Since September 1, 2023, the new Swiss data protection legislation (nLPD) has been in effect. This significant update to the legal framework has implications for citizens, organizations, and businesses. In this article, we will delve deep into the key changes and their impacts.
1/ What Is Swiss Data Protection Legislation (LPD)?
LPD is the law that protects the personal information of Swiss citizens. It applies to everyone: individuals, businesses, and even government agencies in Switzerland. This law ensures that data is kept secure and used in a safe manner.
In simple terms, LPD dictates what companies or institutions can do with the information of their visitors, customers, etc. For example, they must inform individuals when they collect data and how they will use it. Moreover, this law grants certain rights, such as the ability to see what information a company has about you and, if necessary, correct or delete it.
It’s important to note that Switzerland has its own rules for data protection, which are slightly different from those of the European Union (the famous GDPR). However, the two laws are quite similar, and Swiss law is considered strict enough to facilitate information exchanges between Switzerland and the EU.
2/ The Necessity of a New Version of LPD: Why Was a Revision Necessary?
The last time Switzerland updated its data protection law was in 1992. Since then, our way of life and communication have radically changed, and the digital landscape has seen spectacular advancements since the adoption of LPD. Today, we all use smartphones, are active on social media, and store information in the “Cloud.” With the emergence of all these new technologies, it was imperative to update the law to ensure data remains secure and to limit abuses in data collection.
3/ Key Changes Introduced by the nLPD
Effective since September 1, 2023, the new data protection law (nLPD) introduces several major changes, redefining how personal data is managed in Switzerland. Here are some of the most significant changes:
- Increased Transparency: Organizations must now inform individuals clearly and comprehensibly when collecting their data. This change aims to provide citizens with a clearer picture of how their data is used.
- Enhanced Control: The nLPD gives Swiss citizens the power to access, rectify, and even delete their data. You can now ask companies what data they have about you and how it is used, and you have the right to have it corrected or deleted under certain conditions.
- Corporate Responsibility: Companies must implement appropriate security measures to protect data against unauthorized access and leaks. In case of non-compliance, the penalties are more severe than in the previous version of the law.
- International Compliance: With the nLPD, Switzerland aims to align its legislation with the latest European directives and Council of Europe conventions, facilitating data exchanges with EU member countries.
- Focus on Criminal Law: The first phase of this revision introduced specific rules for data processing in criminal law, including how data can be used in criminal investigations.
- Adaptability to New Technologies: Given technological advances, the nLPD is designed to be flexible enough to adapt to future changes in how data is collected, stored, and processed.
These changes will allow Switzerland to comply with recent European directives and Council of Europe conventions on the same subject. It’s worth noting that this revision took place in two distinct phases, with the first focusing on data protection in criminal law, while the second was a complete overhaul of the legislation to better align Switzerland with prevailing European standards.
4/ nLPD, OPDo, and OCPD: A Trio of Regulations
While the new data protection law (nLPD) forms the foundation of the revised legal framework, it is not alone. Indeed, it is complemented by two regulatory texts, forming a robust tripartite legislative framework for data protection in Switzerland. Each has a specific role to play in this new data protection architecture.
- The New Ordinance on Data Protection (OPDo): This ordinance provides detailed guidelines on the practical application of the nLPD. It clarifies the obligations of companies and institutions regarding the collection, processing, and storage of data. Its aim is to clarify ambiguities and provide a practical guide for effective compliance.
- The New Ordinance on Data Protection Certifications (OCPD): This ordinance establishes a certification system that allows companies to prove their compliance with high data protection standards. It is a kind of “quality label” for data management that organizations can obtain after rigorous auditing.
These two regulatory texts not only support the new law but also make it more effective and easier to implement. In essence, the nLPD, OPDo, and OCPD form a coherent trio aimed at establishing a safer environment for personal data, enhancing transparency, and ensuring better compliance with international standards. This bundle of legislative measures provides Swiss citizens with a modern and effective framework for personal data protection, enabling better control of their digital identity.
5/ nLPD vs. GDPR: What Are the Differences?
While nLPD and GDPR share a common goal of data protection, there are notable differences between the two. GDPR is a regulatory text that applies to all EU member states, while nLPD is specifically Swiss. Furthermore, GDPR includes provisions such as the “right to be forgotten” and severe fines for non-compliance, which are not as explicitly present in nLPD. However, Switzerland’s goal in updating its legislation was clearly to bring nLPD closer to the standards set by GDPR, ensuring the continuity of data exchanges with the European Union.
6/ Who Is Affected, and What Are the Implications for Businesses?
If you operate a website in Switzerland, whether you are in the private sector, a charitable organization, a local administration, or an individual, this legislation applies to you. Thus, if you collect personal data through registration forms, surveys, online commercial transactions, or comments on your website, it is imperative to become familiar with the new legal requirements imposed by this new data protection law (nLPD) in Switzerland.
So, as you may have understood, compliance with this new law is crucial, not only to avoid sanctions but also to gain and maintain the trust of your customers. Companies may need to review and adjust their data policies, management practices, and security systems. This is particularly important for companies that operate internationally and must also comply with regulations in other jurisdictions.
7/ Where to Begin?
Whether you are an individual concerned about your privacy or a business with data management responsibilities, it is crucial to familiarize yourself with the new Swiss data protection law (nLPD) and its associated regulatory texts. Here are some practical tips for navigating this new regulatory environment:
- Take the time to read and understand the legislative documents. These texts are often available online and detail obligations and rights regarding data protection. If the official texts seem too complex to decipher, it can be very helpful to consult data protection experts or a Data Protection Officer (DPO) within your organization. They can provide precise explanations of the concrete implications for you or your business.
- Assess risks and your needs by conducting an audit of your current data management practices. Identify areas where improvements are needed to comply with the new law.
- Establish an action plan to implement the necessary changes. This could include updating your privacy policies, adopting new security measures, or appointing a Data Protection Officer within your organization. Inform and educate your employees about the importance of data protection and the changes brought about by nLPD.
Compliance is not a state but a process, so make sure to regularly review your practices and adjust them if necessary, especially in the case of additional legislative changes or evolving technologies.
The nLPD, which came into effect this month, marks a significant step in the evolution of data protection regulations in Switzerland. Citizens, organizations, and businesses will need to become familiar with these changes, as they have significant implications for the processing of personal data in Switzerland. Given the nuances between nLPD and GDPR, consulting data protection experts is highly recommended to navigate this new regulatory environment effectively.