Today is an important day for all of us in Switzerland, as the new Federal Act on Data Protection (nFADP) comes into force. This law affects us all, and it is our duty to be up-to-date. Even though we cannot make legally backed recommendations, we are excited to share our experiences and insights.
Why do we need a new law?
In a world where technology develops rapidly, our laws must keep pace. The previous law dates from 1992, long before today's web, so an update was overdue. The new Federal Act on Data Protection strengthens the informational self-determination of users and ensures more transparent handling of our data. It is also a precondition for Switzerland to continue being recognised by the EU as a third country with an adequate level of data protection, since the General Data Protection Regulation (GDPR) applies in the EU.
What has changed?
There are some important changes that businesses need to be aware of:
Natural persons Until now, the data of legal persons was also covered; the new law protects only the data of natural persons (Art. 2 FADP).
Genetic and biometric data Genetic data and biometric data that uniquely identify a person now also count as sensitive personal data (data requiring special protection). Art. 5 let. c FADP also lists the other categories of sensitive data: data on religious, ideological, political or trade union views or activities; data on health, the intimate sphere (privacy) or racial or ethnic origin; and data on administrative or criminal proceedings and sanctions or on social assistance measures.
Privacy by Design In the case of products that collect personal data, the structure must be technologically designed from the outset in such a way that the protection and respect of the privacy of the users is guaranteed. As little personal data as possible should be collected, and if it is collected, it should be protected. For example, only those details that are absolutely necessary should be mandatory fields in contact forms (Art. 7 FADP).
Privacy by Default By default, hardware and software, as well as any services, must be configured in such a way that both data protection and restrictions on the use of the data are activated without users having to actively do anything about it (Art. 7 FADP).
Impact assessment A data protection impact assessment is required if the planned processing may entail a high risk to the personality or fundamental rights of the data subjects (Art. 22 para. 1 FADP). This is particularly the case if sensitive personal data is processed extensively or if public areas are systematically and extensively monitored (Art. 22 para. 2 FADP).
Penal provisions Violations of the Data Protection Act can result in fines of up to CHF 250,000. Unlike under the GDPR, these fines are imposed on the responsible natural persons (e.g. managers or employees) rather than on the company as such. Further information can be found in chapter 8 FADP.
Register of processing activities A register of processing activities is now obligatory in principle. Companies with fewer than 250 employees are exempt if their processing involves only a low risk of violating the personality of the data subjects (Art. 12 FADP).
Notification of data security breaches If a breach of data security is likely to result in a high risk to the personality or fundamental rights of the data subjects, the Federal Data Protection and Information Commissioner (FDPIC) must be notified as soon as possible (Art. 24 FADP). The affected persons must also be informed where this is necessary for their protection or where the FDPIC requests it.
Profiling Profiling, i.e. the automated processing of personal data to evaluate personal aspects such as work performance, economic situation, health, interests or behaviour, is a term newly included in the law (Art. 5 let. f FADP). It is used, for example, in recruiting or in online marketing to build precise customer profiles. Where a decision is based exclusively on automated processing and has legal effects or a significant impact on the person concerned (e.g. in job applications or credit checks), the person must be informed and has the right to state their position and to have the decision reviewed by a human (Art. 21 FADP).
Data disclosure Users have a right of access: they can request information about which of their personal data is processed, in principle free of charge (Art. 25 FADP). Where the data is processed automatically and on the basis of consent or a contract, they can additionally request its release or transfer in a common electronic format (e.g. CSV), again free of charge (Art. 28 FADP).
Transparency is key
Companies must provide clear, understandable and transparent information about when, for what purpose and what kind of personal data is processed (Art. 19 FADP). If data is sent abroad (e.g. for hosting), this must also be communicated, and additional safeguards are required if the destination country does not guarantee adequate data protection (Art. 16 FADP). Enclosed is a list of countries which, according to the FDPIC, do not guarantee adequate data protection.
How we prepared for the new law
We have also given a lot of thought to what the new law means for us and what adjustments are necessary. A first step was to discuss and document all the places where we process data. This includes contact forms, newsletter lists, application data and our CRM system, as well as the data of our employees. For requests to disclose or delete data, we have defined who handles them and provides a timely, friendly email response with the requested information, of course in the usual Renuo manner (Chapter 4 FADP). Our imprint has also been updated to meet the latest requirements of the Data Protection Act. Furthermore, we have assessed the risk of a breach of the Data Protection Act, which we currently consider to be low. Nevertheless, we have included a dedicated slot on data protection in our LearningWeek to ensure that all our staff are up to date. Lastly, we have regulated access to staff data and given employees more control over which of their data is accessible. This is an important step towards strengthening employee self-determination and ensuring that data is handled responsibly.
What we have been implementing for a long time
Data protection is not a new issue for us at Renuo, so there are some measures we have been implementing for a long time. These include the encryption of all data in transit with TLS (still commonly referred to as SSL) and the encryption of all our hardware. Credentials such as usernames and passwords are stored encrypted in a password manager. If such credentials have to be transmitted to customers, we use seme.li as a secure channel. Our "Privacy by Design" approach is reflected in our contact form, where we only collect the data we actually need. Data from applicants is treated confidentially and destroyed after the application process, or retained by mutual agreement. Our imprint also has a chapter on data protection with all the necessary information, including the note that data may be passed on to third-party providers when social media buttons are clicked. In addition, we always check plug-ins and tools for data protection conformity before using them, and anyone can unsubscribe from our newsletter mailing list at any time and without our involvement, even though this fortunately happens only rarely.
Data protection is an important topic that affects us all. The new Federal Act on Data Protection strengthens the rights of users and increases the requirements for companies. It is important that we are all informed and take appropriate measures to ensure data protection. At Renuo, we have already made some adjustments and are striving to improve data protection even further and keep it up to date.