On 1 September 2023, the totally revised Data Protection Act (revDSG) will come into force in Switzerland and fiduciary companies will have to comply with additional mandatory regulations when handling personal data. In this blog post, you will get an overview of the most important changes brought about by the new data protection law.
Data is considered the most important currency of the digital world. Among other things, it allows companies to deepen the bond with their customers, to develop new products according to the needs of their target group and to increase market share by means of targeted marketing measures. Data protection is primarily needed to protect “informational self-determination” (people are allowed to decide for themselves what should happen to their data) and to keep the privacy of individuals protected as technology develops.
Attention: This blog post will only give you an overview of the new data protection law. If you have specific questions about the implementation of the revDSG in your trust company, you should seek legal assistance.
This data requires particularly strong protection
Data protection laws protect the rights of individuals to their data. In most industrialised countries – including Switzerland – personal data on religious, ideological, political or trade union views and activities, as well as data on health status, sexual orientation, administrative and criminal prosecutions or sanctions, and receipt of social assistance are considered to be particularly worthy of protection. A breach of data security in these cases can have serious consequences for the data subject. With the revised Data Protection Act (revDSG), which will come into force in Switzerland in September 2023, genetic and biometric data will also be included in the definition of data requiring special protection.
Thousands of fiduciaries in Switzerland work daily with personal data such as wages, national insurance numbers and contributions to political parties from private individuals or sole proprietorships. In payroll accounting, they also see when employees of a client company receive daily sickness benefits, are on maternity or paternity leave or move house. According to the Data Protection Act, personal data must always be processed and transmitted in such a way that it cannot be read, copied, changed or deleted by unauthorised persons. With the revised Data Protection Act, additional regulations must be followed.
This is what lies behind the new Swiss data protection law
Parliament adopted the new Federal Data Protection Act in its 2020 autumn session. The revDSG brings changes to the processing of personal data and grants Swiss citizens more rights to their data. Why was it necessary to revise the Swiss Data Protection Act? “The first federal law on data protection dates back to 1992. In the meantime, the Swiss population has integrated the use of the internet and smartphones into their everyday lives, and social networks, cloud services or the internet of things are also becoming increasingly popular. Against this background, a complete revision of the data protection law is indispensable to guarantee the population adequate data protection adapted to the technological and social changes of our time,” writes the Swiss State Secretariat for Economic Affairs (SECO) on its SME portal. The compatibility of Swiss law with EU law, in particular with the General Data Protection Regulation (GDPR), is the second major concern of the new law. The revDSG is intended to ensure that the free movement of data with the European Union can be maintained.
Fiduciary companies must document their data protection measures
The totally revised Data Protection Act will apply from 1 September 2023. Only personal data of natural persons, i.e. private individuals and sole proprietorships, will be covered by the revised Data Protection Act. When you provide consultations, tax returns, audits or financial accounting for legal entities, you must therefore ask yourself whether your fiduciary company also processes data of the natural persons behind the company. Only then is the revised Data Protection Act relevant.
According to the seven principles of the Data Protection Act, personal data must be processed lawfully and in good faith. Personal data may only be obtained for a specific purpose that is recognisable to the data subject and may only be processed in this context. The consent of the data subject is only valid if it is given voluntarily. Consent must be given explicitly, especially in the case of particularly sensitive personal data, high-risk profiling by a private person, and profiling by a federal body. If data is inaccurate or incomplete, it must be corrected or deleted. As soon as the data is no longer required, it must either be anonymised or destroyed.
By means of technical measures and data protection-friendly default settings, you must protect the personal data processed by your fiduciary company against unauthorised access, leaks and losses. You must document the measures taken to this end so that they can be submitted to the Federal Data Protection and Information Commissioner as part of your accountability obligation if required. As a data processor, you should prepare a so-called data protection impact assessment in accordance with the revised Data Protection Act if a potentially high risk to the personality or the fundamental rights of the data subjects can be identified when processing personal data. In addition, you must delete or anonymise personal data as soon as it is no longer needed and there is no legal obligation to retain it. This is also part of the accountability obligation. It is advisable to draw up a so-called data processing agreement in all instances, in which you define the rights and obligations of each party with regard to data protection. If you have already adapted to the EU’s GDPR, you will only have to make a few changes when the revised Data Protection Act comes into force.
How fiduciary software simplifies the secure storage of sensitive data
Fiduciary companies are currently particularly at risk of losing valuable data in the event of hacker attacks or other IT disasters. Many trust companies have linked their document management system (DMS) to accounting software through an interface. This allows the two systems to communicate with each other. However, this poses security risks: since DMSs are often not cloud-based, files stored in a DMS are not automatically stored in a cloud. Such gaps between separate digital and automated systems therefore make it more likely that sensitive data will be lost in the event of a hacker attack, system failure or loss of the work device.
Fiduciary software can significantly simplify data storage and backup in your fiduciary business. All relevant data is kept on a secure platform that only you and authorised employees can access. You define access rights so that you always have control over who can view and edit data. The platform provider normally takes all basic security measures, takes care of backups and creates an IT emergency plan (disaster recovery) so that no personal customer data – which is therefore subject to the revDSG – is lost in the event of hacker attacks, natural disasters or a loss of work equipment.
When working with external software providers, you should always inquire about the data retention location for data protection reasons. Many international accounting software and fiduciary software providers have their headquarters in the USA, where access to company data is possible without judicial control by means of the Patriot Act. In Switzerland, however, this is not permitted. Therefore, opt for a solution that is completely hosted in Switzerland and explicitly ask where your data is stored.