Data Protection and Privacy 2025

SWITZERLAND Law and Practice Contributed by: Hugh Reeves, Jürg Schneider and David Vasella, Walder Wyss Ltd

3. Data Regulation on IoT Providers, Data Holders and Data Processing Services

3.1 Objectives and Scope of Data Regulation

There has been little specific legislative effort directed at the internet of things (IoT) and supply chain actors. This mostly relates to Switzerland’s technologically neutral approach to legislative action. Therefore, the general requirements under the FADP in terms of data security play a predominant role, though sector-specific rules may come into play as well.

That said, 1 January 2023 updates to telecommunications legislation brought about, in particular, increased network security requirements, especially in the form of reinforced anti-piracy and anti-tampering mechanisms to handle malicious activities; in addition, operators of 5G networks and services that operate on these networks have to implement an information security management system.

There are no specific cybersecurity and data breach notification rules pertaining to the IoT. However, various authorities serve as valuable contact points. In particular, the FDPIC and BACS play an important role – the former in matters pertaining to data protection and data security, the latter for any voluntary notification of a cyber-incident.

Security requirements around the IoT are also a priority for the government, which mentioned in its Digital Switzerland Strategy (see 1.1 Overview of Data and Privacy-Related Laws) the need for the industry to implement state-of-the-art cybersecurity measures to accompany the growth of the IoT on the Swiss market.

In the financial and banking sector, FINMA Circular 2008/21 Operational Risks at Banks, and its replacement Circular 2023/01, contain a notification duty in certain data breach cases. This Circular provides that banks must have a clear communication strategy in case of serious incidents pertaining to client-identifying data (CID); this communication strategy must specify when it is necessary to notify FINMA, criminal prosecution authorities, the clients concerned and the media.

3.2 Interaction of Data Regulation and Data Protection

Concerning the interplay between data regulation and data protection requirements in Switzerland, see 1.1 Overview of Data and Privacy-Related Laws.

3.3 Rights and Obligations Under Applicable Data Regulation

Concerning the obligations set out in the laws regulating the use of IoT services and data processing services in Switzerland, see 1.1 Overview of Data and Privacy-Related Laws and 1.3 Enforcement Proceedings and Fines.

3.4 Regulators and Enforcement

Concerning the bodies designed to enforce the data regulation in Switzerland, see 1.2 Regulators.

4. Sectoral Issues

4.1 Use of Cookies

Since 2007, the use of cookies has been regulated in the Swiss TCA. Website operators must inform the user about the processing and its purpose, but it is not mandatory to use a cookie banner under Swiss law. They must also note that the user may refuse to allow processing and how cookies can be deactivated in the user’s browser. In Switzerland, the opt-out prin -
