The obligations of data controllers under the new Swiss Data Protection Act

The new Swiss Data Protection Act (DPA) came into force on September 1, 2023. It strengthens the rights of data subjects in terms of data protection and imposes new obligations on data controllers.

Data controllers are the persons or organizations that collect, use or disclose personal data. They are required to comply with the DPA, which imposes the following obligations:

  • Obtain the consent of data subjects before processing their personal data;
  • Inform data subjects about how their personal data is collected, used and disclosed;
  • Implement security measures to protect personal data against loss, misuse and unauthorized disclosure;
  • Respond to requests from data subjects regarding their personal data;
  • Respect the rights of the persons concerned.

Penalties can be as high as CHF 250,000 for the individual responsible for the offence. The person is criminally liable even if they violated the law in the course of their work for their company. Criminal sanctions are no longer aimed at the “owner of the file”, but at the “person responsible for the processing”. Employees can therefore be personally sentenced, in place of the company, to pay this fine, the maximum amount of which is exorbitant from the outset.

In this blog post, we will discuss the obligations of data controllers under the new DPA and how companies can comply with the law.

The obligations of data controllers

Obtain the consent of data subjects before processing their personal data

Consent must be free, informed and explicit. It can be given in writing, orally or by an affirmative gesture. In some cases, consent may be implied, but only if the data subject has the possibility to refuse the processing of his/her personal data.

Inform data subjects about how their personal data is collected, used and disclosed

Information must be clear, concise and accessible. It must include the purposes of the processing, the categories of data collected, the persons or organizations that will receive the data and the rights of the data subjects.

Implement security measures to protect personal data against loss, misuse and unauthorized disclosure

Security measures must be adapted to the nature of the personal data processed and the level of risk involved. They may include technical measures, such as encryption, and organizational measures, such as staff training.

Respond to requests from data subjects regarding their personal data

Data subjects have the right to access their personal data, rectify it, delete it, object to its processing and request that their data be transferred to another data controller. Data controllers must respond to such requests promptly and free of charge.

Respect the rights of the persons concerned

Data controllers must respect the rights of data subjects, such as the right to privacy, the right to information, the right of access to personal data, the right of rectification, the right of deletion, the right to object to processing and the right to data portability.

In conclusion

The new DPA is an important text that strengthens the rights of data subjects in terms of data protection. It also imposes new obligations on data controllers, who must now comply with the law and respect the rights of data subjects.

A WordPress plugin with the essentials for managing your website’s compliance.

äso! MINI

Free

lifetime

0

Features included:

  • Up to 200 interactions per month (ideal for small sites with little traffic)
  • 1 domain
  • Consent registry
  • Graphic customization
*Download from your customer account

äso! STANDARD

CHF 9.90

excl. tax/domain/month

or 99.- excl. tax/domain/year

Features included:

  • Unlimited interactions
  • 1 domain
  • Consent registry
  • Graphic customization
  • Privacy policy template

äso! CUSTOM

Tailor-made

excl. tax/domain/month

Tailor-made

Features included:

  • Unlimited interactions
  • Unlimited domains
  • Consent registry
  • Graphic customization
  • Privacy policy template
  • Integration
  • Dedicated support

Technical support for compliance with the new DPA (nLPD)

Benefit from local expertise to implement a technical solution that meets the requirements of the new Swiss data protection law.

  • Technical help with installing and configuring the plugin on your website
  • Customization of the plugin to your needs
  • Technical audit of your data flows and compliance advice (CRM/ERP integration, processing of data from the website, use of tracking tools, etc.)

Legal support for data protection

Get recommendations and legal expertise from the law firm DFS Avocats, based in Geneva, an expert in data protection.

  • Help with setting up your website's privacy policy
  • Targeted, personalized advice on privacy matters (DPA and GDPR)
  • Help with establishing the regulatory framework for the collection, processing and use of personal data in compliance with the new Data Protection Act (nLPD)