Search for:

Switzerland: The revised Data Protection Act – need for action for employers?

By , , , , , , , , , and 5 Mins Read

In brief

The revised Data Protection Act (nDPA) and the revised Data Protection Ordinance (nDPO) will enter into force on 1 September 2023. The revised Swiss data protection law is “a GDPR-like” legislation and provides for certain (new) obligations not contained in the current data protection law.

In an employment relationship, an employer inevitably processes employees’ personal data for various purposes. This client alert aims to inform employers about their data privacy obligations under the new data protection law and provides an opportunity to test data protection compliance.

Contents

  1. Data processing in an employment relationship
  2. Most important changes for employers at a glance
  3. Is implementing an employee privacy notice mandatory?
  4. DIVA – Check out your data protection compliance!

Data processing in an employment relationship

Article 328b of the Swiss Code of Obligations (CO) only allows for the collection of data to the extent that such data relates to the employee’s suitability for the job or is necessary to fulfill the employment contract. For example, an employer may not only process employee data related to the employee’s CV and application documents as part of a job application but also payroll data, such as the employee’s name, bank account details, social security number, and information on salary and benefits. The employer may even be required to process sensitive employee data: The employee’s religious activities can be relevant in the context of withholding tax purposes, or the employer might receive sensitive health data related to an employee’s sick leave. These are only a few examples. When it comes to data processing in an employment relationship, it is worth noting that employers must comply with the principles and requirements set forth in the data protection law.

Most important changes for employers at a glance

New obligations:

The nDPA and the nDPO now provide further obligations:

  1. Larger companies that act as controllers or processors (i.e., they have more than 250 employees) must keep a register of processing activities (comparable to the register of processing activities under the GDPR).
  2. The controller has a duty to report data security breaches to the Federal Data Protection and Information Commissioner, while processors have a duty to inform the controller.
  3. The controller has, under certain circumstances, an obligation to carry out data protection impact assessments.
  4. According to the nDPO, the controller and processor have an obligation to keep specific records under certain circumstances.
  5. According to the nDPO, the controller and processor have an obligation to provide a processing policy (Bearbeitungsreglement) under certain circumstances.
  6. Under the nDPA, a processor may only transfer personal data to a third party (subcontractor) with the controller’s prior consent. The nDPO clarifies that it is sufficient if the controller has a right to object.
  7. In addition, unlike under the current DPA, the data subjects must be informed of any data processing (general notification obligation) — not only if sensitive data is being processed.

Amendments to the current DPA:

  1. The nDPA no longer protects legal persons’ data but only natural persons’ data.
  2. The safeguards to ensure an appropriate level of data protection where personal data is transferred to countries with a lower data protection level than Switzerland have been slightly amended. Employees shall check if the safeguards taken are still appropriate.
  3. The data subjects’ rights are somewhat broader.
  4. The Federal Data Protection and Information Commissioner have extended powers under the nDPA: It can issue processing bans and other rulings and may also conduct investigations.
  5. The professional duty of confidentiality contained in the DPA, which punishes anyone who intentionally discloses secret personal data that they became aware of in the course of their professional duties, has been extended.
  6. Penalty provisions have been adapted under the nDPA, and the fines have been increased from CHF 10,000 under the current DPA to CHF 250,000.

Is implementing an employee privacy notice mandatory?

Whether an employer is obligated to implement an employee privacy notice under the nDPA is subject to controversy. The revised law provides for broader information duties compared to the current DPA. In essence, this provision stipulates that the data controller must inform the data subject appropriately about any collection of personal data and, at least, about (i) the data controller’s identity and contact information, (ii) the purpose of processing and (iii) the recipients or categories of recipients to which personal data is disclosed, if applicable. If data is being transferred abroad, the employee further has to be informed about the country to which such data is disclosed and the adequate data protection safeguards (if applicable). The nDPA allows for an exception from the duty to inform if the processing is provided for by law. As explained above, Article 328b CO provides a basis for employers to process employee data. It remains to be seen if courts consider Article 328b CO a sufficient basis to waive the obligation to implement an employee privacy notice.

DIVA – Check out your data protection compliance!

If you are uncertain whether you are already compliant with the revised law, check out DIVA.

*We thank Matteo Ritzinger, who is a Trainee at Baker McKenzie, for his contribution to this article.

Categories:
Author

Christoph Stutz is a partner in Baker McKenzie's Zurich office and serves as head of the Firm's Employment Law Practice Group in Switzerland. For more than 10 years, Christoph has been advising numerous companies in complex labor issues and has successfully represented clients in court. He also advises and represents pension funds and companies in pension-related matters. Christoph regularly publishes work in relation to all aspects of Swiss employment law and is a speaker at internal and external seminars. Christoph is admitted as attorney specialized in labor law (Certified Specialist SBA Labour Law) and holds a certificate as Social Security Specialist.

Author

Alessandro Celli’s broad experience includes technology-related transaction work, intellectual property and competition law, IT, data protection and cyber risk, commercial litigation, sports and entertainment law. Alessandro regularly advises Swiss and international clients on technology-related national and cross-border transactions (JVs, licences, distribution, sale and purchase of technology or related businesses and brands). He counsels on sourcing and data protection, competition law and business restructuring as well as sports and entertainment law in relation to media or sponsoring. As a member of the IP and Disputes practice groups, Alessandro is leading the IT/C (TMT) team in our Zurich office. His actual focus lies primarily on new technologies and business processes within a digitalized global economy and the associated legal and compliance challenges. His work has been increasingly determined by co-operational (sourcing) work as well as regulatory items involving the rapidly developing new technologies with a large impact also on the financial services sector. Alessandro has chaired the committee on legislation and practice at the Zurich Bar Association and is a member of the boards of selected Swiss companies.

Author

Johanna Moesch is an associate in the Firm’s Intellectual Property Practice Group in Zurich. Prior to joining Baker McKenzie she worked as an associate and senior associate in a major Zurich law firm and prior thereto as a law clerk in a Swiss district court. She was also a tutor and student research assistant at the University of Basel in the fields of public and private law. Johanna obtained a LL.M. degree from the Tsinghua University (Beijing). She is a member of the International Association of Privacy Professionals (IAPP) and since January 2021 a Certified Information Privacy Professional/Europe (CIPP/E).

Author

Dr. Peter Reinert is a partner in Baker McKenzie's Zurich office, and serves as head of the Firm's Employment Law Practice Group in Zurich. For more than 25 years, Peter has been advising numerous companies in complex labor issues and has successfully represented clients in court. He also advises healthcare companies on Swiss regulatory matters. Peter regularly publishes work in relation to all aspects of Swiss employment law, and is a regular speaker at internal and external seminars.

Author

Serge Pannatier worked as a trade negotiator with the Swiss Federal Administration before joining Baker McKenzie. Mr. Pannatier currently serves as head of the Employment Law and the WTO and International Trade practice groups in Geneva, and is a member of the Steering Committee of the Firm's International Trade Compliance and Customs Practice Group. In addition to working for the Firm, he is also a faculty member of the World Trade Institute of the University of Berne (Switzerland).

Author

Andreas Becker is an associate of Baker McKenzie's Zurich office and a member of the Firm's Employment and Dispute Resolution Practice Group. Prior to rejoining the Firm in 2022, he gained some practical experience as a law clerk at the cantonal civil court of Basel-Stadt and a group legal department of a leading global pharmaceutical company. Before preparing for the bar exam, he already worked as a trainee lawyer for the Baker McKenzie Zurich office.

Author

Nadine Charrière is an associate in the Firm’s Intellectual Property and Technology Practice Group in Zurich. Nadine holds a Master degree in Law and Economics as well as International Management. She gained practical experience in both the legal and business field in Switzerland, Germany, Belgium and Japan before she joined the Firm in 2019. She is a member of the International Association of Privacy Professionals (IAPP) and since October 2021 a Certified Information Privacy Professional/Europe (CIPP/E).

Author

Dr. Sandra Marmy-Brändli is an associate in the Firm’s Intellectual Property Practice Group in Zurich. She gained her initial work experience as a trainee lawyer in an international law firm in London as well as a law clerk at a district court in the canton of Aargau. Prior to joining Baker McKenzie, she worked as a research assistant and lecturer at the University of St. Gallen.

Author

Meera Rolaz is an associate at Baker McKenzie's Antitrust, EU & Trade Law and Compliance & Investigations Practice Groups in Zurich. She is also part of the Data & Technology team. After graduating from Oxford University with a Bachelor of Arts and a Master degree, she completed her LLB at the London University of Law and qualified as a UK solicitor in 2016. She worked over 7 years at Baker McKenzie in London and has spent time in the Amsterdam office before joining Baker McKenzie Zurich in 2022. Meera is bilingual in French and English.

Author

Nicole Schön is a member of Baker McKenzie's Intellectual Property & Technology practice group.
After being admitted to the bar Nicole joined Baker McKenzie as an associate. From August 2020 until June 2021 she completed the bilingual (French and English) LLM in European Law at the College of Europe in Bruges after which she worked for the attorney general's office in the area of cybercrime before rejoining Baker McKenzie in May 2023.

Author

Muriel Binder is a Professional Support Lawyer in Baker McKenzie, Zurich office.

Related Posts

Write A Comment