SWITZERLAND Law and Practice Contributed by: Hugh Reeves, Jürg Schneider and David Vasella, Walder Wyss Ltd
private actors. However, the FDPIC has initiated several investigations under the FADP.

The FADP and the DPO provide for a general requirement to ensure an appropriate level of data security in relation to personally identifiable information. The FADP calls for state-of-the-art data security measures without specifying technical standards. An additional, specific security requirement is the obligation to keep logs: data operations must be logged by federal authorities, and by private actors that process sensitive data on a large scale or carry out "high-risk profiling", a form of profiling that leads to personality profiles. These logs must be relatively granular and must be retained for at least one year, separately from the productive environment.

In addition, the FADP imposes certain conditions on controllers and processors, such as a duty to notify data security breaches to the FDPIC and, potentially, to data subjects. Additional compliance and documentation measures have also been introduced, such as data protection impact assessments, records of processing activities and an obligation to maintain processing regulations.

The Information Security Act (ISA) of 18 December 2020, which entered into force on 1 January 2024, governs information security practices within the federal government and its administrative bodies. Under the ISA, several ordinances further specify and implement information security requirements and also repeal (inter alia) the Ordinance on the Protection against Cyber Risks in the Federal Administration (CyRV). Importantly, a significant feature of the ISA is the introduction of a reporting obligation for cyber-attacks. It applies to public authorities such as universities and federal, cantonal and municipal agencies, to inter-cantonal, cantonal and intercommunal organisations, and to providers of critical infrastructures, for example in the energy, finance, healthcare, insurance, transport, communication and IT sectors. In-scope organisations must report cyber-attacks to the National Cyber Security Centre (NCSC) within 24 hours, where the relevant thresholds and definitions are met. This obligation will come into force on 1 April 2025.

Apart from the ISA, cybersecurity remains mostly regulated by a patchwork of various acts and regulatory guidance, which deal explicitly or implicitly with cybersecurity in the private sector. These laws include:

• the Budapest Convention on Cybercrime (CCC), which entered into force in Switzerland on 1 January 2012 and requires the harmonisation of Switzerland's criminal legislation together with speedy international co-operation mechanisms;
• the FADP;
• the Federal Telecommunications Act (TCA) of 30 April 1997, including its ordinances, which – as of 1 January 2023 – contain specific information security and network threat resilience requirements; and
• the Federal Act on Financial Market Infrastructures and Market Conduct in Securities and Derivatives Trading (FinMIA) of 19 June 2015 – the banking and financial markets legislation has also led to the issuance of various circulars and regulatory notices by the regulator of the financial markets, the Swiss Financial Market Supervisory Authority (FINMA).

However, the Swiss government has given cybersecurity increasing attention in the past few years, and the absence of an overarching ad hoc law on cybersecurity may appear misleading given the importance and national relevance of this topic. Nonetheless, this conclusion is unlikely to lead the Swiss legislator (Parliament)