On 1 September 2023, the new Swiss Data Protection Act, which is aligned with the GDPR, will enter into force. Companies active on the Swiss market should prepare. For example, there is a new requirement to appoint a “Data Protection Representative” in Switzerland. The Swiss lawyer Sophie Winkler has answered our questions on this topic:
What is a Data Protection Representative in Switzerland?
The concept of the Data Protection Representative in Switzerland is based on the EU representative under the GDPR. According to the GDPR, companies without an establishment in the EU that target the EU market and process personal data in this context must appoint a representative for data protection issues in the EU. The new Swiss Data Protection Act (nDSG) applies this concept to data controllers with their registered office or domicile outside of Switzerland who process data of Swiss individuals. They have to appoint a representative in Switzerland.
Who is subject to Swiss data protection law and may therefore need a Data Protection Representative in Switzerland?
Subject to the law are companies and private individuals who process data relating to natural persons in Switzerland. This also concerns processing activities initiated or carried out outside of Switzerland, provided the following criteria are met:
- The processing is carried out in connection with the offer of goods and/or services or the observation of the behaviour of individuals in Switzerland;
- The processing of the data is extensive;
- The data is regularly processed;;
- The processing entails a high risk for the personality of the persons concerned.
What is considered a high risk? In case of doubt, this is fulfilled if the entire Swiss market is addressed and thus a large number of persons is affected. However, a high risk can also result from the type of data processed or its content (e.g. sensitive data requiring special protection), the type and purpose of the data processing (e.g. profiling), the amount of data processed (e.g. entire Swiss market), the transfer to third countries (e.g. if foreign legislation does not ensure adequate protection of personal data such as the USA, India, etc.) or if a large or even unlimited number of persons can access the data.
Does this mean that a Data Protection Representative must be appointed if the company website is made available in Switzerland (e.g. in German language) and uses tracking?
A company with a website that (also) addresses Swiss customers with its offers and collects a lot of data relating to these Swiss individuals (including tracking) must appoint a representative.
Do you also have to take action if you already have an office or a subsidiary in Switzerland?
Yes. The obligation to appoint a Data Protection Representative in Switzerland applies to data controllers with registered offices outside of Switzerland in general – which likely refers to the head office. The duty to appoint a Data Protection Representative exists independently of the fact if the data controller already has a branch office or subsidiary in Switzerland. Therefore, also in such cases, the obligation to appoint a Data Protection Representative must be considered. However, the head office may fulfil the obligation to appoint a representative, if necessary, by designating the existing branch or subsidiary as its Data Protection Representative.
What are the duties of the Data Protection Representative?
The Data Protection Representative must keep a register of the data controller’s processing activities, which contains the information in accordance with the Swiss Data Protection Act. The requirements are set out in Art. 12 nDSG. This provision essentially corresponds to the requirements of the GDPR, but some additional information is necessary.
In addition, the Data Protection Representative is the contact point for enquiries from the Federal Data Protection and Information Commissioner (FDPIC) and must provide the FDPIC with the information about the data subjects contained in the data register upon request. If the representative does not cooperate sufficiently with the FDPIC, the latter may impose sanctions.
The representative must also provide information on how a data subject can exercise his or her rights in the event of a request. Accordingly, the Data Protection Representative must provide an address or other means of contact in Switzerland (e.g. postal address and e-mail), which must be published. As a rule, this information is published in the data controller’s privacy policy.
Who can be appointed as Data Protection representative?
Companies or natural persons who have their registered office or place of residence in Switzerland may be appointed as Data Protection Representative in Switzerland. There are no further legal requirements. However, it is recommended that the person has basic knowledge and experience with Swiss data protection law and is familiar with the subject matter.
When does this obligation apply?
The new data protection law will enter into force on September 1st, 2023. As from this date, the companies concerned must provide a Data Protection Representative in Switzerland and publish its contact details.
Contact: If you need advice on the new Swiss data protection law, please do not hesitate to contact Sophie Winkler from FlyingLawyers. If required, the law firm will also offer to be appointed as Data Protection Representative in Switzerland for your company.