Data Protection and Privacy 2025

SWITZERLAND Trends and Developments Contributed by: Jürg Schneider, David Vasella and Hugh Reeves, Walder Wyss Ltd

Automated individual decision-making

Controllers must inform data subjects of decisions based solely on automated processing that have legal consequences for them or otherwise significantly affect them. In addition, data subjects have the right to state their position and to request that the decision be reviewed by a natural person. The required information can be included in a privacy notice or given when the decision is communicated to the data subject.

Data protection impact assessment

The data protection impact assessment (DPIA) is an important tool for companies to assess data protection risks early, during the implementation of new processes or applications, and to take appropriate countermeasures. If a planned processing activity may involve a high risk to the privacy or fundamental rights of data subjects, the controller must carry out a DPIA beforehand. This may be the case, for example, with systematic surveillance, processing of confidential or highly personal data, high-risk profiling, or automated decision-making. If the DPIA shows that the planned processing still results in a high risk despite the mitigating measures, the controller must consult the FDPIC before starting the processing (unless a data protection adviser has been appointed and consulted). DPIAs must be retained for at least two years after the end of the processing activity.

Notification obligation for data security breaches

The controller must notify the FDPIC of any data security breach that is likely to result in a high risk to the data subjects; the threshold for the notification obligation is thus higher than under the GDPR. The notification must be made as soon as possible, but unlike under the GDPR there is no 72-hour maximum timeframe. In addition, where necessary for the protection of the data subjects or on instruction by the FDPIC, the controller must inform the data subjects of the breach. According to the DPO, the notification to the FDPIC must contain certain information, in particular the type of breach, its time and duration, the categories and approximate number of personal data concerned, the categories and approximate number of data subjects concerned, the consequences for the data subjects (including any risks), the measures taken or planned, and the name and contact details of a contact person. If the controller cannot provide all of this information at once, it must supply the missing information as soon as possible.

Logging obligations

A private controller and/or processor must at least log the storage, modification, reading, disclosure, deletion and destruction of the data (including the identity of the person who carried out the processing and the type, date and time of the processing) if sensitive personal data is processed automatically on a large scale or high-risk profiling is carried out, and preventive measures cannot guarantee data protection. These logs must be accessible only to the relevant functions and may be used for compliance and security purposes only.

Data subject rights

Under the FADP, data subjects have a range of rights, such as the right to access their data, to have incorrect data rectified, to have automated individual decisions reviewed by a natural person, and to have their data provided to them or to another controller in a common, machine-readable format. Data subjects can also withdraw consent and/or object to the processing of their data, which obliges the controller to justify any further processing, for example by overriding interests,
