
KMU-Magazin Nr. 04/05, April/May 2021

What the new data protection law means for SMEs

When the European General Data Protection Regulation (EU GDPR) took effect in May 2018, many companies in Switzerland were uncertain about what impact it could have on them. As is well known, the EU GDPR not only has an effect within the EU, but also, under certain conditions, on companies outside the EU and thus on Swiss companies.

Three years have since passed. During this time, numerous Swiss companies have dealt with data protection more or less intensively. Others have waited for the revision of the Swiss Data Protection Act.

The new Federal Data Protection Act (nDSG) is now available and preparatory work is underway for the revision of the Ordinance on the nDSG and for the Ordinance on Data Protection Certifications. The new data protection law is not expected to come into force until the second half of 2022 at the earliest. But what exactly will Swiss SMEs have to do until then?

Check need for action

Many companies wonder whether the nDSG is not simply old wine in new skins. The question is justified. Many of the provisions of the nDSG are indeed not new, but they carry a different weight today because of the increased public awareness of data protection in recent years. The nDSG aims to ensure that data protection not only exists on paper but is also practiced. To this end, it contains expanded enforcement mechanisms. On the one hand, it has become easier for data subjects to exercise their right of access (Art. 25 nDSG); on the other hand, the powers of the Federal Data Protection and Information Commissioner (FDPIC) have been expanded. The FDPIC can now open investigations ex officio and issue binding rulings (Art. 49 ff. nDSG). In addition, fines of up to CHF 250,000 and an entry in the criminal register are provided for if certain rules of the nDSG are violated, whereby the penalty is not primarily directed against the company but against the responsible natural person (Art. 60 ff. nDSG).

Beyond this legal "threat", however, the primary concern for many companies is likely to be the risk of negative headlines in the (social) media and the resulting loss of reputation. Engaging with the nDSG is therefore unavoidable, even if a company ultimately concludes that its own business activities require little action.

Recognize and assign data

In order to know how the nDSG affects one's own company, all data and data flows must first be identified and assigned. Specifically, the question is where and how personal data is processed in the company. This concerns the data of natural persons, because legal persons do not fall within the scope of the nDSG (Art. 2 Para. 1 nDSG). This question, which seems banal at first glance, is not always easy to answer. It requires a precise analysis of all processes within the company. Three areas serve as examples.

Example Human Resources (HR)

In the Human Resources process, it is obvious that data of natural persons is processed. The following questions arise, among others, and the list is by no means exhaustive: How does our recruiting process work? What happens to applications that are not considered? Who is given access to application dossiers, and when? What data do we collect when we hire a person? Do we also collect sensitive personal data, such as religious affiliation? What data do we collect when employees are ill?

Example customer data

As soon as a company is not exclusively active in the B2B sector, it processes customer data that is protected by data protection law. Here, too, a precise analysis of customer management is essential in order to determine whether there is a need for action. This involves answering the following questions, among others: How can our customers reach us? What data do they provide us with (name, e-mail address, telephone number, date of birth, etc.)? Do we also collect particularly sensitive data, such as health data? What do we do with this data? Do we use it for marketing purposes? Do we pass customer data on to third parties? How do we deal with feedback from customers? Do our contracts contain provisions on data protection? How can our customers assert their right of access?

Example internet presence

The internet presence is particularly important for many companies. The website is often the first impression potential customers have of the company. Accordingly, compliance with data protection regulations is of utmost importance there. Here, too, numerous questions arise, such as: What data do we collect when someone visits our website? For how long is this data stored? Is our privacy policy up to date? Do we need a cookie banner? Can interested parties register for a newsletter? What data do we collect for this purpose?

"Hidden personal data"

It is not always immediately clear that certain data is personal data. In data protection law, personal data is defined as data "relating to an identified or identifiable natural person". According to the case law of the Federal Supreme Court, this term is to be interpreted broadly. It also includes, for example, water consumption data as recorded by water meters, provided that conclusions can be drawn about the residents of the houses (see Federal Supreme Court ruling 1C_273/2020 of January 5, 2021, E. 5.3). This is usually the case, since water consumption is billed individually, at least in newer buildings. Every company should therefore carefully check whether it processes "hidden personal data".

Maintain a directory

Once the analysis has been carried out, the result is best recorded in a register of processing activities. According to Art. 12 nDSG, companies with fewer than 250 employees whose data processing involves only a low risk of a personal data breach are not required to keep such a register. But how can a company know whether its data processing involves only low risks if it has no overview of that processing?

Cleansing data

Once a company has analyzed its data flows, it must clarify whether it actually needs all the data it collects. To do this, the purpose of each data processing must be clarified and precisely defined. As a general rule, no unnecessary data should be collected. Data that the company needs, for example, to provide a service but no longer needs afterwards must be anonymized or deleted (Art. 6 Para. 4 nDSG). In practice, this triage is not always easy. Because storage capacity is practically unlimited, there is a tendency to keep too much data. The "analog test" can help here: it takes you back to the analog age.

For example, if a craftsman's company is given the access code to a house in order to carry out repairs, this is often transmitted to the craftsman electronically. After the repair, this message must always be deleted, which in practice is probably not always done consistently.

If you apply the "analog test," it quickly becomes clear that deletion is necessary: would the craftsman keep the key that the neighbor handed him for access to the house after the repair? Probably not.

Adapt processes

Only when it is known which personal data a company processes, in which form, and which personal data it actually needs can the implementation of the nDSG be tackled. If necessary, certain default settings, for example in the webshop, must be adjusted so that the "privacy by default" obligation is complied with (see Art. 7 Para. 3 nDSG). This obliges a company to ensure, by means of suitable default settings (for example on websites), that the processing of personal data is limited to the minimum necessary for the purpose, unless the data subject specifies otherwise.

A company may also discover gaps in its procedures for the case of a data loss. This concerns not only hacker attacks but also, for example, the loss of a USB stick containing personal data. If necessary, contracts with customers, suppliers or IT service providers must be adjusted or supplemented. Some companies may decide to appoint a data protection advisor (Art. 10 nDSG), which can facilitate the implementation of the nDSG. Still others need a data protection impact assessment (Art. 22 nDSG) because they process data with a high risk to the personality or fundamental rights of the data subject.

Getting employees on board

Even though a modern IT infrastructure and legal documents contribute to effective data protection, it is ultimately the employees who play the main role in implementing data protection-compliant processes. Their training therefore deserves special attention. Employees must live the data protection requirements on a daily basis, and this can only be achieved if they understand what it is all about and stand behind the specified processes.

Data protection takes time

Our experience shows that data protection projects take time. They run alongside everyday business and are therefore often perceived as disruptive. Those who have already adapted to the requirements of the GDPR will need relatively little effort to become nDSG-compliant. Here, the need for action lies specifically in the so-called Swiss Finish, i.e. the Swiss particularities, which must be identified deliberately. For those companies that want to wait for the nDSG to come into force, we recommend getting their data protection projects underway now, even if they have to wait until mid-2022 for the nDSG to come into force.
