The Revised DPA: What To Expect


Slide 1: The Revised DPA: What To Expect
The Federal Council's Draft Bill of September 2017
David Rosenthal

Slide 2: Where we stand today
- Revision of the Swiss Data Protection Act (DPA)
  - Pre-draft for public comment (December 2016)
  - Draft bill for deliberation in parliament (September 15, 2017)
  - Preparatory discussions in parliament (already started)
  - Draft ordinances expected in early 2018
  - To be passed in 2018 (shall be put into force on or after August 2018)
- Overall summary:
  - The draft bill has improved significantly
  - Several "Swiss Finishes" have been removed (but some remain)
  - Criminal sanctions have been reduced significantly (but remain personal)
  - No fundamental changes as compared to current law
  - The revised DPA is comparable to the EU GDPR, but it is not "copy & paste" and does not implement all GDPR features (e.g., consent, data portability)
  - Compliance with the GDPR will (likely) result in compliance with the DPA

Slide 3: What will change (1)
- No protection of legal persons anymore
- Definition of personal data remains unchanged
- Broadened obligation to inform data subjects about the collection of data (Art. 17)
  - Including information on the countries where data will be processed
  - Also applies if the information is obtained through third parties
  - Limited set of exceptions (reliance on an overriding private interest is restricted)
  - Will it be possible to satisfy the requirement by information on a website only?
- New obligation to inform on automated individual decisions (Art. 19)
  - A decision concerning a data subject that has a legal or material negative effect and relies exclusively on automated processing of data, including profiling
  - Obligation to inform and to permit human intervention, unless the data subject has consented or the decision is made for a contract as desired by the data subject
  - But: profiling as such is not regulated and requires no consent

Slide 4: What will change (2)
- No sub-processing without the controller's consent (Art. 8)
- Formal obligation to maintain a data processing inventory (Art. 11)
  - For both controllers and processors, comparable to the GDPR
- Formal obligation to conduct a data protection impact assessment (Art. 20)
  - Assessment of data processing activities that involve a high risk for the data subject, comparable to the GDPR (but the sample cases go beyond the Art. 29 WP)
  - Consultation of the Data Protection Commissioner or the Data Protection Counsel is required if a high risk remains despite countermeasures (current text unclear)
- Formal obligation to notify data breaches (Art. 22)
  - Any security breach is in scope, but notification is only required if it likely results in a high risk for the data subject (i.e., less strict than under the GDPR)
  - No deadline; information as soon as possible
  - Obligation to inform the data subjects if this is necessary in order to protect them

Slide 5: What will not change
- The basic concepts remain the same
  - The processing principles (now Art. 5) and the possibility to justify their violation
  - No need to provide for lawful grounds (as required under the GDPR)
- The definition of consent is not narrowed (Art. 5 para. 6)
  - Minimal change to the definition of consent; no change in substance
  - No prohibition on bundling consent declarations (as under the GDPR)
  - "Privacy by Default" (Art. 6) does not affect the ability to obtain consent
- No fundamental change concerning data subject rights
  - Right of access expanded in substance, but limitations remain (Art. 23)
  - Right to correction may be refused only on very limited grounds (Art. 28)
- Prerequisites for exporting personal data remain largely the same (Art. 13)
  - The Federal Council rules on "safe" countries; export to foreign authorities is eased

Slide 6: What to do
- Set up an adequate data protection compliance organisation
  - A data protection officer will not be formally required, but makes sense
  - Roll-out project recommended to be run internally, with outside coaching
- Assess strategy with regard to the GDPR
  - Use the GDPR as the standard, use the DPA as the standard, or use both (case by case)
  - Define strategy with regard to foreign supervisory oversight
- Analyze data processing, establish an inventory and assess the level of compliance
  - Risk-based approach recommended, including with regard to gap actions
- Update contracts, consents, policies and data subject information
  - In the case of the GDPR: establish legal grounds for processing
- Update internal processes and, where necessary, internal systems
  - Data subject rights, automated decisions, data breach notifications, DPIA

Slide 7: Summary
- The revised DPA will be in force sooner than many may expect
  - Already within a year from now?
  - Only existing data processing activities will have a two-year transitional period
- The revised DPA is not identical with the GDPR
  - Typically less strict (Swiss finishes are still expected to be removed entirely)
  - Provides more flexibility for (hopefully) reasonable interpretation
  - However, not all provisions are really thought through (e.g., profiling)
- Companies that try to do it right and act diligently should not fear sanctions
  - It will not be possible to fully comply with the DPA (or the GDPR)
  - Pursue a risk-based approach, prioritize
  - Do your documentation homework, but do not dive too deep
  - Do it internally, establish your own resources and know-how

Slide 8: Thank you for your attention!
David Rosenthal
T
Homburger AG, Prime Tower, Hardstrasse 201, CH-8005 Zürich