On September 1, 2023, the new Data Protection Act (revDSG) will come into force in Switzerland.

For individuals, this means more transparency and rights with regard to their own personal data. For companies, it means adapting the dissemination and storage of customer and employee data in accordance with the revised law.

We summarize the most important changes for you:

1. Only the data of natural persons is affected, legal persons (companies) find their rights in legal bases such as ZGB or UWG.

2. Previously, data on origin, health-related aspects or information on religious affiliation or political opinion were considered "particularly sensitive data". In addition, biometric data such as fingerprints or retina scans, genetic data, and information on ethnic affiliation are also protected.

3. The principles of "privacy by design" (which means that data protection is taken into account from the outset in the development of software and hardware as soon as personal data is to be processed) and "privacy by default" (which means that data protection should already be ensured through data protection-friendly default settings). In this way, less tech-savvy users who are unable to make their own data protection settings according to their needs should also be protected. Precise internal planning of data privacy settings is essential and saves trouble later on.

4. The consequences of processing personal data must be assessed in advance if there is a risk to personal or fundamental rights.

5. Extension of the duty to inform: The data subject must be informed when any personal data is collected. (E.g. consent banner when calling up websites).

6. Mandatory directory of data processing activities. There is an exception here for SMEs (less than 250 employees) if a low risk of violation of personal rights can be assumed.

7. Direct notification to the Eidgen. Datenschutz- and Öffentlichkeitsbeauftragten (EDÖB) in the event of a breach of data security.

8. Inclusion of the term "profiling" in the FADP. This is understood to mean the automated processing of personal data.

The following aspects are important

A gap analysis is very suitable in order to close existing gaps:

• As a company, you should have an overview of which data is processed for which purpose.

• Critically review and question the collection of personal data. Which data is necessary? Can you explain data collection beyond that?

• Reduce query criteria to a minimum.

• Restrict data access within the company to as few people as possible.

• Take stock of technical defaults and improve them. At the same time, you can check the user-friendliness of data-related queries and give users insight into the use of mandatory data (create transparency).

• Conduct training sessions within your company to make EVERYONE aware of the importance of the topic.