SWITZERLAND Law and Practice Contributed by: Hugh Reeves, Jürg Schneider and David Vasella, Walder Wyss Ltd
breach notification obligations under the FADP. Another key difference is the level of activity by the relevant authorities: while many supervisory authorities within the European Economic Area (EEA) are more active, providing guidance and/or enforcing the GDPR, the FDPIC is generally reluctant to take a decisive stance and rarely provides guidance for private actors. However, the FDPIC has initiated several investigations under the revised FADP.

The FADP and the DPO provide for a general requirement to ensure an appropriate level of data security in relation to personally identifiable information. The revised FADP calls for state-of-the-art data security measures, without specifying specific technical standards. However, a specific security requirement is the obligation to keep logs to ensure that data operations are logged by federal authorities and private actors that process sensitive data on a large scale or carry out “high-risk profiling”, a form of profiling that leads to personality profiles. These logs must be relatively granular and must be kept for at least one year, separately from the productive environment.

In addition, the revised legislation imposes on controllers and processors, under certain conditions, a duty to notify data security breaches to the FDPIC, and potentially to data subjects. Additional compliance and documentation measures, such as data protection impact assessments and records of processing activities, as well as an obligation to maintain processing regulations, have also been introduced.

The Information Security Act (ISA) of 18 December 2020, which entered into force on 1 January 2024, governs information security practices within the federal government and its administrative bodies. Under the ISA, several ordinances further specify and implement information security requirements and also repeal (inter alia) the Ordinance on the Protection against Cyber Risks in the Federal Administration (CyRV). Importantly, a significant feature of the ISA is the introduction of a reporting obligation for cyber-attacks for public authorities such as universities; federal, cantonal and municipal agencies; inter-cantonal, cantonal and intercommunal organisations; and providers of critical infrastructures, for example in the energy, finance, healthcare, insurance, transport, communication and IT sectors. In-scope organisations must report cyber-attacks to the National Cyber Security Centre (NCSC) within 24 hours, where the relevant thresholds and definitions are met. This obligation will come into force on 1 April 2025.

Apart from the ISA, cybersecurity remains mostly regulated by a patchwork of various acts and regulatory guidance, which deal explicitly or implicitly with cybersecurity in the private sector. These laws include:

• the Budapest Convention on Cybercrime (CCC), which entered into force in Switzerland on 1 January 2012 and imposes a harmonisation of Switzerland’s criminal legislation as well as speedy international co-operation mechanisms;
• the FADP;
• the Federal Telecommunications Act (TCA) of 30 April 1997, including its ordinances, which – as of 1 January 2023 – contain specific information security and network threat resilience requirements; and
• the Federal Act on Financial Market Infrastructures and Market Conduct in Securities and Derivatives Trading (FinMia) of 19 June 2015 – the banking and financial markets legislation also led the financial markets regulator, namely the Swiss Financial Market Supervisory Authority (FINMA), to issue various circulars and regulatory notices.
276 CHAMBERS.COM