New Federal Act on Data Protection Strengthens Rights

As of September 1, 2023, the new Data Protection Act is in force. It improves the control over your personal data.

One objective of the total revision of the Data Protection Act was to raise the level of data protection to that of the European Union. In addition, the law was improved by creating more transparency in the processing of personal data and expanding the rights of data subjects.

We explain the most important innovations and what advantages they bring for you.

Stricter Provisions for the Processing of Data

Various extensions in the new Data Protection Act ensure that your data is even better protected:

  • Personal data may only be processed for a specific purpose that is recognizable to the person concerned. Employees Switzerland, for example, processes data in order to be able to make you, as a member, customized offers.
  • Data on ethnic origin as well as genetic or biometric data are now also considered to be particularly worthy of protection. This means that, for example, facial or voice recordings of you are better protected.
  • Anyone who wants to obtain and process data from you must inform you about this in a precise, transparent and comprehensible manner. This can be done, for example, by means of a data protection declaration, as published by Employees Switzerland on its website (see link at the end of this article).
  • Personal data must be destroyed or anonymized as soon as it is no longer required for the purpose of processing.
  • Every person who processes data must make sure that it is correct. Incorrect data must be corrected or deleted.
  • Technical aids must be designed in such a way that they comply with the principles of the Data Protection Act. Software, for example, must be programmed in such a way that data is deleted or anonymized at regular intervals.
  • Technical aids must be set up in such a way that only as little data is processed as is necessary for the intended purpose.
  • Persons in charge and commissioned processors must take technical and organizational measures to ensure adequate protection against unauthorized processing.
  • Anyone who processes personal data must not violate the personality of the persons concerned. This would be the case, for example, if personal data were processed contrary to the person's express declaration of intent or if particularly sensitive personal data were disclosed to third parties.

New Obligations Ensure More Careful Handling of Data

With the new Data Protection Act, anyone who procures data has to fulfill new and extended obligations:

  • Responsible parties must disclose to those affected by the data processing who is responsible for the data processing, for what purposes the data is collected and who the possible recipients of the data are.
  • A record of data processing activities must be kept.
  • Data controllers must ensure that commissioned data processors only process data in the same way as they are permitted to do themselves.
  • If a company wants to introduce new data processing (e.g., to offer a new app on the website or smartphone), it must clarify what consequences this will have for data protection.
  • If breaches of data security are identified, this must be reported to the Federal Data Protection and Information Commissioner. This is the case, for example, in the event of a hacker attack or if an e-mail containing personal data is mistakenly sent to an incorrect recipient address.

Right to Information and Surrender of Data

Thanks to the new Data Protection Act, you have better control over your data. This is due to the following two rights:

  • The right of access allows you to obtain information about how the data concerning you is processed. For example, you can find out the purposes for which your data is processed or where it is passed on.
  • The right to data output and transfer gives you the opportunity to obtain your data in a common electronic format or to have it transferred to others. The prerequisite is that the data is processed automatically. The right to data output, which is free of charge to you, allows you to turn your data into money by making it available to providers for a fee.

Infringements Cost up to a Quarter of a Million Francs

There may be exceptions to certain rights. For example, the right to information can be denied if overriding interests such as business secrecy militate against it.

Violations of the new Data Protection Act can now result in fines of up to 250,000 Swiss francs. In addition to moral reasons, this is another reason to handle personal data with care.


Legal Counseling