Violation of the Swiss Data Protection Act: What are the Consequences?

On September 1, 2023, Switzerland’s new Data Protection Act (DPA) came into effect, introducing several crucial changes.

The amendments to the DPA affect virtually every company or entrepreneur in Switzerland. However, some companies in Switzerland have yet to take any steps. Immediate action is crucial for these businesses. Violating the DPA can have severe consequences, including potential criminal law consequences.

What consequences can occur due to a breach of the DPA?

  1. Penalties under the DPA: The new DPA imposes significant fines explicitly targeting individuals responsible for data protection within a company. This typically includes the management and/or the board of directors if there is no designated Data Protection Officer. Penalties for breaching obligations can amount to fines of up to CHF 250,000.00. Intent is required for liability. Intent is given even in cases of presumed intent, where one considers a breach possible and accepts the risk. This threshold is easily met, and claiming ignorance does not protect against penalties. Non-payment of fines can lead to imprisonment and further penalties.
  2. Penalties outside the DPA: Violation of data protection principles may lead to additional penalties under the Criminal Code, such as for unauthorized acquisition of sensitive personal data, abusive use of another person’s identity, or breach of professional secrecy.
  3. Investigations: The Federal Data Protection and Information Commissioner (FDPIC) can initiate an investigation if there is suspicion of a violation of the DPA. During these investigations, the FDPIC can issue orders, and non-compliance can lead to criminal penalties.
  4. Damage compensation: When individual privacy rights are violated, individuals can claim compensation based on the Swiss Civil Code (SCC) and, under certain conditions, even demand satisfaction.
  5. Violation of Specific Rules: Many entities are subject to special regulations, such as the FINMA Circular 2018/3 on Outsourcing, applicable to banks, insurance companies, and selected financial institutions under the FINIG. Failure to comply with data protection can expose them to FINMA’s enforcement procedures.
  6. Reputational Damage: DPA violations can severely damage the trust of customers and other stakeholders. The risk of exposure should not be underestimated. If a company has not (yet) consistently implemented the DPA, this is externally visible (e.g., a missing or outdated privacy policy). This may prompt former employees or disappointed contractual partners to report the company to authorities, resulting in the aforementioned consequences.

Considering the consequences of violating the DPA, companies that have neglected or deliberately ignored the DPA should take immediate action.

What immediate steps should I take if I haven’t done anything yet?

As a first step, all outward-facing documents should be drafted or updated promptly. This particularly involves the privacy policy and data processing agreements.

Subsequent steps should also be taken as soon as possible. Please refer to our blog post on ‘Switzerland’s New Data Protection Act from September 1, 2023: What Businesses Need to Know’ for further details.

Advoro’s attorneys are available to assist you with implementing your data protection obligations at any time. Specifically, we offer the following:

  • Initial consultation and assessment of the current and expected situation under the DPA,
  • Evaluation of the data protection concept and existing documents,
  • Creation or update of necessary documentation (privacy policy, contracts, etc.) in compliance with laws, and
  • Assistance with complex legal issues and ongoing compliance with all data protection regulations.