
Employment

The new Swiss Data Protection Act and what employers need to consider

On 1 September 2023, the completely revised Data Protection Act (revDSG) and the associated Ordinance (DSV) will come into force. Now is the time to take the necessary precautions for internal implementation - not only to avoid the penalties provided for by law, but also to keep up with the times and always handle (employee) data carefully and in compliance with the law.

05.07.2023 Melanie Käser  •   Fanny Sutter, LL.M.

The revised data protection legislation in Switzerland brings with it a number of changes that will affect companies in general. In particular with regard to their function as employers, companies must comply with new and extended documentation obligations.

The most important changes at a glance

The key changes to the new data protection law include, in particular, the following:

  • The data of legal entities are no longer covered by the revDSG, but only those of natural persons.
  • The definition of particularly sensitive data has been expanded to include genetic and biometric data.
  • The principles of ‘privacy by design’ and ‘privacy by default’ are being introduced, which means that software, hardware and services must be designed in such a way that data protection is guaranteed at all times.
  • Data protection impact assessments must be carried out where there is an increased risk to personal privacy or fundamental rights.
  • The obligation to inform data subjects will be substantially extended (proactive information must be provided each time data is obtained) and new documentation obligations will be introduced (e.g. record of processing activities).
  • The range of fines for wilful violation of the revDSG is increased from CHF 10,000 to CHF 250,000 and is directed against the person in the company who personally committed the violation. Prosecution will take place upon request.

For employers, there are two main changes in relation to their employees, which are highlighted below.

The introduction of the record of processing activities

The introduction of a record of processing activities is mandatory for companies. It is intended to ensure the traceability and verification of all data processing activities within the company. Among other things, the record of processing activities must contain information on the purpose of processing, categories of data subjects and categories of personal data processed, the retention period and measures to ensure data security.

A large amount of personal data is typically processed in the employment relationship - from recruitment, personnel administration and payroll accounting to performance and career reviews and development. From 1st September 2023, this data processing must be comprehensively documented in the record of processing activities. It should be noted that companies with fewer than 250 employees are exempt from this obligation, provided that the company's activities do not involve any risky data processing. There are no penalties for failing to implement this requirement. However, implementation is still highly recommended, as it raises awareness of how personal data is handled within the company.

Extended information obligation and data protection declarations

As a consequence of the extended information obligation, companies are strongly recommended to review existing data protection declarations or to introduce data protection declarations where they do not yet exist. The duty to provide information applies in principle to every company, regardless of its size. With regard to employees, it is recommended that the privacy policy be included in the employment contract or provided as a separate document.

It should be noted that the duty to provide information also applies to (rejected) job applicants, as personal data is inevitably processed in relation to them. The data protection declaration can be referred to in the reply letter by means of a link, for example, or a data protection declaration can be added as a separate document. The duty to inform also applies to former employees if personal data continues to be stored.

Your experts for the new Swiss Data Protection Act

Do you need a template for a data protection declaration for your employees or do you have questions about the revised data protection act? Do not hesitate to contact us at any time.
