SWITZERLAND Trends and Developments Contributed by: Hugh Reeves, Jürg Schneider and David Vasella, Walder Wyss Ltd
Data Protection and Information Commissioner (FDPIC).

The FADP also introduced new requirements around data breach reporting, requiring controllers to inform the FDPIC as soon as possible of data security breaches that are likely to lead to a high risk for the data subjects and, where necessary, to communicate the breach to the affected data subjects. The reporting obligation is similar to that under the GDPR, but the threshold is higher (a high risk under the FADP, as opposed to any relevant risk under the GDPR).

In addition, the FADP and the Federal Data Protection Ordinance (DPO) provide for a general requirement to ensure an appropriate level of data security in relation to personal data. The FADP calls for state-of-the-art data security measures, without prescribing specific technical standards. This is a deliberate choice by the legislator, who opted for a future-proof, technologically neutral approach. One specific security requirement, however, is the obligation to log data processing operations; it applies to federal authorities, and to private actors that process sensitive personal data on a large scale or carry out "high-risk profiling", a form of profiling that leads to personality profiles. The FDPIC has provided guidance on implementing these logging obligations.

As Switzerland is not a member of the European Economic Area (EEA), an incident notification made in the EEA under the GDPR does not exempt a company from its notification obligations towards the FDPIC under the FADP, where applicable, and vice versa.

The FADP provides that individuals (not legal entities, in contrast to the GDPR) who breach the data security provisions by failing to comply with the minimum data security requirements face criminal fines of up to CHF250,000. It remains unclear at this time whether a general failure to implement a sufficiently robust level of data security can lead to a fine, but given the potential personal exposure of business managers, these fines are expected to work as an incentive for businesses to ensure state-of-the-art cybersecurity practices.

The new Information Security Act

While the FADP applies to personal data only and, as noted, is fairly high-level, the Information Security Act (ISA) and its four implementing ordinances were brought into force by the Swiss Federal Council on 8 November 2023, with effect from 1 January 2024. The ISA responds to the growing number of cyber-attacks on public authorities and private individuals, and places high demands on information security. For example, it requires authorities to maintain an information security management system and to ensure that the third parties and providers they work with take the necessary security measures. The ISA has also centralised cybersecurity activities under the National Cyber Security Centre (NCSC; now part of the BACS, as discussed hereunder) within the Federal Department of Defence, Civil Protection and Sport (DDPS).

A significant feature of the ISA is the introduction of a reporting obligation for cyber-attacks. It covers public authorities such as universities and federal, cantonal and municipal agencies; intercantonal, cantonal and intercommunal organisations; and providers of critical infrastructures, for example in the energy, finance, healthcare, insurance, transport, communication and IT sectors. In-scope organisations must report cyber-attacks to the NCSC within 24 hours, where the relevant thresholds and definitions are met. This obligation will come into force on 1 April 2025. The notification obligation applies in addition to other incident notifications, such as the obligation to report personal data security breaches to the FDPIC.
289 CHAMBERS.COM