TMT 2025

SWITZERLAND Law and Practice Contributed by: Lukas Morscher, Lukas Staub and Jil Eichenberger, Lenz & Staehelin

Challenges with Technology Agreements ). Entities supervised by the FINMA are also obliged to report cyber-attacks to the FINMA in line with the FINMA’s Guidance 03/2024.

If employee data is processed in the cloud, the specific restrictions under the CO must be adhered to and Ordinance 3 to the Federal Employment Act limits employers’ use of surveillance systems.

Swiss DPA

Switzerland’s data protection framework is primarily governed by the revised Federal DPA of 25 September 2020 and the DPO, which entered into force on 1 September 2023. These laws regulate the processing of “personal data” by private entities and federal bodies, aligning Swiss standards with international norms and addressing technological advancements. Cantonal authorities are subject to separate legislation and additional federal laws govern data protection in regulated industries, such as financial markets and telecommunications.

The DPA and DPO apply to the processing of any data relating to an identified or identifiable (natural) person. A person is identifiable if a third party, having access to the data on the person, is able to identify that person with reasonable efforts.

Under the DPA, “sensitive personal data” is considered a special category of personal data that is subject to stricter processing conditions. Sensitive personal data is data on:

• religious, ideological, political or trade union-related views or activities;
• health, the intimate sphere or affiliation to a race or ethnicity;
• genetic data;
• biometric data that uniquely identifies a natural person;
• administrative and criminal proceedings or sanctions; or
• social security measures.

Furthermore, the DPA provides for stricter processing rules for certain processing activities, including “high-risk profiling” and “automated individual decision-making”. “High-risk profiling” refers to any form of automated processing of personal data to use the data to evaluate certain personal aspects relating to a natural person that involves a high risk to the personality or fundamental rights of that natural person, by pairing data that enables an assessment of essential aspects of the personality of the natural person. “Automated individual decision-making” is any decision based exclusively on automated processing of personal data that has a legal consequence for, or a considerable adverse effect on, the data subject.

As a general principle, personal data must always be processed (this includes collection and usage) lawfully. Processing is lawful if it is either processed in compliance with the general principles set out in the DPA (including, among others, the principle that the collection of personal data and, in particular, the purpose of its processing, must be evident to the data subject at the time of collection) or, if non-compliant with these general principles, is justified (eg, by the data subject’s voluntary informed consent or by law). The disclosure of personal data to third parties is generally lawful under the same conditions.

Swiss Legislation is Aligned with International Data Protection Standards

The revised DPA closely mirrors the EU General Data Protection Regulation 2016/679 (the “GDPR”), with minor “Swiss finishes”. Most notably the sanction system in the DPA targets
