Data Protection
In September 2017, the Swiss Federal Council presented its draft of the fully revised Data Protection Act (E-DPA). This comprehensive overhaul aligns Swiss legislation with recent developments in the EU and the Council of Europe. The main goals include:
Improving transparency for individuals
Strengthening the independence of the Federal Data Protection and Information Commissioner (FDPIC)
Ensuring that Switzerland remains recognized by the European Commission as a third country with an adequate level of data protection, thus allowing uninterrupted cross-border data transfers
The legislative process has proceeded through both chambers of Parliament and is currently in the conciliation phase. While some issues remain unresolved, several major changes are already defined—assuming the bill is not unexpectedly rejected.
Sanctions Against Natural Persons
As in the current law, the revised DPA includes criminal sanctions, but the range of punishable offences has been significantly expanded. The revised act explicitly includes fines of up to CHF 250,000.
Unlike the EU’s GDPR, corporate fines are only foreseen in exceptional cases, when identifying the responsible individual would be disproportionate (Art. 58 E-DPA).
Record of Processing Activities
Mirroring the GDPR, the E-DPA introduces a record of processing activities to be maintained by both data controllers and processors (Art. 11 E-DPA).
Exemptions are granted to companies with fewer than 250 employees, provided their data processing activities pose minimal risk to the privacy rights of individuals.
Privacy by Design and by Default
Article 6 E-DPA codifies the principles of
Data protection through technology (Privacy by Design), and
Data protection through default settings (Privacy by Default).
Controllers are required to design their systems and processes from the outset in a way that ensures compliance. They must also ensure that only the minimum amount of personal data necessary for the intended purpose is processed.
Expanded Duty to Inform
Whereas the current DPA only requires that data subjects be able to recognize what data is being processed and for what purpose, the revised E-DPA imposes an active obligation to inform the data subject at the time of data collection.
Data Protection Impact Assessments (DPIA)
Controllers must conduct a DPIA if the planned data processing poses a heightened risk to the privacy or fundamental rights of the affected persons.
Mandatory Breach Notification
If a data breach presents a high risk to the rights or freedoms of individuals, the controller must report it to the FDPIC as quickly as possible.
Current Legislative Status
On 2 June 2020, the Council of States resumed—but did not complete—the reconciliation process.
The National Council was scheduled to continue deliberations during the autumn session (7–25 September 2020).
It remains to be seen whether the remaining issues will be resolved within the conciliation process or whether a formal conciliation committee (after three rounds) will be required.
Further Information