
The last time most Swiss companies dealt with data protection was probably at the beginning of 2018, when the EU General Data Protection Regulation (GDPR) came into force. At that time, new data protection declarations and policies were hastily drafted. In the meantime, one hears of high fines imposed on European companies for violations of data protection. But since no Swiss company has apparently been fined yet, this seems to be a very distant rumble of thunder.
This relative peace is now over, however, and there is a need for action in Switzerland as well: Swiss data protection law has been revised along the lines of the GDPR and the new Data Protection Act (revDPA) is expected to come into force in mid-2022. The new data protection requirements will come into force without a transition period, meaning that companies must be ready from day one. The revDPA requires the company to take an in-depth look at how it handles personal data and to make significant adjustments to processes, responsibilities and documentation. Much has already been written about this elsewhere. At this point, we would just like to give an additional hint as to why the handling of the regulations of data protection law should be taken much more seriously.
This has to do with the sanctions imposed in the event of violations:
The GDPR provides for high fines, which are calculated according to the turnover of the company. These are fines paid by the company, i.e. the prosecution and the fine do not affect the responsible persons personally. Under these circumstances, the company’s employees might shrug their shoulders and think to themselves, “Not my money!”. However, Switzerland has opted for a different system of sanctions with the revDPA: Chapter 8 introduces criminal law sanctions and provides that fines of up to CHF 250,000 will be imposed on the private persons who are (jointly) responsible for the data protection violations that have occurred.
The sanctions under the revDPA
a) are sanctions under (administrative) criminal law that are imposed in criminal proceedings
b) affect the responsible persons personally
c) may not be paid by the company and no insurance coverage may be taken out.
At least a conviction does not lead to further stigmatisation of the person concerned via the criminal record: the fines provided for in the revDPA are treated as transgressions (minor offences) only and lead to an entry in the criminal record if the fine exceeds CHF 5,000, and even then they are not listed on the private statements that can be ordered for oneself and that one usually has to show when applying for a job, etc. Only certain authorities see the fine in the record. However, criminal proceedings – in addition to the threat of a fine and the costs of the proceedings – are usually associated with a very considerable psychological burden for the person concerned.
It is obvious that no potentially responsible person will take this responsibility lightly and it can be assumed that the companies will have to explain themselves.
Responsible and thus subject to criminal sanctions are
– the management persons in the company who must ensure compliance with the revDPA in the company, i.e. the board of directors and the executive board;
– also persons who do not belong to the top management level but who are assigned a specific responsibility, e.g. a data protection officer or an IT officer;
– but not so-called “assistants”, i.e. such persons who do not have any particular independent decision-making power or responsibility for data protection.
The revDPA does not provide for a criminal sanction for every data protection violation, but only for certain ones:
– deliberate provision of false or incomplete information, e.g. about the acquisition of personal data or the automatic processing of decisions concerning the data subject;
– wilful omission of information spontaneously owed to a person about the procurement of personal data;
– providing false information to the Federal Data Protection Commissioner or refusing to cooperate in investigations. Disregarding the orders of the Federal Data Protection Commissioner is also punishable;
– the transfer of personal data over the border that does not meet the legal requirements. This is likely to be particularly sensitive: many companies are not even aware that their IT infrastructure entails such transfer, e.g. if service providers store the data on servers abroad or in cloud services;
– the outsourcing of data processing without the required conditions being met;
– violation of the “minimum requirements” for data security;
– the “breach of professional secrecy”.
The attentive reader who falters on reading the last sentence, scratches his head and asks himself: “Where on earth does this ‘professional secrecy’ come from?” is absolutely right! Well established are the official secrecy of state employees, the professional secrecy of lawyers, pastors and doctors, and the banking secrecy imposed on bank employees. Art. 62 para. 1 of the revDPA now creates, in addition, a completely new duty of confidentiality that applies generally, detached from any profession, function or industry. It is therefore called “minor professional secrecy” or “professional secrecy for everyone”. It is questionable whether “everyone” is aware of this new responsibility today!
Art. 62 para. 1 revDPA reads:
“Any person who wilfully discloses secret personal data of which he or she has become aware in the exercise of his or her profession which requires knowledge of such data shall, on application, be liable to a fine of up to 250,000 francs.”
This wording is worryingly broad, especially because no significant restriction results from the fact that only “secret” personal data is to be protected from disclosure. “Secret” does not mean only actual state secrets or key trade secrets. According to the formula used in criminal law, “secret” is any fact that is not generally known or accessible, provided the owner of the secret has an interest worthy of protection in keeping it secret and takes reasonable steps to keep that fact secret. Obviously, this does not give this “professional secrecy” any really sharp contours. As a precaution, everyone, regardless of their profession, function and hierarchical position in the company, must exercise the greatest caution not to provide personal data to recipients who are not authorised to receive it under data protection law. This is of course very delicate for data flows in a business setting, where personal data must be shared within the company and across companies (with partners and service providers): a real minefield!
The new criminal provisions of data protection law go very far in terms of wording and lead to the risk of criminal prosecution and conviction at both the upper and lower hierarchical levels in companies. If voices are now being heard that the Swiss authorities will probably exercise a “sense of proportion” and proceed “pragmatically”, one can only hope that this is not mere wishful thinking. The fact is that the revDPA is an adaptation of the GDPR and adopts not only its rules and wording but also its goals. When making decisions, the Swiss authorities will undoubtedly be guided by the decisions of EU authorities and courts, as well as by foreign legal literature on the GDPR. However, there are no signs of “pragmatism” or “moderation” in the latter; on the contrary, the GDPR is interpreted as strictly as possible and enforced with draconian fines. Critical voices about this practice can hardly be found.
Conclusion: How should a company deal with this new situation?
The entry into force of the revised Data Protection Act must be an impetus to thoroughly examine compliance with the new rules. It should be noted that it is no longer just a matter of drafting data protection declarations, but that new rules may require adjustments to the organisation and sensitisation of all employees who come into contact with personal data.