the FADP?

Yes. Under Art. 20 FADP the information under Art. 19 does not have to be provided if the data subject already has it, if the processing is provided for by law, if the controller is bound by a statutory duty of confidentiality, or if the controller can rely on media privilege. Where the personal data is not obtained from the data subject but from third parties, information may also be dispensed with if providing it proves impossible or would require disproportionate effort. Finally, the controller may restrict, defer or dispense with the information where overriding interests of third parties or of the controller itself require it, or where the information would defeat the purpose of the processing.

What are the information requirements for sending newsletters?

As sending a newsletter involves processing personal data, the FADP's information obligations must be complied with. The recipient must be duly informed about the processing of the personal data provided. Since subscription is usually based on the recipient's consent, the notice should provide all relevant details so that the recipient can make a free and informed decision. The privacy policy should therefore describe how the user's data is handled in connection with the newsletter and which external service providers (for example the mailing platform) process it. The privacy policy must be accessible at the point of data collection, i.e. on the sign-up form, and should then be linked in every e-mail sent. Independently of the FADP, Art. 3 para. 1 lit. o of the Unfair Competition Act (UCA) requires prior consent for mass advertising e-mails, a correct sender address and an easy, free way to unsubscribe in every mailing.

Is a privacy policy required for a Facebook Page?

If a publicly accessible Facebook fan page (Facebook Business Page) is operated, personal data is processed there as well (e.g. web statistics via Facebook Insights, contact forms or surveys). Accordingly, privacy information must be published. This can be done via a menu item, a page tab or an entry in the page's information section, either as the full text or as a link to an external document (e.g. the privacy policy on the company's website). The operator of a fan page is jointly responsible with Facebook for the processing of data in connection with the fan page, so both parties must provide information about the processing for which they are responsible. In particular, the privacy policy should state whom data subjects can contact to exercise their rights.

Other obligations

Our answers to questions about other data protection obligations:

What is a data processor?

A data processor is a natural or legal person (a company), federal body or other organisation that processes personal data on behalf of the controller (Art. 5 lit. k FADP). The processor may only process the personal data as the controller would be permitted to do itself, on the controller's instructions and on the basis of a contract or a statutory provision. The processor must take appropriate technical and organisational measures to protect the data, and it may engage a subprocessor only with the controller's prior approval (Art. 9 FADP). Examples of processors are IT service providers, cloud and hosting providers, mailing platforms and document destruction companies.

When must a data processing agreement be concluded?

A contract must be concluded whenever an external service provider has access to personal data and processes it on behalf of the controller in accordance with its instructions, unless the processing is assigned by law. Before assigning the processing, the controller must satisfy itself that the processor can guarantee data security and that no statutory duty of confidentiality prohibits the assignment. The contract should record the controller's instructions, the security measures the processor must maintain and the rule that subprocessors may only be engaged with the controller's prior approval.

What is the Register of Processing Activities?

Under Art. 12 FADP, controllers and processors must document their processing activities in a register. Companies and other private-law organisations with fewer than 250 employees, as well as natural persons, are exempt unless their processing entails a high risk to the personality of the data subjects, in particular where sensitive personal data is processed on a large scale or high-risk profiling is carried out (Art. 12 para. 5 FADP in conjunction with Art. 24 of the Data Protection Ordinance). Art. 12 governs what the register must contain. For a controller this is at least: the identity of the controller; the purposes of the processing; a description of the categories of data subjects and of the categories of personal data processed; the categories of recipients; if possible, the retention period or the criteria for determining it; if possible, a general description of the technical and organisational measures; and, where data is disclosed abroad, the state concerned and the safeguards relied on. A processor's register lists the identity of the processor and of the controller, the categories of processing carried out on the controller's behalf, and the same information on measures and disclosure abroad.