The new Swiss Data Protection Act (DPA) from September 1, 2023: What you need to know

Since its introduction, the Swiss Data Protection Act (DPA) has established itself as a key instrument for ensuring the protection of personal data in Switzerland. On September 1, 2023, a revised version of the DPA will come into force, which will have a significant impact on businesses, especially website owners and small and medium-sized enterprises (SMEs). This article provides a comprehensive overview of the key changes and what they mean for your business.

1. background and context

Digitalization and the rapid development of technologies have revolutionized the way in which data is collected, processed and stored. In this context, the FADP was revised to ensure the protection of personal data in the modern digital landscape and at the same time strengthen Switzerland’s position in the international data protection environment.

2. main changes in the new DSG

2.1. Extended area of application

The new DPA has an extended territorial scope of application. It applies not only to companies based in Switzerland, but also to companies outside Switzerland that process the data of Swiss residents.

2.2. Stronger rights for data subjects

Data subjects now have extended rights, including the right to information, the right of access to their data, the right to rectification and the right to erasure. Companies must ensure that they have mechanisms in place to implement these rights effectively.

2.3. Data protection impact assessment

Under certain circumstances, companies must carry out a data protection impact assessment before processing personal data. This is particularly the case if the data processing poses a high risk to the rights and freedoms of the data subjects.

2.4. Data Protection Officer

Companies that regularly and systematically process personal data must appoint a data protection officer. This person is responsible for monitoring compliance with the DPA and serves as a point of contact for data protection issues.

3 What does this mean for website owners?

3.1. Cookies and tracking tools

Website owners must provide more transparent information about the use of cookies and other tracking tools. Visitors must have the opportunity to give or refuse their consent before such tools are activated.

3.2. Privacy policy

Every website that collects personal data from visitors must have a clear and comprehensible privacy policy that provides information about the type of data collected, the purpose of the processing and the rights of the data subjects.

4 What does this mean for SMEs?

4.1. Data processing register

SMEs must keep a register of data processing activities. This register should contain all processing activities, the purposes of the processing and the categories of data concerned.

4.2. Training and awareness

SMEs should ensure that their employees are informed about the provisions of the DPA and receive regular training on data protection compliance.

4.3. Contracts with data processors

If SMEs commission service providers to process personal data on their behalf, they must ensure that these contracts meet the data protection requirements of the new DPA.

5. conclusion

The new DPA brings significant changes that are relevant for both website owners and SMEs. It is crucial to familiarize yourself with the new requirements at an early stage and make the necessary adjustments in order to avoid fines and reputational damage. Compliance with the DPA is not only a legal obligation, but also an opportunity to strengthen customer trust and emphasize the value of data security in the modern business world.

Disclaimer:
This text in no way claims to be 100% valid and legally binding. Please always obtain information on the subject of data protection from your lawyer and data protection partner.