Data protection


⚡TL;DR

  • Both the Swiss law (FADP) and the European regulation (GDPR) can apply simultaneously to Swiss companies.
  • Understand your role:
    • The controller is the entity determining the purpose and the means of the data processing.
    • The processor processes data on behalf of the controller.
  • The law provides an exhaustive list of sensitive data (e.g., health data).
  • The controller has an information obligation towards data subjects. This is usually fulfilled through a privacy policy.

Data protection laws can significantly impact your business model. This is particularly relevant for data-intensive businesses. In these cases, it is essential to understand the impact of these rules and to outline a strategy for addressing any issues.

General risks are fines for board members (in Switzerland) and for the company (in the EU), as well as reputational damage. For companies active in B2B fields, a proper data protection setup is a prerequisite for selling your services to customers.

The FADP is the Swiss Federal Act on Data Protection; it applies:

  • When the data processing is done in Switzerland or when the data processing is done abroad but has an impact in Switzerland.
  • If personal data are processed (see below for the definition).
  • If the data are processed by private persons (e.g., by companies) or by the federal administration, but not when the data are processed by cantons or cities.

The GDPR is the European General Data Protection Regulation; it applies:

  • When the data processing is done in the EU or when the data processing is done out of the EU (e.g., in Switzerland) but relates to:
    • the offering of goods or services to people in the EU; or
    • the monitoring of the behavior of people, insofar as that behavior takes place in the EU.
  • If personal data are processed (see below for the definition) through automated means (e.g., AI) or (in case they are not processed by automated means) if they are meant to be included in a filing system (e.g., hard drive, cloud).

Keep in mind that data protection laws do not apply to data processing done exclusively for personal use.

Both regulations can apply simultaneously. This is often the case for Swiss companies targeting Swiss and European customers.

  • Personal data: Any information relating to an identified or identifiable natural person, such as:
    • Name, birth date
    • Address, email, phone number
    • IBAN
    • Log-in data
    • IP address
    • Etc.
  • Sensitive data (FADP) / Special categories of data (GDPR): Personal data that receive stronger protection because they concern the core of a person's private life. These are:
    • Data relating to religious, philosophical, political, or trade union-related views or activities;
    • Data relating to health, the private sphere or affiliation to a race or ethnicity;
    • Genetic data;
    • Biometric data that uniquely identifies a natural person;
    • Data relating to administrative and criminal proceedings or sanctions;
    • Data relating to social assistance measures (FADP only).
  • Processing: Any handling of personal data. This is a very wide definition, and it includes collecting, storing, using, amending, archiving, deleting, and even reading data.
  • Controller: The company (or person, or authority) determining the purpose and the means of the processing. It is often the party collecting the data, but not necessarily. Keep in mind that there can be joint controllers.
  • Processor: The company (or person, or authority) processing data for the controller.
  • Sub-processor: The company (or person, or authority) processing data for the processor, as a sub-contractor.
  • Data subject: The person whose data is being processed.

Best practices

FADP/GDPR: It is clarified whether FADP, GDPR, or both are applicable to the data processing.

Controller/processor: For each processed dataset, the role (data controller or data processor) of the company is understood and confirmed in writing.

Sensitive data: For each processed dataset, it is understood and confirmed in writing whether sensitive data is processed.

Under the FADP, data processing is generally authorized without a justification ground, provided that the data subject is sufficiently informed (see Privacy and cookies policies). If the processing unlawfully breaches the data subject's personality rights (e.g., because it violates legal obligations or goes against the express wish of the data subject), it is only permitted if it is legitimized by a justification ground.

Under the GDPR, any processing is unlawful unless it is legitimized by a justification ground (a legal basis).

In both cases, justification grounds include:

  • the consent of the data subject (which must sometimes be given expressly);
  • an overriding private, public, or vital interest;
  • execution of a contract with a data subject or for the purpose of entering into a contract with a data subject;
  • the law.

Information duty

In any case, as a data controller, you must inform the data subjects about the processing and its related elements. This is done in Privacy and cookies policies.

When processing data, the data controller must establish a Record of Processing Activities (ROPA). This is an obligation for all companies under the GDPR and for all companies with more than 250 employees under the FADP. The ROPA is an overview of the key processing activities, including the types of personal data, the company's role (controller vs. processor), and an overview of sub-processors.

Best practices

Justification grounds: Justification grounds are collected and documented when required to process personal data.

ROPA: There is an overview of the key processing activities.

Processing sensitive data means having to comply with additional requirements.

  • If the processing is based on consent, this consent must be explicit.
  • Other justification grounds might also be applicable (e.g., a doctor must process health data to treat patients).
  • Stricter technical and organizational measures must be implemented to ensure data security.
  • In the case of the large-scale processing of sensitive personal data, a data protection impact assessment must be carried out.