The Federal Information Security Act (ISA), which only entered into force on 1 January 2024, is already being amended with an obligation to report cyberattacks for operators of critical infrastructures. On 18 January 2024, the deadline expired for challenging the amendment by way of a public referendum. This means that the amended version will become law, with the new obligation to report cyberattacks expected to come into force in 2025, although an exact date has not yet been set.

On 9 November 2023, the Federal Data Protection and Information Commissioner issued a statement on AI-supported data processing. The Commissioner’s main message is that the Swiss Data Protection Law is formulated in a technology-neutral manner and is, therefore, also directly applicable to AI-supported data processing.

The revised Data Protection Act (nDPA) and the revised Data Protection Ordinance (nDPO) will enter into force on 1 September 2023. The revised Swiss data protection law is “a GDPR-like” legislation and provides for certain (new) obligations not contained in the current data protection law.
In an employment relationship, an employer inevitably processes employees’ personal data for various purposes. This client alert aims to inform employers about their data privacy obligations under the new data protection law and provides an opportunity to test data protection compliance.