In its 2020 autumn session, Parliament adopted the new Federal Data Protection Act. The revised Data Protection Act (revDSG) will come into force throughout Switzerland on 1 September 2023. Find out what may change for your fiduciary company with the new data protection law in this blog post.
Thousands of fiduciaries work with personal data such as wages, national insurance numbers and information about contributions to political parties from private individuals or individual companies every day. In payroll accounting, they also see when employees of a company they support receive daily sickness benefits, are on maternity or paternity leave and get married or divorced. Personal data on religious, ideological, political or trade union views and activities, as well as data on health status, sexual orientation, receipt of social assistance, and data on administrative and criminal prosecutions or sanctions are considered to be particularly worthy of protection under the Swiss Data Protection Act. A breach of data security in these cases can have serious consequences for the data subject.
Attention: This blog post only gives you an overview of the new data protection law. If you have specific questions about the implementation of the revDSG in your trust company, you should seek legal assistance.
Data protection laws protect the rights of individuals to their data and thus prevent violations of their personality rights. The first federal law on data protection is already over 30 years old. With the totally revised Data Protection Act (revDSG), which will apply from 1 September 2023, genetic and biometric data will also be included in the definition of data requiring special protection. According to the Swiss State Secretariat for Economic Affairs (SECO), the revDSG is intended to guarantee the Swiss population “adequate data protection adapted to the technological and social changes of our time”. The compatibility of Swiss law with EU law, in particular with the General Data Protection Regulation (GDPR), is the second major concern of the new law. The revDSG is intended to ensure that the free movement of data with the European Union can be maintained. If you have already adapted to the GDPR, you will therefore only have to make a few changes when the revDSG comes into force.
What changes for trust companies with the revDSG?
The revised Data Protection Act concerns disclosure, profiling, high-risk profiling, as well as the processing of personal data, which includes obtaining, storing, retaining, using, modifying, sharing, archiving, deleting and destroying. The listed actions must always comply with the 7 principles according to Art. 6 DPA – see chapter “Fiduciary companies must document their data protection measures” in Part 1. In the event of a deliberate violation of the Data Protection Act, fines of up to CHF 250,000 may be imposed. In addition to financial sanctions, data protection violations can also lead to permanent loss of reputation and trust on the part of clients, prospective clients and partners.
Fiduciaries must protect the personal data they process from unauthorised access, leakage and loss through appropriate technical and organisational measures as well as technology and data protection-friendly default settings. When introducing data protection-friendly data collection, there are two new measures: data protection by default (Privacy by Default) and data protection by design (Privacy by Design). Privacy by Default means that all IT systems are configured to protect personal data out of the box, so that no corrective action is needed later. With Privacy by Design, on the other hand, you build data protection into your strategy and into the design of your processes and systems from the start, in order to protect all data. Document the measures and processes you have taken so that you can submit them to the Federal Data Protection and Information Commissioner (FDPIC) as part of your accountability if necessary. As a data processor, you should prepare a so-called data protection impact assessment in accordance with the revised Data Protection Act if a potentially high risk to the personality or fundamental rights of the data subjects can be identified in the case of personal data processing. In the event of a breach of data security, a rapid report must be made to the FDPIC. In addition, you must delete or anonymise personal data as soon as it is no longer needed and there is no legal obligation to retain it. This is also part of the accountability obligation.
Extra tip: With revDSG-compliant fiduciary software such as Accounto, you can store and edit all data on a secure platform. You define the access rights yourself, so you have complete control over who can view and edit data. Before choosing an accounting or trust software, you should always ask about the data storage location for data protection reasons. Many software companies have their headquarters in the USA, where access to company data is possible without judicial control by means of the Patriot Act. In Switzerland, on the other hand, this is not permitted. Experience in a free live demo of the Swiss fiduciary software Accounto how your fiduciary company can simplify revDSG-compliant data retention.
Note that only personal data of natural persons are covered by the revDSG. The data of legal persons are no longer affected. In the case of consultations, tax returns, audits or financial accounting for legal entities, you must always ask yourself whether your fiduciary company also processes data of the persons behind the company in the process. Only then is the revDSG relevant.
This notice now belongs on every trust company website
One of the most important changes brought about by the revised Data Protection Act is an extended duty to inform: Before each collection of personal data – and no longer only of so-called particularly sensitive data – you must inform the data subject in advance. To this end, you should share a data protection statement on your website and inform visitors that their data will be collected and possibly processed. In addition, you need a cookie banner with which you obtain the consent of the website visitors to the data processing. “The obligation to inform ensures transparent data processing and strengthens the rights of the persons concerned,” writes the FDPIC. Make sure that the banner content is clearly understandable.
Your clients, current and former employees and all possible data subjects may ask at any time what data your fiduciary company is processing about them within the framework of the right to information enshrined in the revDSG. They may also request the release or deletion of data. When deleting data, always observe the statutory retention periods. As a contact point for data subjects and the supervisory authority, you should set up a separate e-mail address such as datenschutz@name-treuhandunternehmen or datenauskunft@name-treuhandunternehmen and designate a person responsible for data protection-related enquiries. Your trust company must respond to data protection enquiries within a maximum of 30 days. The person responsible for data protection enquiries should therefore check the e-mail box regularly in order to be able to meet the response deadline.
Please note: This blog post only provides an overview of the revised Data Protection Act. If you have specific questions about the implementation of the revised Data Protection Act in your trust company, you should consult data protection experts and lawyers.