New Federal Act on Data Protection: retailers must act now


Published on 31.03.2022 by Yannick Küffer, Digital Commerce Consultant, Post CH Ltd

With the new Federal Act on Data Protection, Switzerland is changing the rules of the game for retail too. From now on, non-compliance can be costly, so companies should act now.

In all likelihood, the new Data Protection Act will come into effect in Switzerland on 1 September 2023. This means that retailers in Switzerland must engage more intensively with data protection and data security, just as companies in other European countries are already doing. The Swiss Federal Act on Data Protection is closely aligned with the European General Data Protection Regulation (GDPR), which has been in effect for some time.

What the law requires

In short, the revised law requires the following:

  • Companies must take appropriate technical and organizational measures to ensure data security commensurate with the risk. As far as possible, the measures should ensure the confidentiality, integrity and availability of personal data. What counts as “appropriate” depends on how probable an incident is and how great the damage to the data subject would be. In general, the more sensitive the information being processed, the stronger the required measures.
  • Since attack methods used by criminals change and the IT landscape is continually evolving, the measures taken must be reviewed regularly and adapted as needed.
  • The principles of “privacy by design” and “privacy by default” are taken from the GDPR. This means that already during the development and procurement of technical solutions, care must be taken to ensure that as little personal data as possible is processed, and that the data is protected in accordance with the current state of the art.
  • If a data subject could be severely disadvantaged by a data protection violation, the company must carry out and document a data protection impact assessment before introducing the processing of such personal data. Health data and financial circumstances are examples of this type of information. The assessment must demonstrate which protection measures are being taken to exclude the risk, and all of this must be documented.
  • If a data breach occurs and there is a risk that personal data is or has been compromised, with a resulting risk to data subjects, the law stipulates that the company must report the data security violation as quickly as possible to the Federal Data Protection and Information Commissioner (FDPIC). If in doubt, it is better to report a severe breach once too often than not at all. Besides reporting to the FDPIC, companies must also directly inform the data subjects affected by the breach. If unauthorized third parties gain access to passwords and customer data, and even more so if this includes payment information, that is an incident for which notification is mandatory, regardless of whether it results from an attack or from negligence within the company.

Tough sanctions threatened

Data protection and data security violations have always come with costs. An online shop brought to a standstill by a successful attack loses revenue. And if the incident becomes known, the company’s reputation is damaged, which can also result in lower revenue. In contrast to the current law, criminal sanctions with fines of up to CHF 250,000 will be imposed in the event of a deliberate breach of data security (which also includes accepting a risk through negligence). A peculiarity of Switzerland is that the fines are not directed at the company; instead, criminal sanctions are directed at the person responsible for the data protection violation.

It is precisely because of this personal culpability that retail companies should take greater action.

Pay attention to outsourcing and data exporting!

In order to implement the technical and organizational measures mentioned above, it is advisable to prepare a “data inventory” (a register of processing activities), if one does not already exist. The Federal Act on Data Protection explicitly requires this. The inventory clarifies where data relating to a person is stored and processed.

Most online shops use technical components provided by third parties (e.g. tools for newsletter administration, payment systems, etc.), so this data is not processed and stored by the company itself. Nevertheless, the retailer remains responsible for data security. This is why a contract for this “order processing” should be concluded with every external service provider. This is done with a standardized order processing contract that follows a European template and is also known as a Data Processing Agreement (DPA). All reputable service providers should already have an appropriate contract prepared.

If the supplier’s systems are located abroad, for example if the newsletter service is based outside Switzerland, the processing of data is considered an export. Note that the FDPIC maintains a list of countries whose legislation provides an adequate level of data protection. This list includes the member states of the European Economic Area (EEA), the United Kingdom, Canada, Israel and New Zealand. In general, this means that if a provider cannot process the data on a server in one of the listed countries, the data should not be processed with that provider, because exporting it to such a country is not permitted.

Yannick Küffer

Yannick Küffer is a Digital Commerce Consultant at Swiss Post’s Digital Commerce Competence Center. In this role, he supports retailer customers in developing their level of digital maturity by providing strategic advice relating to digitization and designing solutions.
