Thought leadership from our experts

Pre-Draft of Revised Swiss Data Protection Act published – introducing new duties on Companies doing Business in Switzerland

On 22 December 2016 the Federal Department of Justice and Police published the long expected pre-draft of the revised Swiss Data Protection Act ("DPA"). The new DPA will have serious effects on companies doing business in Switzerland which are well advised to start implementation of the required measures now in order to be fully compliant once the revised DPA will enter into force (presumably in 2018).

The revised DPA will impose several new duties (see below) on all companies doing business in Switzerland and it foresees serious fines for those companies that do not comply. Once the revised DPA will be in force, the data protection supervisory authority will have a much stronger power to enforce the law and punish firms by imposing very high fines (from previously CHF 10,000) of up to CHF 500,000 (in the case of intent) and CHF 250,000 (in the case of negligence).

Consequences for Companies doing Business in Switzerland

The revision of the DPA (as well as similar changes in data protection laws in the EU) will lead to a paradigm shift in that violations of data protection legislation will forthwith expose companies to serious sanctions, whilst, so far, data protection breaches very rarely entailed any material consequences.


In the light of this, companies must act now and ensure to be fully compliant once the revised DPA (and as far as they offer services and goods in the EU, the new EU data protection legislation) will be in force. They must, in particular, (1) perform a thorough due diligence to establish a comprehensive overview on all personal data which they process as well as the relevant processes of using and disclosing such personal data, (2) implement required processes and policies to ensure compliance with the revised law (3) monitor, forthwith, use of personal data to ensure strict observations of the new rules and (4) in general, raise awareness within the workforce so as to avoid violations of the new DPA and exposure to the new sanction regime.

Companies doing business in Switzerland must act fast and implement the necessary measures in due course as the revised DPA is expected to come into force in 2018 (and the new legislation in the EU which may apply to Swiss companies doing business in the EU and which will be similar to the revised DPA will enter into effect on 25 Mai 2018).