New Swiss data protection law entering into force on 1 September 2023
The totally revised Data Protection Act (Datenschutzgesetz (DSG), hereinafter “DPA”) and the implementing provisions in the new Data Protection Ordinance (Datenschutzverordnung (DSV), hereinafter “DPO”) and the new Ordinance on Data Protection Certifications (Verordnung über Datenschutzzertifizierungen (VDSZ), hereinafter “ODPC”) will enter into force on 1 September 2023. This was decided by the Federal Council at its meeting on 31 August 2022. The long period between the announcement and the entry into force is intended to give organizations sufficient time to make the necessary arrangements for the implementation of the new data protection law.
The Swiss legislator had already passed the total revision of the DPA on 25 September 2020. The new data protection law is intended to ensure compatibility with EU data protection law and shall make it possible to ratify the Council of Europe’s modernised Data Protection Convention 108. According to the Federal Council’s press release, the adjustments should also make it possible for the EU to continue to recognise Switzerland as a third country with an adequate level of data protection. This means that cross-border data transfers should remain possible in the future without additional requirements. The EU has recognised Switzerland’s level of data protection since 2000. This recognition is currently being reviewed.
The totally revised DPA and the corresponding provisions in the ordinances shall ensure better protection of personal data in the future. In particular, data protection will be adapted to technological developments, self-determination over personal data will be strengthened and transparency in the procurement of personal data will be increased.
Considering the results of the consultation on the implementing provisions, the Federal Council has adapted the draft DPO in several points. For example, it has extensively revised the chapter on the obligations of data controllers and, in particular, exempted private individuals from certain information obligations when disclosing personal data. The modalities for the right to information were also simplified. In particular, the documentation requirement was deleted. In the area of data security, the Federal Council has partially adapted its original proposal in response to critical feedback during the consultation process. In addition, a new provision was added that harmonises the protection goals in the area of data security with the new Information Security Act of 18 December 2020.