The revised Data Protection Act (nDPA) and the revised Data Protection Ordinance (nDPO) will enter into force on 1 September 2023. The revised Swiss data protection law is a “GDPR-like” piece of legislation and provides for certain (new) obligations not contained in the current data protection law.
In an employment relationship, an employer inevitably processes employees’ personal data for various purposes. This client alert aims to inform employers about their data privacy obligations under the new data protection law and provides an opportunity to test data protection compliance.
- Data processing in an employment relationship
- Most important changes for employers at a glance
- Is implementing an employee privacy notice mandatory?
- DIVA – Check out your data protection compliance!
Data processing in an employment relationship
Article 328b of the Swiss Code of Obligations (CO) only allows for the collection of data to the extent that such data relates to the employee’s suitability for the job or is necessary to fulfill the employment contract. For example, an employer may not only process employee data related to the employee’s CV and application documents as part of a job application but also payroll data, such as the employee’s name, bank account details, social security number, and information on salary and benefits. The employer may even be required to process sensitive employee data: The employee’s religious activities can be relevant in the context of withholding tax purposes, or the employer might receive sensitive health data related to an employee’s sick leave. These are only a few examples. When it comes to data processing in an employment relationship, it is worth noting that employers must comply with the principles and requirements set forth in the data protection law.
Most important changes for employers at a glance
The nDPA and the nDPO now provide further obligations:
- Larger companies that act as controllers or processors (i.e., they have more than 250 employees) must keep a register of processing activities (comparable to the register of processing activities under the GDPR).
- The controller has a duty to report data security breaches to the Federal Data Protection and Information Commissioner, while processors have a duty to inform the controller.
- The controller has, under certain circumstances, an obligation to carry out data protection impact assessments.
- According to the nDPO, the controller and processor have an obligation to keep specific records under certain circumstances.
- According to the nDPO, the controller and processor have an obligation to provide a processing policy (Bearbeitungsreglement) under certain circumstances.
- Under the nDPA, a processor may only transfer personal data to a third party (subcontractor) with the controller’s prior consent. The nDPO clarifies that it is sufficient if the controller has a right to object.
- In addition, unlike under the current DPA, the data subjects must be informed of any data processing (general notification obligation) — not only if sensitive data is being processed.
Amendments to the current DPA:
- The nDPA no longer protects legal persons’ data but only natural persons’ data.
- The safeguards to ensure an appropriate level of data protection where personal data is transferred to countries with a lower data protection level than Switzerland have been slightly amended. Employers should check whether the safeguards they have put in place are still appropriate.
- The data subjects’ rights are somewhat broader.
- The Federal Data Protection and Information Commissioner has extended powers under the nDPA: it can issue processing bans and other rulings and may also conduct investigations.
- The professional duty of confidentiality contained in the DPA, which punishes anyone who intentionally discloses secret personal data that they became aware of in the course of their professional duties, has been extended.
- Penalty provisions have been adapted under the nDPA, and the fines have been increased from CHF 10,000 under the current DPA to CHF 250,000.
Is implementing an employee privacy notice mandatory?
Whether an employer is obligated to implement an employee privacy notice under the nDPA is subject to controversy. The revised law provides for broader information duties compared to the current DPA. In essence, the relevant provision stipulates that the data controller must inform the data subject appropriately about any collection of personal data and, at least, about (i) the data controller’s identity and contact information, (ii) the purpose of the processing and (iii) the recipients or categories of recipients to which personal data is disclosed, if applicable. If data is transferred abroad, the employee must further be informed of the country to which the data is disclosed and of the safeguards ensuring adequate data protection (if applicable). The nDPA allows for an exception from the duty to inform if the processing is provided for by law. As explained above, Article 328b CO provides a basis for employers to process employee data. It remains to be seen whether courts will consider Article 328b CO a sufficient basis to waive the obligation to implement an employee privacy notice.
DIVA – Check out your data protection compliance!
If you are uncertain whether you are already compliant with the revised law, check out DIVA.
*We thank Matteo Ritzinger, who is a Trainee at Baker McKenzie, for his contribution to this article.