New Data Protection Act

After almost four years of discussion, Parliament has adopted the revised Data Protection Act. This should enter into force in mid-May 2022. But it is in the interest of SMEs to prepare for its implementation now.

The revised version of the Data Protection Act contains several new features, in particular more rights for those affected, the promotion of prevention and the strengthening of controls. In addition, the penal provisions have been extended. The new Data Protection Act replaces the previous Act of 1992, which has become obsolete due to technological developments. The Swiss Data Protection Act is also intended to meet European requirements. The EU General Data Protection Regulation (GDPR) has been in force since May 2018 and has applied to the entire European Economic Area since 20 July 2018, including Liechtenstein, Iceland and Norway. What do the new provisions of the revised version of the Data Protection Act mean for SMEs? The Bridge2digital association offers support so that SMEs can apply the new regulations on their own. Wolfgang Pfister, head of the organisation's "Security & Compliance" specialist group, provides us with some background information.

What do SMEs need to pay attention to with regard to the new Data Protection Act?

Wolfgang Pfister: The revised version of the Data Protection Act only applies to personal data and not to corporate data. When an SME has employees and customers, it also has personal data and therefore has to comply with data protection obligations. The new law provides for more extensive information obligations, including the creation of a register of data processing activities, and more rights for the persons concerned. Particularly sensitive personal data now also include genetic and biometric data, such as fingerprints or retinal scans. The Federal Council has put the ordinance relating to the law up for consultation. It should enter into force in mid-May 2022. But it is in the interests of SMEs to prepare for its implementation now.

What problems may SMEs encounter with the application of the new rules?

Wolfgang Pfister: SMEs that collect or process personal data must indicate in a data protection declaration what customer information is processed when customers visit their website, when they use their online services or when the company provides services to the customer. The Bridge2digital association helps SMEs to create a data protection declaration using a template document. This template can be adapted to different sectors, whether it is a medical practice, (online) sales or a craft business.

In accordance with the law, only data that is actually necessary may be collected. An SME may have questions regarding agreements with suppliers, including those of cloud solutions. Data may be disclosed abroad if the third country has adequate data protection. The Federal Council provides a list in this respect. If the exporting country in question is not on this list, personal information may still be passed on, as under the previous law, provided that data protection is guaranteed in another way.

What is the purpose of the Bridge2digital association?

Wolfgang Pfister: The aim of the association is to create a platform for the exchange of experience between companies and across sectors on the application of digitisation procedures. We also want to launch and accompany digital pilot projects, called "flagship" projects and "best practices" at the level of companies, sectors and specialised areas. The association was founded in November 2017 and proposes events on various topics, such as "Security & Compliance" and "Smart Customer Interaction". The 15 current members include interested users who want to develop digitisation further but do not have the resources to do so themselves. They also include Swiss providers of digital solutions, start-ups and established companies. Within the framework of the specialised "Security & Compliance" group, the non-profit association deals with the implementation of the new Data Protection Act, focusing in particular on Swiss SMEs.

What are the questions that SMEs ask about automated individual decisions?

Wolfgang Pfister: The company must inform the data subject of any decision which is based exclusively on automated processing and which is associated with a legal consequence for that person or which significantly influences that person. An example might be the case of signing an insurance contract for which the (potential) customer is refused. The person in question must therefore be given the opportunity to present his or her point of view and, if he or she does not agree with automated individual decisions, must be able to demand that the decision be reviewed by a natural person.

What do SMEs have to watch out for when it comes to profiling?

Wolfgang Pfister: In the case of profiling, a lot of data is combined, which makes it possible to create behavioural patterns and personality profiles. Online shops that analyse users' browsing and shopping behaviour are an example of this. The new law distinguishes between ordinary and 'high-risk' profiling for the rights of a natural person. For the latter, the express consent of the person concerned is required. The Bridge2digital association helps SMEs to create data protection impact analysis models.

What should an SME do in the event of a data protection breach?

Wolfgang Pfister: Under the new law, companies must notify the Federal Data Protection Commissioner of any data leaks. In the event of a data protection breach, the SME or the person responsible must inform the Commissioner as soon as possible whether there is a significant risk to the individual or to the fundamental rights of the person concerned. The data subjects must also be informed if it is deemed necessary for their protection. It is important that companies record what they do. If things go wrong, it is preferable for the SME to be able to provide a clear chain of decisions on how it has sought to comply with the law.

source: https://www.kmu.admin.ch/kmu/it/home/attualita/interviste/2021/e-nell-interesse-delle-pmi-prepararsi-alla-nuova-legge-sulla-protezione-dei-dati.html