Contact




    The ‘new’ Federal Data Protection (nDPA): One year on

    The ‘new’ Federal Law on Data Protection (nLPD) recently celebrated its first anniversary – an occasion we took the opportunity to celebrate with our clients during a breakfast dedicated to the subject at our offices. In this article, we remind you of the main changes to bear in mind when your company processes personal data in Switzerland.

    Why a new law?

    There are many reasons for this. Firstly, there was a certain need for harmonisation in view of the entry into force of the General Data Protection Regulation (GDPR) in the European Union (EU) on 25 May 2018. It had become imperative for Switzerland to bring itself up to speed with this regulation, which imposes binding legal barriers on an EU member state to transfer personal data to a non-EU member state such as Switzerland.

    We can also mention the need to modernise the law to adapt to the latest technological developments. Smartphones, the cloud, AI, the IoT… all these elements that have become part of our daily lives, on which personal data is hosted and transited, necessarily need to be regulated in order to provide a minimum level of protection for individuals and their rights, as well as transparency regarding the processing of their personal data.

    The new requirements in brief

    Here again, the changes are numerous. To mention only the most important:

    • A new scope of application: only the personal data of natural persons is now covered by the nLPD, and no longer that of legal entities.
    • Introduction of the principles of ‘Privacy by design and by default’: the protection of users’ personal data must be integrated into the design stage of any project that involves the processing (collection, transmission, anonymisation, etc.) of personal data. In addition, all software, hardware and services must be configured in such a way as to protect data ‘by default’ with the highest level of security and to respect users’ privacy.
    • Introduction of the concept of impact assessment: If the processing of personal data envisaged by an organisation is likely to result in a high risk for the data subject, the data controller will now have to carry out an impact assessment beforehand.
    • The controller’s duty to inform has been extended: Previously, only the collection of sensitive personal data had to be notified to the data subject.
    • Notification procedure: Data controllers must now notify the Federal Data Protection and Information Commissioner (FDPIC) of data security breaches that pose a high risk to the data subject.
    • Register of processing activities: there is now an obligation to keep an up-to-date register of processing activities, with an exception for organisations that employ fewer than 250 staff and/or whose data processing presents a limited risk to data subjects.
    • Appointing a Data Protection Officer : organisations have the option of appointing a Data Protection Officer in order to avoid major administrative burdens for the authorities. For more information on this subject, see our page dedicated to the DPO: https: //www.meanquest.ch/sequal/dpo-as-a-service/

    Ensuring the security of your personal data: a legal obligation…

    It is now mandatory for an organisation that processes personal data to put in place ‘ organisational and technical measures appropriate to the risk involved[1].

    Naturally, any legal obligation is accompanied by penalties for non-compliance. The nLPD provides for fines of up to 250,000 Swiss francs for private individuals within an organisation who are found guilty of breaching one of these provisions.

    … but above all an opportunity to control your information security risks

    Although the nLPD is more restrictive overall than its predecessor, it also provides an excellent opportunity to identify, assess and deal with the security risks associated with the personal data you process.

    An analysis of the Ordinance implementing the nLPD (the OPDo) reveals that it is the very identification and processing of risks that become mandatory: ‘[…] in relation to the risk incurred[2]. This makes sense. The relevance of security measures will necessarily depend on the risks identified within your organisation.

    To go even further, the OPDo, which came into force at the same time as the nLPD and which complements the latter, specifies this obligation:

    “The need to protect personal data, the risk incurred, and the technical and organisational measures are reassessed throughout the processing period. If necessary, the measures shall be adapted[3] ‘.

    This means that not only is it necessary to identify the risks, but that these risks must also be regularly reassessed.

    How can sequal help you comply with the nLPD?

    sequal can help you comply with these new obligations. Firstly, by carrying out an initial data protection and information security audit, we can identify your risks in these areas, and then offer you support tailored to your needs (up to and including obtaining ISO 27001 and 27701 certification). For more information, visit our dedicated support page: https: //www.meanquest.ch/sequal/conformite-lpd/

    [1] Article 8 of the Federal Data Protection Act (LPD) of 19 June 1992 (as at 1 September 2023), RS 235.1.

    [2] Ibid.

    [3] Article 1, para. 5 of the Ordinance on data protection for federal bodies (OPDO) of 14 June 1993 (status as at 1 September 2023), RS 235.11.

    News suggestions

    Donation of old MBC tablets to the Jobtrek Foundation

    Meanquest fait don de tablettes MBC à la fondation Jobtrek pour soutenir l’inclusion professionnelle.

    On the road to a responsible approach!

    Meanquest presents its CSR strategy

    Swiss IT Forum(s) 2024 in Geneva

    Discover the video of our presence at the Swiss IT Forum(s) 2024 in Geneva on our news.

     

    Swiss IT Forum(s) Genève 2024: The benchmark IT event in French-speaking Switzerland

    Meanquest will be taking part in the Swiss IT Forum(s) on 25 and 26 September 2024 at Palexpo. Come and meet us!