Doing Business In... 2025

SWITZERLAND Law and Practice Contributed by: Philippe Nordmann, Marion Bähler, Dario Glauser, Christian Hagen and Samuel Lieberherr, Walder Wyss Ltd

apparent to the data subject, and use shall be limited to the specified purpose. • Proportionality: processing must be propor - tionate to the purpose (data minimisation) and must be “destroyed or anonymised” as soon as it is no longer needed with regard to the purpose of the processing. • Accuracy: reasonable measures are to be taken to ensure that the personal data is up to date, and that it is possible to correct incorrect data. • Privacy by design and security: controllers must set up technical and organisational measures in order to meet the data protec - tion requirements (privacy by design) and, in particular, to ensure a level of data security appropriate to the risks (data security). • Privacy by default: unless the data subject instructs otherwise, the controller is required to limit the processing to the required mini - mum through pre-defined settings. The transfer of personal data to countries that do not provide a level of data protection considered adequate by Swiss law is not permitted unless the protection of the personal data is ensured by other measures (eg, by using the stand - ard contractual clauses of the EU with certain Swiss-specific amendments). In certain cases, the transfer mechanism requires prior approval by or notification to the FDPIC, the Swiss data protection authority. 8.3 Role and Authority of the Data Protection Agency The FDPIC is an independent body tasked with supervising private persons and federal bodies with respect to data protection compliance. To this end, the FDPIC has published several non- binding guidelines.

The FDPIC may investigate cases either on its own initiative or at the request of a third party. If such an investigation reveals that data protec - tion regulations are being breached, the FDPIC may issue binding orders (eg, that the process - ing is fully or partially adjusted, suspended or terminated). The individual or entity subject to such order (but not the data subject) may initi - ate proceedings against it before the competent court. The FDPIC may also inform the public of its findings and its decisions in cases of general interest, which may lead to negative publicity. Moreover, the FDPIC is subject to the Freedom of Information Act and may be required, upon request, to release information to the public or the media. The FDPIC does not have the authority to issue any fines. However, law enforcement agencies may issue fines of up to CHF250,000 for cer - tain data protection breaches. These fines may be imposed on the individuals responsible for a breach, including, if applicable, on directors and officers and employees with independent decision-making power, provided these breach - es have been committed wilfully (see Article 12, Criminal Code) and on the condition that a sub - ject makes a complaint. In addition, data subjects may directly take legal action in case of violation of their rights under the FADP and related Swiss data protection leg - islation.

9. Looking Forward 9.1 Upcoming Legal Reforms Revised Corporate Law

The new Swiss Corporate Law entered into force on 1 January 2023, aiming to modernise Swiss corporate law. The main changes are:

815 CHAMBERS.COM

Powered by