On 25 September 2020, the Swiss Parliament approved the final draft of the revised Data Protection Act (rev-DPA), with the aim to modernise its data protection laws and align it to the latest EU General Data Protection Regulation (GDPR).

The rev-DPA could still be subject to a facultative referendum, but will likely enter into force in 2022 and confer upon the Federal Data Protection and Information Commissioner (FDPIC) new and more extensive powers in order to impose criminal fines of up to CHF 250,000 on individuals responsible for certain types of infringement.

In this respect, foreign controllers and processors should assess whether they are subject to the rev-DPA and review their data processing activities that have an effect on Switzerland, regardless of where they take place.

For companies, it is foreseeable an increase in obligations relating to the production and disclosure of documentation to guarantee transparency on risk-related processing activities.

The new requirements can be summarised as follows:

creating and maintaining an inventory of processing activities;
drafting or updating privacy notices for data subjects when collecting personal data;
reviewing contracts with processors, joint controllers and third parties, and considering special requirements for international data transfers;
carrying out impact assessments when processing might imply risks for the rights and freedoms of the subject;
establishing codes of conduct and policies providing for respective procedures in the event of data breaches and notifications of data security breaches;
for private controllers with domicile or residence outside of Switzerland: under certain circumstances, appointing a representative in Switzerland where personal data of individuals in Switzerland is processed.

SOURCE: www.admin.ch