SWITZERLAND Trends and Developments Contributed by: Jürg Schneider, David Vasella and Hugh Reeves, Walder Wyss Ltd
to do so. The minimum content of the inventory is specified in the FADP and is largely identical to the content required for ROPA under the GDPR.

The Data Protection Ordinance (DPO) provides for exceptions from the obligation to keep an inventory of processing activities. An inventory does not have to be kept if a company has fewer than 250 employees (as of January 1st of a given year). The number of employees is determined per head count, not full-time equivalent (FTE), and part-time employees as well as trainees, for example, are fully counted.

However, there are “counter exceptions” in the DPO. This means that a company must keep an inventory even though it has fewer than 250 employees if it either:

• carries out extensive processing of particularly sensitive personal data (this includes, for example, organisations and companies whose very purpose entails the processing of particularly sensitive personal data); or
• carries out high-risk profiling, meaning profiling that poses a high risk to the privacy or fundamental rights of the data subject by combining data that allows an assessment of essential aspects of the personality of a natural person.

Processing regulations

Although Swiss law does not recognise any general accountability as found in the GDPR, the obligation to have data processing regulations serves the same purpose. The DPO requires private data controllers and their processors to maintain data processing regulations for automated processing if they either process sensitive personal data on a large scale or carry out high-risk profiling.

Under the DPO, the processing regulations must include information on the internal organisation and the processing and control procedures, as well as the measures to ensure subject rights and data security. Processing regulations can be in the form of a summary document that references existing documents, directives and guidelines.

Working with data processors

Controllers must enter into a processing agreement with data processors. The FADP requires less for these agreements than the GDPR, but failure to enter into a processing agreement may potentially trigger criminal liability (see below).

Cross-border disclosure of personal data

Like the GDPR, the FADP restricts transfers abroad to countries without adequate protection. Transfers are permitted based on safeguards, which include the standard contractual clauses (SCCs) approved by the European Commission; however, these must be adapted slightly to account for Swiss law. In line with the GDPR, the exporter must carry out a transfer impact assessment before commencing a transfer to a recipient in an unsafe country.

Obligation to provide information

Under the FADP, and similar to the GDPR, the controller must inform the data subjects about its identity and contact details, the purpose of the processing, the recipients or categories of recipients of the data and transfers abroad. In this respect, it requires the listing of all countries, including countries with adequate protection, but in practice, privacy notices frequently refer to regions (such as “EEA”) instead of listing individual countries. The FADP does not provide a finite list of the required information and, depending on the circumstances, additional information may be required. Failure to provide the required information accurately can lead to criminal sanctions.