New Swiss Data Protection Act (nDSG) – What has been extremely important since 01.09.2023?
The new Data Protection Act (nDSG) and the associated ordinances came into force in Switzerland on September 1, 2023. The legal change adapts data protection to today’s technology and society. People should be able to better understand and control how their data is used. This was long overdue, considering that the old Data Protection Act dated back to 1992. Google was founded in 1998, and Facebook (Meta) went online in 2004. By then at the latest, large-scale data collection had begun 🐙. The GDPR has also been in force since May 2018, and Switzerland has now followed suit, albeit with one major difference in penalties.
I will explain why IT security is even more important as a result and why many are only now reacting.
Why was a new law needed?
The new Swiss Data Protection Act has two main objectives:
- It updates the rules to adapt them to today’s technologies such as cloud, social media, AI, Big Data, and IoT. This is intended to give people more control over their own data.
- It ensures that data protection in Switzerland is brought up to the level of the EU. This is important so that data exchange between Switzerland 🇨🇭 and the EU 🇪🇺 can continue without problems. The law also takes into account EU regulations and international data protection agreements.
Personal data? It doesn’t concern me!
It concerns everyone who deals with personal data: at work, in an association, or in private life (excluding friends and family). As soon as information relates directly or indirectly to a specific natural person, it is considered personal data. This includes not only names and addresses, but also things like IP addresses or email addresses. If such data is collected, stored, used, changed, or deleted, this is considered processing and the updated Data Protection Act applies.
Privacy by Design and Privacy by Default
“Privacy by Default” and “Privacy by Design” mean that companies must incorporate data protection into their technology and settings from the outset. This means that data protection rules must already be considered during the planning phase when developing apps or websites. In addition, the default settings should always be the most privacy-friendly option. For example, if a website has a member area, the user’s name should not be visible by default.
Minimize data collection to what is necessary
When something is built from scratch with data protection in mind (Privacy by Design), it is naturally easier to take this into account; retrofitting it later is always more complex. It is important that data is only used for the purpose for which it was originally collected. It may only be used for other purposes if there is a valid reason, such as fulfilling a contract, or if the data subject explicitly consents.
If the data is no longer required for the original purpose, it must be deleted or anonymized without delay.
Cookies 🍪
The annoying thing about cookies and the associated cookie banners.
Cookies are small text files that are stored by websites on the user’s computer or mobile device. They are often used to improve the user experience by saving settings or tracking user behavior. In the new Data Protection Act, cookies are relevant because they often collect personal data. The law therefore requires that users are clearly and distinctly informed about which cookies are used and for what purpose. In addition, users must give their consent before cookies can be set. The default settings that can be seen in the cookie banner must be data-protection-friendly. This means that only absolutely necessary cookies should be activated automatically.
However, operating a website without cookies that collect user data is no longer difficult. Thanks to the GDPR, various new tools are available as alternatives that take data protection seriously. Our website does not use cookies.
Privacy Policy
The Privacy Policy is an essential document that should be available on every company website. It informs visitors and customers about what personal data is collected, how this data is used and stored, and what rights data subjects have in relation to their data. A clear and understandable privacy policy is not only good business practice, but also legally required, especially in light of the new data protection laws. It should be updated regularly to reflect new legal requirements or changes in data processing practices.
The Right to Your Data
Every person has a right of access to the data stored about them. This information must generally be provided within 30 days and free of charge to the person concerned. Individuals have the right to have incorrect data corrected or to request the deletion of data. However, these rights are not absolute and are subject to restrictions, such as retention obligations.
IT Security
Let’s now turn to the actual topic of this article: how to protect data. As you can see, there are various places in a company where data is collected and therefore stored. Anything stored somewhere can be stolen, encrypted, changed, or deleted. With the right technical measures, it is now possible to prevent unwanted changes.
The introduction of the new Data Protection Act (nDSG) in Switzerland has significantly increased the importance of IT security in companies, especially in small and medium-sized enterprises (SMEs). Although IT security has always been a critical factor, the nDSG has further intensified the urgency of this issue. Since the law came into force on September 1, 2023, we have received a significant increase in inquiries from SMEs looking to strengthen their IT security measures.
Someone else should take care of it
Many inquiries we received focused on the Managed Detection and Response (MDR) service. Companies want to delegate responsibility and recognize that IT security is not simply taken care of by installing a firewall and the already existing Windows Defender.
It therefore makes sense to outsource this task to external service providers who deal with threat hunting full-time, do nothing else, and know the field extremely well. This is a wise decision, as MDR offers proactive monitoring and response to security incidents, which aligns with the requirements of the nDSG. If you have additional systems in the company, you can also send this third-party telemetry data to Sophos. This means that this data can also be taken into account for a comprehensive security analysis.
Nevertheless, you still hear from people who think they can do it themselves and underestimate the scope of this topic. I can recommend this article with the videos; you will quickly change your mind: The Ransomware Documentary
I am primarily talking about the endpoint here, but the same naturally applies to the firewall. Configuration, maintenance, auditing, and penetration testing should be carried out by trained personnel or, if that expertise is not available internally, outsourced to an external service provider like us.
Security Audit - Always test again
While most people take regular inspections and maintenance for their cars for granted, because they are required by law, IT security is often neglected. Yet especially today, with the threat landscape constantly growing and changing, it is essential to put IT systems to the test again and again.
An important step toward robust IT security is regular audits and penetration tests. While audits verify compliance with security policies, penetration tests simulate cyberattacks to identify vulnerabilities in the system. Both methods are important to ensure that security measures meet current requirements.
A few Cybersecurity Best Practices
In our recently published blog post “Sophos Recommendations – Cybersecurity Best Practices”, we highlighted several points that are important for IT security. Many of these points could fall under the category of “negligence” if not observed, especially in light of the new nDSG.
Reporting obligation
FDPIC stands for the Federal Data Protection and Information Commissioner in Switzerland. It is an independent authority that monitors and enforces data protection at the federal level. In the new Data Protection Act (nDSG), the FDPIC plays an important role because it is responsible for monitoring compliance with the law. In the event of data breaches that pose a high risk to the personal rights or fundamental rights of the data subjects, these must be reported to the FDPIC. It can also issue instructions and impose sanctions if data protection regulations are not complied with.

Under the nDSG, cyberattacks that lead to a breach of data security must be reported to the FDPIC. This is particularly the case if the attack poses a high risk to the personal rights or fundamental rights of the data subjects.
A data security breach occurs if personal data is unintentionally or unlawfully lost, deleted, destroyed, altered, or made accessible to unauthorized persons. This must be reported to the FDPIC without delay. The report must be made as soon as possible, generally within 72 hours of the attack becoming known. The FDPIC is the competent authority for receiving such reports and further monitoring the situation. However, the incident must also be reported to the NCSC: Report incident to the National Cybersecurity Centre (NCSC)
Such a scenario should be thought through in advance, not only once the worst has already happened.
Criminal liability
In the case of intentional violations of the nDSG, such as violations of information, disclosure, cooperation, or due diligence obligations, private individuals can be fined up to CHF 250,000. In the case of offenses in business operations, companies can be fined up to CHF 50,000 if the identification of the culpable persons would involve disproportionate effort and a fine for them of no more than CHF 50,000 would be considered.
This is also the key difference compared with the GDPR. With regard to criminal liability, it is particularly important to note that since September 1, 2023, violations of certain obligations can trigger liability not for the company, but for the responsible natural person. Responsible persons can include members of management, other decision-makers in the company, or individuals who committed a breach of duty (for example, a breach of confidentiality). Under Swiss law, however, only intentional conduct is punishable.
A fine of up to CHF 250,000 can be imposed in Switzerland for various data protection offenses, including:
- Lack of transparency or missing privacy policy
- Missing contractual agreements with data processors
- Failures in data security such as insufficient technical and organizational measures (TOMs)
- Transfer of personal data to countries without adequate data protection, without additional security precautions, or without a valid exception, such as consent
- Failure to comply with the obligation to provide information
- Disregard of the so-called “minor professional secrecy”
The revised Swiss Data Protection Act also provides for criminal consequences for individuals who are responsible for such offenses.
FAQ about the new nDSG
What is the new Swiss Data Protection Act?
What are the penalties for violations of the nDSG?
What does "Privacy by Design" mean?
Do companies have to inform users about the processing of their data?
Does the nDSG also apply to companies outside Switzerland?
What requirements does the new nDSG place on consent?
Who is affected by the new Data Protection Act?
Disclaimer ⚖️
Please note that this blog post is only a brief summary of aspects of the new Data Protection Act that we consider important. We are not legal experts or lawyers. For comprehensive legal advice, you should consult a qualified lawyer to ensure that you comply with all legal requirements. Our main source here was Admin.ch :: Press release :: New data protection law from September 1, 2023
