Are your company and your website already compliant for September 1, 2023, the date of introduction of the revised Swiss Data Protection Act revDPA? Are you aware of the new data protection regulations?
This involves much more than just updating a privacy policy or revising the legal notice on the website. It’s about a holistic data protection concept with subsequent data protection measures for your association, your company, your online store.
The introduction of the new DPA in Switzerland is a good time to give some fundamental thought to the topic of data security in your organization. Take the opportunity now and invest some time in the topic – either independently or together with us – in order to build up knowledge and comply with the new legal requirements.
Support in the data protection jungle
Following high demand from our customers, we have put together some all-inclusive packages to get your website or store off to a data protection-compliant start this fall. Nothing suitable? We also offer you and your organization online workshops “on demand” according to your wishes and needs.
Basic” package – CH data protection
Implementation of technical measures relevant to data protection, such as
- Take recommended safety measures
- No longer stream web fonts directly, but install them locally on web hosting (Google Fonts, Adobe Fonts)
- Install or remove all third-party script codes on web hosting (if not absolutely necessary)
- Solution for the topic of web statistics / Google Analytics
- Cleaning up data that is no longer required
- Completion by us, no time expenditure for the customer.
All-inclusive package:
CHF 390 excl.
Medium” package – CH data protection
- All services according to the “Basic” package plus:
- Development of a new privacy policy for the CH revDSG 2023, update of the privacy policy page
- Building basic know-how on data protection in an online meeting (1.5 h)
- Support in the creation of required documents on data protection-related topics
- Establish simple rules/procedures in the working document (e.g. when data is deleted) to comply with the new CH data protection regulations
- Working method: In cooperation with the customer
All-inclusive package:
CHF 670 excl.
Large” package – CH data protection
- All services according to the “Medium” package plus:
- Detailed data protection know-how online workshop (3 h), work on specific practical examples
- Access to checklists and templates / documents on data protection
- Support for organizational measures in the company until 31.08.2023
- Support for questions/uncertainties until 31.08.2023
- Working method: Together with the customer
All-inclusive package:
CHF 1120 excl.
Only new privacy policy, compliant for CH data protection
- Creating / updating a suitable privacy policy for the website
- Deposit in footer, adjust links if necessary, deposit in all input forms (e.g. contact form, inquiry forms)
- Completion by us, little time required for the customer (if necessary, survey on the use of tools)
All-inclusive package:
CHF 160.- excl. VAT as a single package, per website
Replace Google Analytics with Matomo, data protection compliant configuration
- Individual setup of Matomo
- Configuration compliant with data protection
- Completion mainly by us, little time required for the customer
All-inclusive package:
CHF 720 excl.
Most frequently asked questions about the revised Data Protection Act FADP in connection with websites / online stores
The new Swiss Data Protection Act (DPA), which comes into force on September 1, 2023, will bring significant changes to the protection of personal data in Switzerland. The law was developed to meet the increasing demands of the digital age and to better protect the privacy of citizens.
One of the most important innovations of the DPA is the strengthening of the rights of data subjects. According to the new law, individuals have the right to obtain information about the processing of their personal data. They can also request that their data be rectified, erased or restricted if it is inaccurate, incomplete or no longer relevant. In addition, data subjects have the right to data portability, which allows them to transfer their data from one controller to another.
The DPA also lays down stricter rules for data processing. Companies and organizations must ensure that they process personal data lawfully, fairly and transparently. They must also observe the principle of data minimization by only collecting the information that is necessary for the respective purpose. In addition, they must take appropriate technical and organizational measures to ensure the security of the data and prevent data breaches.
Another important aspect of the DPA is the introduction of the so-called “right to be forgotten”. This right enables data subjects to request the erasure of their personal data, in particular if the data is no longer required for the original purpose or if the processing has been carried out unlawfully.
The DPA also stipulates that certain data processing may only take place with the express consent of the data subjects. Consent must be voluntary, informed and unambiguous. Data controllers must ensure that consent can be withdrawn at any time.
Compliance with the new Data Protection Act is monitored by the Federal Data Protection and Information Commissioner (FDPIC). The FDPIC is authorized to conduct investigations, impose fines and intervene in the event of data protection violations.
With the entry into force of the new Swiss Data Protection Act (DPA) on September 1, 2023, data protection standards in Switzerland will be strengthened and citizens will be given more control over their personal data. The law is an important step towards ensuring the protection of privacy in the digital age.
The following points are important in connection with the revised Swiss Data Protection Act (DPA) and websites:
- Information obligations: Websites must provide transparent information about the processing of personal data. This includes information on purposes, legal bases, duration of data storage, recipients of the data and rights of the data subjects.
- Consent: Websites must obtain the consent of users before processing personal data. Consent must be voluntary, informed and unambiguous. It should also be easy to withdraw consent.
- Right of access and rectification: Users have the right to obtain information about the processing of their personal data. Websites must make this information easily accessible. If data is inaccurate or incomplete, it must be corrected.
- Right to erasure: Websites must grant users the right to have their personal data erased. This applies in particular if the data is no longer required for the original purpose or if the processing is unlawful.
- Data portability: Users have the right to transfer their personal data from one website to another. Websites should create the technical conditions for this and provide the data in a structured and commonly used format.
- Data security: Websites are obliged to take appropriate technical and organizational measures to ensure the security of personal data. This includes measures to protect against unauthorized access, loss or misuse of data.
- Privacy policy: Websites should provide a privacy policy that is easily accessible and contains all relevant information on data processing. The privacy policy should be written in clear and understandable language.
- Data transfer to third parties: If personal data is passed on to third parties, websites must ensure that these third parties also comply with data protection regulations. The user’s consent may be required.
- Data breaches: Websites are obliged to report data breaches immediately if they pose a risk to the rights and freedoms of data subjects. This includes notifying the supervisory authority and, where appropriate, the data subjects themselves.
It is important to note that this is only a general overview and does not constitute legal advice. For a comprehensive and accurate assessment, website operators should seek legal advice from professionals who are familiar with the revised Swiss Data Protection Act (DPA).
Yes, as an association you must also comply with the new Data Protection Act (DPA). The revised DPA applies to all organizations and companies, regardless of their legal form, including associations. The law regulates the protection of personal data and the associated obligations to ensure the privacy of citizens.
As an association, you probably process personal data, be it from your members, donors, employees or other persons. This may include storing contact details, membership information or financial information. Under the new DPA, you must ensure that you process this data lawfully and in accordance with data protection regulations.
The most important steps you should take as an association to comply with the DPA include
- Find out about the provisions of the new DPA and make sure you understand the basic requirements.
- Review your data processing practices and ensure that you have a legal basis for processing personal data. In most cases, this will either be the consent of the data subjects or the need to fulfill a contract or legal obligation.
- Create or revise your privacy policy to meet the requirements of the DPA. The privacy policy should contain transparent information about the processing of personal data, including the purpose, legal basis, duration of data storage, recipients and rights of data subjects.
- Take appropriate technical and organizational measures to ensure the security of personal data and prevent data breaches. This may include, for example, the implementation of access controls, encryption and regular data backups.
- Ensure that you respect the rights of data subjects, including the right of access, rectification, erasure and data portability.
- Train your employees and raise their awareness of data protection issues so that they are aware of how they should handle personal data.
It is advisable to consult legal counsel or a data protection authority in your country for specific questions about data protection law to ensure that you meet all the requirements of the DPA and ensure the protection of personal data.
If an organization, including an association, does not comply with the Data Protection Act (DPA), this can have various consequences. In general, violations of the DPA can lead to legal and financial consequences. Here are some possible consequences:
Fines: Data protection authorities can impose fines for violations of the DPA. The amount of the fines depends on the severity of the breach and can be substantial. The exact fines may vary depending on national legislation.
Prohibition of data processing: In the event of serious violations, the data protection authority may request the organization to cease processing personal data. This can have a significant impact on business activities.
Legal disputes and claims for damages: Data subjects can take legal action against an organization if they believe their data protection rights have been violated. This can lead to legal disputes and potential claims for damages.
Loss of reputation: If an organization violates the DPA and has data protection violations, this can lead to a significant loss of trust among the data subjects and the public. This can significantly damage the reputation of the organization.
It is important to note that the exact consequences and sanctions may vary from country to country, as the DPA may vary depending on national legislation. It is advisable to check the specific provisions of the DPA in your country and consult with legal counsel or the relevant data protection authority if you have any questions. Compliance with data protection law is crucial to protect the privacy of data subjects and avoid legal problems.
The exact timeframe for adjustments after September 1, 2023 will depend on various factors, including the current status of your organization’s data protection practices and the complexity of the adjustments required. However, it is important to note that the date September 1, 2023 marks the entry into force of the new Swiss Data Protection Act (DPA) and that compliance is expected from that date.
It is recommended that organizations take measures to adapt their data protection practices and ensure that they comply with the new requirements before the new DPA comes into force. Depending on the extent of the adjustments required, it may make sense to start reviewing and updating data protection guidelines, declarations of consent, processing procedures and technical security measures at an early stage.
E-CommerceWIX Online Shop complies with data protection regulations
Make your WIX online store data protection compliant in accordance with the new Swiss Data Protection Act (DSG) regulations.
- Set WIX data protection compliant for CH
- Removal of non-compliant tools (if available)
- Storage of relevant content that is mandatory for a CH store
- Implementation of the changes by us / in close cooperation with the customer
All-inclusive package:
from CHF 560 excl. VAT as a single package, per website
E-commerce: Woocommerce online store compliant with data protection regulations
Make your Woocommerce online store data protection compliant in accordance with the new Swiss Data Protection Act (DSG) regulations.
- Set Woocommerce data protection compliant for CH
- Removal of non-compliant tools (if available)
- Storage of relevant content that is mandatory for a CH store
- Implementation of the changes by us / in close cooperation with the customer
All-inclusive package:
from CHF 790 excluding VAT.
Do you still have questions about the revised Data Protection Act 2023? Unclear about the implementation for your website?
Michael Rettenmund
I will be happy to advise you on all questions relating to the revised Data Protection Act from a technical and organizational perspective.
E-mail: solutions@rettenmund.com
Disclaimer:
Please note that when it comes to legal issues, we can only point you in the direction of generic solutions that are suitable from an IT perspective. Depending on the size or complexity of the company, it may be advisable to seek additional professional legal advice.
