The amended data protection law is expected to come into force in 2022. It brings new rights and duties. Here are the most important points.
High-risk profiling – only with consent
Personal data can be evaluated automatically from various sources. With this “profiling”, for example, personality profiles, living conditions and behaviors of a person can be derived. If this is associated with a high risk for the personality or the fundamental rights of the person concerned, that person's express consent must be obtained.
Jürg Eberhart is a lawyer in the Eberhart law firm AG, Bern and Solothurn. In addition to other activities, the law firm specializes in contract and corporate law, telecommunications and data protection law. He is a member of GetYourLawyer.
Automated individual decisions – only with information and the right to review
When a system makes its own decisions, it is called “automated individual decision-making” (e.g. which insurance policy should be the right one for a certain person). There is also an obligation to provide information. The data subject can request that the decision made automatically be checked by a person in the company.
More information requirements – not only for data that is particularly worthy of protection
In the new data protection law, the information rights and obligations are greatly expanded. This is intended to enable the data subjects to better control their data.
More documentation requirements – especially for companies
The companies are obliged to keep a record of all data processing. It is still open whether the Federal Council will provide for exceptions for companies with fewer than 50 employees.
Data protection impact assessment to assess the risks of a violation of personality
Companies that are planning to process data must assess in advance whether this entails a high risk of a violation of the personality or the fundamental rights of a data subject.
Fines for intentional offenses
In the event of an intentional violation, fines of up to CHF 250,000 can be imposed on company executives. In the case of fines of up to 50,000 francs and in cases where the effort involved in identifying the criminal offense would be disproportionate, the company can also be asked to pay instead of the natural person.
This is how SMEs avoid the stumbling blocks:
It is necessary to raise awareness of the handling of personal data. It already makes sense to designate a person in the company who is responsible for data protection. An internal data protection check is also recommended.
If necessary, an external expert should be used to check which data is collected in which systems, for what purpose, to whom it is passed on, whether the necessary consent has been given, whether data protection impact assessments are necessary and whether automated individual decisions are made.
If a company recognizes the pitfalls of the new data protection law and prepares accordingly, it can definitely avoid future fines or damage to its reputation.