During the summer session, Parliament failed to resolve the last differences in the Data Protection Act and to help data protection in Switzerland achieve a breakthrough. Accordingly, what are hopefully the last differences will have to be resolved in the autumn session. It is rather unrealistic that the Data Protection Act can then still come into force on 1 January 2021, as originally planned before the COVID-19 pandemic. Nevertheless, it is advisable to use the time to prepare for the new law with appropriate projects.
With the revision of the Data Protection Act, the legislator is undertaking a paradigm shift. Previously, the focus of the Data Protection Act was on the existence of data collections – now the process of data processing is relevant, i.e. the entire data lifecycle, from collection and use to anonymisation or deletion. The new Swiss Data Protection Act will in future dispense with the protection of the data of legal persons and thus aligns with most foreign legal systems, as well as the EU GDPR. [1] In the view of the Federal Council, the protection of legal persons is already sufficiently guaranteed by other laws (e.g. unfair competition or protection of personality) and is therefore of little practical significance.
[1] Article 2 para. 1 of the E-DSG.
In the revised DPA, the principle of impact should apply. [1] This means that the DPA enshrines what was already applicable in Switzerland by virtue of case law. [2] If data processing abroad has an impact on the personality of individuals in Switzerland, the Swiss Data Protection Act applies. It is irrelevant here whether this is done in connection with goods and services provided to data subjects or indirectly by a third party, e.g. in the context of providing a B2B service.
[1] Art. 2a E-DSG (not yet provided for in the Federal Council’s draft).
[2] Logistep decision BGE