SWITZERLAND Law and Practice Contributed by: Hugh Reeves, Jürg Schneider and David Vasella, Walder Wyss Ltd
Walder Wyss Ltd Seefeldstrasse 123
8008 Zurich Switzerland
Tel: +41 58 658 58 58 Fax: +41 58 658 59 59 Email: reception@walderwyss.com Web: www.walderwyss.com
1. Legal and Regulatory Framework

1.1 Overview of Data and Privacy-Related Laws

Switzerland is a federation comprising 26 federated states (cantons) as well as a federal government. This leads to a layered body of laws as well as, at times, a decentralised official approach to cybersecurity. Cybersecurity in Switzerland remains closely tied to the area of data protection. Cybersecurity is frequently perceived as an off-shoot – or even a synonym – of data security, which, as the name suggests, targets the security and resilience of data processing and storage activities.

On a federal level, the Swiss Constitution of 18 April 1999 protects the right to privacy, in particular the right to be protected against misuse of personal data (Article 13). The collection and use of personal data by private bodies are regulated on a federal level and are mainly governed by the Swiss Data Protection Act (the Federal Act on Data Protection; FADP) and its ordinances, including the Federal Data Protection Ordinance (DPO). Data processing by public bodies is governed by the FADP for federal bodies, which includes private organisations performing public tasks such as health insurance providers, pension funds and many others, and by cantonal (for example, the Information and Data Protection Act of the Canton of Zurich) and communal laws for cantonal and communal bodies.

The FADP was revised in order to implement the revised Council of Europe’s Convention 108 and to more closely align with the EU General Data Protection Regulation (GDPR). The revised FADP and DPO entered into force on 1 September 2023.

While the FADP and the GDPR are similar in their approach and purpose, there are notable differences. For example, there is a data breach notification obligation under the FADP similar to that under the GDPR, but the trigger for notifying a personal data breach to the Swiss data protection authority, the Federal Data Protection and Information Commissioner (FDPIC), is “high risk”, whereas under the GDPR any relevant risk requires notification. Another key difference is the level of activity by the relevant authorities: while many supervisory authorities within the European Economic Area (EEA) are more active, providing guidance and/or enforcing the GDPR, the FDPIC is generally reluctant to take a decisive stance and rarely provides guidance for
417 CHAMBERS.COM