On 25TH September 2021 the Swiss National Council adopted the revision of the new LPD. In structuring the new Data Protection Law, the Federal Council and the Parliament could not fail to take into account the Convention STE 108 regarding the automated processing of persons’ personal data, to which Switzerland has adhered.
On last January, the deadline for the referendum expired unused. Therefore, the new revised LPD will presumably come into force in the spring of 2022. By this deadline, private companies and federal bodies will have to have revised their methods of processing personal data in order to comply with the provisions of the new regulatory text.
Recently, the Federal Personal Data Processing and Transparency Officer (“IFPDT”) published a summary containing the major innovations introduced by the new text.
First of all, the new LPD aims to protect only the personal data of natural persons (as already provided for by the GDPR). Therefore, the protection of the personal data of legal persons is excluded. Furthermore, the concepts of “privacy by default” and “privacy by design” are introduced.
The GDPR has introduced the role of the Data Processor Officer. The new LPD, specularly, establishes the figure of the company consultant on the processing of personal data who can be an internal or external professional, as long as he carries out his duties in a hierarchically independent manner. This new role, whose appointment is mandatory only for federal bodies and not for private companies, has consultancy and training functions, as well as intermediation between the company and the IFPDT.
With regard to the drafting of an Impact Statement, the new text merely reiterates its use in the case of high risk treatments. Furthermore, the new text adopted the possibility to develop and to adopt own codes of conduct, as well as to provide for specific certification.
With reference to the introduction of the obligation to keep a Register of Treatments, it should be noted that this will only exist for companies with more than 250 employees and for those companies that implement potentially risky large-scale treatments.
Another fundamental point is that of the communication of personal data abroad. This action is only permitted towards countries to which the Federal Council has given its consent. Otherwise, transmission can only take place if protection is ensured through the use of other procedures. In particular, with regard to the publication of data abroad on cloud systems, the new legislation introduces the obligation of specific indication of the recipient countries of the data transfer, in addition to the definition of the organizational and security procedures expressly adopted.
The new LPD is very close to what has already been established by the GDPR regarding the rights that can be exercised by the interested parties and the contents of the information to be made to the interested parties before proceeding with the treatment.
From the point of view of the function of the IFPDT, in the future this body will be entitled to act in the event of any violation of the provisions of the new LPD. The penalties are up to 250’000 CHF for willful misconduct. Failure to comply with the provisions, on the other hand, is punishable up to 50’000 CHF for natural persons only, but in the future it is thought to be able to extend the punishment also to the companies themselves.
Obviously, the new LPD largely accepts what has already been established by the GDPR which in fact has been regularly applied by Swiss companies for some years, while maintaining some typical characteristics of Swiss law, among which the brevity and pragmatism. Now it is up to all companies to take action to foresee alignment with the new provisions by the beginning of next year.
Apparently, all those companies that adopt adequate management tools that allow them to intervene easily and to adapt from time to time to the standards required by the various applicable regulations remain at an advantage.