On 1 September 2023, the completely revised Data Protection Act (nDSG) will come into force, together with the associated Data Protection Ordinance (DSV) and the Ordinance on Data Protection Certifications (VDSZ). It is important to know that there will be no transition period: companies must have implemented the new requirements by the time they come into force. If you have not yet dealt with this topic, it is high time you did. In this specialist article, our legal team gives a brief introduction to the nDSG, highlights three relevant practical examples and provides specific recommendations for HR managers.
What is the nDSG?
Essentially, the law is modelled on the European Union's General Data Protection Regulation (GDPR). As many companies have already adapted to the GDPR, there may now be less need for them to take action. Nevertheless, some Swiss peculiarities should not be ignored. One significant Swiss peculiarity is the criminal offence regime under data protection law, which provides for fines of up to CHF 250,000 for individuals (not companies).
What actually is personal data?
Personal data is information that makes a person directly or indirectly identifiable, such as name, employee/insurance/patient number, location data, IP addresses, social media posts or the naming of several special characteristics (physical, physiological, genetic, psychological, economic, cultural, social). A special category of personal data, known as "particularly sensitive personal data", e.g. data on religious, ideological, political or trade union views or activities, is subject to stricter legal requirements. For example, explicit consent must be obtained for the processing of such data. Incidentally, contrary to expectations, salary data does not fall into this category.
Does the nDSG also apply to companies outside Switzerland?
Yes, due to the cross-border scope of application of the nDSG, situations that take place outside of Switzerland are also affected, provided they have an impact in Switzerland. So specifically, if you...
- as an EU company, have customers in Switzerland and offer them services or products in Switzerland;
- have a branch in Switzerland;
- monitor the behaviour of Swiss citizens in Switzerland (e.g. by evaluating how they use your website or app);
- process data of employees of a Swiss branch abroad (this concerns global corporations).
Core elements of the nDSG
The following core elements of the nDSG regulate principles that must be taken into account for all personal data processing. In order to avoid redundancy, it is recommended that you take a look at the law. At this point, the processing principles and privacy-by-design and privacy-by-default are discussed in particular (see diagram below).
Processing principles
Any processing of personal data requires lawfulness, which can be obtained in several ways. The most common legal basis is the fulfilment of a contract and the consent of the person whose data is being processed (data subject). The aforementioned consent is only valid if the data subject has been informed of the purpose and consent has been given voluntarily. Depending on the type of personal data, consent must be explicit. Implied consent would not be lawful in the case of particularly sensitive personal data, for example. In addition, any processing of personal data must always serve a clearly defined purpose. For example, an address provided for invoicing purposes may not be used for completely different purposes. In principle, personal data is only stored for as long as the purpose of the processing requires. After that, it must be destroyed or anonymised.
Privacy by design and privacy by default
These two principles are related. Privacy by design requires data protection to be built in at the product development stage, for example when programming software. Privacy by default, on the other hand, requires that data protection-friendly default settings are chosen: the least invasive option must always be the default. A concrete example of this is the cookie settings when visiting websites. According to the principle of "privacy by default", only the technically necessary cookies may be enabled by default. The active consent (opt-in) of the website visitor is required for any additional cookies.
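As an added illustration of the cookie example above (this is example code written for this article, not code from the author or from HR Campus), the following snippet contrasts a weak opt-out default with a privacy-by-default configuration. The cookie names and categories are constructed for illustration, and the browser is modelled as a plain list so the code runs stand-alone under Node.

```javascript
// Added example: privacy-by-default cookie gating, modelled without a DOM.
// Cookie names and categories below are constructed placeholders.

// Every cookie the site would like to set, tagged with its purpose category.
// "necessary" = technically required (session, CSRF token); everything else
// is optional and may only be set after an explicit opt-in.
const COOKIE_CATALOGUE = [
  { name: "sessionid", category: "necessary" },
  { name: "csrftoken", category: "necessary" },
  { name: "_analytics_id", category: "analytics" },
  { name: "_ad_tracker", category: "marketing" },
];

// Weak setting: every category pre-ticked, the visitor has to opt out.
function optOutDefaults() {
  return { necessary: true, analytics: true, marketing: true };
}

// Privacy by default: only the technically necessary category is enabled;
// the others stay off until the visitor actively opts in.
function privacyByDefault() {
  return { necessary: true, analytics: false, marketing: false };
}

// Record an explicit opt-in for one category. "necessary" is not
// consent-based and cannot be toggled; unknown categories are rejected.
function optIn(consent, category) {
  if (category === "necessary") return { ...consent };
  if (!(category in consent)) throw new Error(`unknown category: ${category}`);
  return { ...consent, [category]: true };
}

// Apply a consent state: return the cookies that may be set now, and the
// previously set cookies whose category is no longer allowed (to be expired).
function applyConsent(consent, existing = []) {
  const allowed = COOKIE_CATALOGUE
    .filter((c) => consent[c.category] === true)
    .map((c) => c.name);
  const remove = existing.filter((name) => !allowed.includes(name));
  return { set: allowed, remove };
}

// Stand-alone demonstration.
console.log("opt-out default :", applyConsent(optOutDefaults()).set);
console.log("privacy default :", applyConsent(privacyByDefault()).set);
console.log("after analytics opt-in:",
  applyConsent(optIn(privacyByDefault(), "analytics"), ["_ad_tracker"]));
```

The point of the contrast is that the weak configuration sets all four cookies before the visitor has done anything, whereas the privacy-by-default configuration sets only the two necessary ones and leaves the rest to an explicit opt-in; `applyConsent` also reports any cookie that must be removed when consent is narrower than what was previously set.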
HR practice examples
Three specific HR situations are described below from a data protection perspective, which serve as a guide for further clarification.
What personal data may be collected at events (physical or online)?
In most cases, a person has to register for an event and personal data is requested in the process. It is important that only the personal data that is necessary for the purpose of organising the event is requested. For example, is it necessary to provide a residential address or is an e-mail address of the participants sufficient? There must also be a privacy policy on the same page of the registration form or website that provides answers to the following questions: What is done with the personal data? Why exactly was this data collected (see topic regarding residential address above)? How long will it be stored and when will it be deleted? What are the rights of the data subject with regard to data protection? Finally, it is important to emphasise that the data processing specified in the data protection declaration must actually be implemented in this way and that it must not merely remain a statement.
A person starts a new job. The company asks them whether their photo may be published on the intranet alongside the information about their new job. Is the person's consent legally valid?
As already mentioned, the core requirement for valid consent is voluntariness. In the employee-employer relationship, it is questionable to what extent the employee's consent can be voluntary at all. This is because the relationship between employer and employee is always characterised by an asymmetry of power, which is already evident in the right to issue instructions. In this situation, it is easy to imagine that the new person will only agree out of politeness, even if they do not actually feel comfortable with it. For this reason, consent is fraught with problems. At the same time, it is necessary for normal work processes that employees also recognise each other visually. A pragmatic solution could be to give the person the opportunity to choose their own photo.
An employee decides to leave the company or retires. Which data can and may continue to be used?
The special thing about this situation is that an (employment) contract ceases to exist after the employee leaves the company. This fundamentally changes the former relationship between employer and employee. If the company has justified the use of personal data with the current employment contract, there must be a new legal basis for this after the termination of the employment contract.
After an employee leaves the company, the employer's interests change. However, the employer may well have a well-founded interest in retaining the personal data of the former employee beyond the end of the contract. From a legal perspective, risks could arise, for example in the form of possible back pay claims by the former employee. This could result in a variety of personal data becoming relevant: Working hours, bank details, social security data, etc. This justification (any subsequent wage claims as justification for the retention of certain personal data) ends at the latest when the limitation period for subsequent wage claims expires, i.e. five years after the end of the employment relationship.
However, other types of personal data processing are also conceivable. Companies often maintain contact with their former employees, for example in the form of alumni or retiree events. It is therefore advisable to take measures when leaving the company to ensure that future personal data processing is lawful. When joining an alumni organisation or other associations, it makes sense to include a section on data protection or to draw up a data protection agreement. This way, all future data processing can be defined in advance and former employees will not be surprised when they receive information.
Recommendations for HR managers: What you need to do now
Many companies or individual departments are overwhelmed with the implementation of the nDSG requirements and do not know where to start. This is understandable, as many things are not clearly formulated.
As a first step, we recommend creating a processing directory. This is not only expressly required by law, but is also a practical necessity. A processing directory provides a clear overview of all data processed in HR. This allows you to respond to requests from data subjects and formulate a legally compliant privacy policy. The processing directory is therefore an important cornerstone for compliance with the new Data Protection Act and effective data protection practice within the company.
In addition to creating a processing directory, the retention and deletion periods for all personal data used by HR should be listed in a table. Specifically, for each type of personal data it should be defined how long it is to be stored and when it is to be deleted. For example, it must be defined how long medical certificates are to be kept. Determining these periods requires a thorough examination of data protection regulations and other legal provisions (e.g. limitation periods). It is also important to consider possible future scenarios (e.g. which personal data must continue to be processed after an employee leaves the company?).
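To show what such a retention table can look like in practice, and how the "when is it deleted?" question is answered per record, here is an added example (written for this article, not code from the author or from HR Campus). The only period taken from the article is the five-year limitation period for wage claims after the end of employment; every other period, category name and record below is a constructed placeholder that a company would replace with the result of its own legal review.

```javascript
// Added example: a per-category retention schedule for HR data and a check
// that reports which records are due for deletion on a given date.

// trigger = the event that starts the retention clock; months = how long the
// data is kept after that event; basis = why (documentation for the directory).
const RETENTION_SCHEDULE = {
  payroll_and_hours: {
    trigger: "employment_end",
    months: 60, // five-year limitation period for wage claims (from the article)
    basis: "possible subsequent wage claims; limitation period 5 years",
  },
  medical_certificate: {
    trigger: "certificate_date",
    months: 12, // PLACEHOLDER: define after legal review
    basis: "PLACEHOLDER: to be determined by legal review",
  },
  application_dossier: {
    trigger: "application_closed",
    months: 6, // PLACEHOLDER: define after legal review
    basis: "PLACEHOLDER: to be determined by legal review",
  },
};

// Add whole months to an ISO date (YYYY-MM-DD) in UTC and return ISO date.
function addMonths(isoDate, months) {
  const d = new Date(`${isoDate}T00:00:00Z`);
  d.setUTCMonth(d.getUTCMonth() + months);
  return d.toISOString().slice(0, 10);
}

// Deletion due date for one record, or null if the trigger event has not yet
// occurred (e.g. the person is still employed, so the clock has not started).
function deletionDue(category, triggerDate) {
  const rule = RETENTION_SCHEDULE[category];
  if (!rule) throw new Error(`no retention rule for category: ${category}`);
  if (!triggerDate) return null;
  return addMonths(triggerDate, rule.months);
}

// Classify records as of a given date: overdue (should already be deleted or
// anonymised), retained (still within the period) or pending (no trigger yet).
function retentionReport(records, todayIso) {
  const report = { overdue: [], retained: [], pending: [] };
  for (const r of records) {
    const due = deletionDue(r.category, r.triggerDate);
    if (due === null) report.pending.push(r.id);
    else if (due <= todayIso) report.overdue.push(r.id);
    else report.retained.push(r.id);
  }
  return report;
}

// Constructed sample records (not real data).
const SAMPLE_RECORDS = [
  { id: "r1", category: "payroll_and_hours", triggerDate: "2018-06-30" }, // left 2018
  { id: "r2", category: "payroll_and_hours", triggerDate: "2020-01-15" }, // left 2020
  { id: "r3", category: "payroll_and_hours", triggerDate: null },         // still employed
  { id: "r4", category: "medical_certificate", triggerDate: "2022-03-01" },
];

console.log(retentionReport(SAMPLE_RECORDS, "2023-09-01"));
```

Run on the sample records as of 1 September 2023, the report lists r1 and r4 as overdue, r2 as still retained and r3 as pending because its retention clock has not started. The `basis` field is deliberately part of the schedule: it is the documentation that lets the company demonstrate why each period was chosen, which is what the verification obligation described below requires.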
Every company is responsible for providing evidence of data protection-compliant behaviour, which means that the company must be able to prove at all times that it is complying with the new legislation. A strict documentation and verification obligation therefore rests on the company, and personal data must be protected by appropriate security measures. As a company, we have a responsibility to delete the data of applicants, current and former employees and customers as soon as the purpose of processing no longer applies and no other legal basis (for example a statutory retention obligation) exists. It is therefore crucial to know exactly where and in what form personal data is stored. This can affect the following systems, among others: ERP/HR system, CRM software, Excel lists or systematically structured paper dossiers. Careful data inventory and documentation ensure that the new data protection regulations are properly complied with and that the privacy of stakeholders is protected.
Finally, I recommend training new employees on data protection issues during onboarding and making them aware of all relevant documents - including any data protection guidelines, data protection declarations and data protection provisions in the employment contract. If new employees are made aware of and trained in the company's data protection guidelines and see them as an integral part of the corporate culture, it is more likely that their awareness and responsibility in dealing with data protection will grow.
Conclusion: The journey is the reward
Now you have to set off. Serious preparation for the new legislation is highly recommended; taking no measures and not acting is always worse than starting. This also becomes clear when looking at the sanctions for offences. Not only in Switzerland but also abroad, it was noted with disbelief that private individuals can be prosecuted in future if they violate the nDSG. It remains a widely criticised Swiss peculiarity that private individuals can be fined up to a quarter of a million Swiss francs (see Art. 60ff. nDSG). This new regulation can be understood in terms of general prevention, i.e. as a deterrent against violations of the nDSG.
There is no question that there will always be something to do in terms of improving your data protection compliance. Ensuring an adequate level of data protection is an ongoing process. By actively seeking to continuously optimise your data protection measures, you ensure that you meet the requirements and protect the privacy of your stakeholders. Through continuous engagement, you can build trust, minimise your reputational risks and comply with legal requirements. Stay alert, learn from experience and always adapt your data protection strategy to changing conditions. This way, you will be ideally equipped to successfully meet the challenges of data protection and ensure long-term data protection and compliance. Remember: the journey is the reward.

Author

Aniq Iselin
Legal
Master of Law, Legal Counsel and Data Protection Officer (DPO-HSG). He grew up bilingually (German & English), studied law at the Universities of Zurich and Lucerne as well as at the University of Oxford (Oriel College), lectured at universities in Switzerland and abroad, worked as a legal counsel in law firms and consulting companies. He has found his passion in the combination of law and IT, i.e. IT law and, in particular, data protection law. He introduced a data protection organisation at HR Campus. In daily dialogue with software companies and customers, he finds further solutions in the areas of software contract law and data protection.