Everything you need to know about the new Swiss Data Protection Act 2023

The new Swiss Data Protection Act 2023 applies from the beginning of September and affects not only companies, but also associations and private individuals who process personal data. As a Swiss web hosting provider, we at FireStorm have many customers who are affected by this new data protection law. For this reason, today's article gives you a brief but comprehensive overview of the new data protection regulations. We cover not only the changes brought about by the totally revised Data Protection Act (DPA), but also the new Data Protection Ordinance (DPO) and the new Ordinance on Data Protection Certifications (VDSZ). Of course, this article does not constitute legal advice and is only intended to provide initial information. We hope you enjoy reading the article!

 

 

On 1 September 2023, the new Swiss Data Protection Act will come into force, which we present to you in more detail in this article.

 

 

Some general information on the new Swiss Data Protection Act 2023

At its meeting on 31 August 2022, the Swiss Federal Council decided that the new Swiss Data Protection Act would enter into force in 2023. Accordingly, not only the totally revised Data Protection Act (DPA) and the new Data Protection Ordinance (DPO), but also the new Ordinance on Data Protection Certifications (VDSZ) are to apply from 1 September 2023. The main reasons given are better protection of personal data and greater self-determination over one's own personal data. In addition, transparency in the procurement of personal data was cited as a reason. To ensure all this, data protection must be adapted to technological developments, as the Swiss government wrote in its media release dated 31.08.2022.

 

To whom does the new Swiss Data Protection Act apply?

The new law on data protection in Switzerland affects both federal bodies and private individuals who process personal data. In addition to private companies and associations, this can also include private individuals. For the implementation of the Data Protection Act 2023, it does not matter whether you operate your website privately or commercially. As a rule, you will process personal data, i.e. data relating to a specific or identifiable natural person. (Legal persons are excluded from the new data protection law.) The word “process” includes a broad spectrum and ranges from obtaining to storing to using, changing and deleting data.

 

 

The new Swiss Data Protection Act 2023 applies to companies and authorities as well as associations and private individuals who process personal data.

 

 

What has changed in the new Swiss Data Protection Act 2023?

The principles of data processing remain largely unchanged. They require that data only be used for the intended purpose and only be processed lawfully and proportionately. Certain breaches of duty under data protection law can now be prosecuted under criminal law. However, it is not the company but the responsible natural person who is punished, with a fine of up to CHF 250,000. Apart from that, the new Swiss Data Protection Act 2023 brings some familiar, some updated and some entirely new obligations. We have compiled a compact list of some of the most important obligations for you below:

 

Overview of important obligations under the new Swiss Data Protection Act 2023:

  • Any personal data must be anonymised or deleted if it is no longer needed for the original processing purpose.
  • Companies with more than 250 employees must keep an inventory of all data processing, while smaller companies are usually exempt from this requirement.
  • Users must be informed of the scope and purpose of data processing through an easily accessible and up-to-date privacy policy on the website, without having to accept it.
  • A commissioned data processing contract should be concluded with web hosting providers such as FireStorm who process personal data on behalf of the controller.
  • To ensure the security of personal data, only authorised persons should have access, technical as well as organisational measures should be taken and technical systems should be up to date.
  • Violations of the confidentiality, integrity or availability of personal data must be reported to the Federal Data Protection and Information Commissioner (FDPIC).
  • Appropriate data protection measures are necessary for the disclosure of data abroad, and website operators should check for these before using providers abroad.
  • Individuals whose data is processed have (with some restrictions) the right to access, correct and delete their data, whereby access should be provided free of charge within 30 days.
  • In the case of data processing requiring voluntary consent, the data subject must be informed of the consequences, whereby particularly sensitive personal data require explicit consent.
  • Data protection provisions must be technically and organisationally compliant with data protection law and made available with data protection-friendly default settings.
  • Data protection advisors can be appointed voluntarily under the new data protection law and data controllers based abroad must in some cases appoint a representative in Switzerland.

 

 

 

There is a whole range of obligations under Swiss data protection law, many of which are also extremely important for website operators.

 

 

Further information and implementation of the new Data Protection Act 2023

Since you only have until 1 September 2023 to implement the new Swiss data protection law, you should start promptly. In many cases, it makes sense to get legal support, especially if you are very unsure. So that you can read up further yourself, we have compiled the most important links here:

Media release of the Swiss Federal Council

Bundesgesetz über den Datenschutz (DSG)

Data Protection Ordinance (DPO)

Verordnung über Datenschutzzertifizierungen (VDSZ)

 

 

 
