What is the nFADP?

The law is generally compatible with the European Union's General Data Protection Regulation (GDPR). As many companies have already implemented the GDPR, they're likely to have minimal changes to make. However, some regulations are specifically Swiss and shouldn't be ignored. One such Swiss peculiarity is the data protection punitive regime, which makes provision for fines for individuals (not companies) of up to CHF 250,000.

What is personal data?

Personal data is data that can be used to directly or indirectly identify a person, such as name, employee/social security/patient number, location data, IP addresses, social media contributions or the mention of specific features (physical, physiological, genetic, mental, financial, cultural, social). A special category of personal data known as "sensitive personal data", such as data about religious, ideological, political or trade union views or activities, is subject to stricter legal requirements. For example, explicit consent is required before such data may be processed. Contrary to expectations, wage data isn't considered to be sensitive personal data.

Does the nFADP also apply to companies outside Switzerland?

Yes! The cross-border scope of application of the nFADP means that relationships that are managed outside Switzerland are affected if they have an impact in Switzerland. In other words, if you

• as an EU company have clients in Switzerland and offer services or products to these clients in Switzerland;
• have a branch office in Switzerland;
• observe the conduct of Swiss citizens in Switzerland (e.g. by analysing how they use your website or app);
• process data relating to employees at your Swiss branch office abroad (applies to global corporate groups).

Core elements of the nFADP

The following core elements of the nFADP regulate principles that have to be considered for any and all processing of personal data. To avoid redundancy, it's worth taking a look at the law. In this article, we specifically consider the principles of processing and the privacy-by-design and privacy-by-default concepts.

Processing principles

All processing of personal data must be lawful, and lawfulness can be established in various ways. The most common lawful basis is provided by the implementation of a contract and the consent of the person whose data is processed (data subject). Such consent is only valid if the data subject was informed about the purpose of processing and has voluntarily given their consent. Depending on the type of personal data, consent must be given explicitly. Tacit consent, for example, wouldn't be lawful in the case of sensitive personal data. In addition, a clearly defined purpose must be provided for each instance of processing of personal data. For example, an address provided for invoicing purposes may not be used for an entirely different purpose. Personal data may only be stored for as long as required for the purpose of processing. After this period, the data must be destroyed or anonymised.

Privacy-by-design and privacy-by-default

These two principles are related. Privacy-by-design requires that data protection be implemented during the process of developing a product, for example when programming software. Privacy-by-default, on the other hand, requires settings that promote data protection. The least invasive option must always be selected. A specific example is cookie settings for visits to websites. According to the privacy-by-default principle, only the technically necessary cookies may be set as standard. The active consent (opt-in) of the visitor to the website is required for additional cookies.

HR examples in practice

The following provides a description of three HR-specific situations from a data protection perspective, which are meant to serve as a guideline for further investigations.

What personal data may be collected at (physical or online) events?  

In most cases, people have to register for an event, during which process personal data is collected. It's important that only personal data that's required for the purpose of presenting the event is collected. For example, is a residential address really necessary, or would the participant's email address be sufficient? In addition, on the same page as the registration form or on the website, a data privacy statement must be available which provides answers to the following questions: What will be done with the personal data? Why is this data in particular collected (see comments on residential address above)? How long will the data be stored, and when will it be erased? What are the rights of the data subject regarding data protection? In summary, it must be emphasised that the data processing mentioned in the data privacy statement must be implemented in this exact manner, and may not simply pay lip service to the topic.

Someone starts a new job. The company asks them if their photo may be published on the intranet, in addition to the news that they joined the company. Is the new employee's consent lawful?

As mentioned before, the core requirement for valid consent is that the consent was given voluntarily. When it comes to the employee/employer relationship, it's questionable to what extent any consent by the employee can be given voluntarily. The balance of power in the employee/employer relationship is always unequal, which is already demonstrated by the authority to issue directives. In this situation it can easily happen that the new employee consents out of courtesy only, even though they don't really feel comfortable with the situation. Such consent is therefore problematic. On the other hand, it's necessary for employees working together to also know one another's faces. A pragmatic solution could be to give the new employee the option to choose their own photo.

An employee decides to leave the company or takes retirement. What data can and may be used going forward?

This situation is special in the sense that the employment or contractual relationship is cancelled when the employee leaves. This fundamentally changes the former relationship between the employer and the employee. If the company previously cited the employment contract to justify the use of personal data, a new lawful basis must be found after the termination of the employment contract.

The employer's interest changes when the employee leaves. However, the employer can still have a legitimate interest in storing the former employee's personal data past the end of the contract. In legal terms there could be risks, for example additional wage claims by the former employee. If such claims are asserted, a range of personal data could become relevant: working hours, bank data, social insurance data, etc. This lawful basis (possible additional wage claims as the reason for storing specific personal data) ends at the latest when the limitation period for additional wage claims expires, i.e. five years after the end of the employment relationship.

Other data processing is also possible. Companies often maintain contact with their former employees in order to invite them to events for alumni or pensioners. It's therefore a good idea to put measures in place when employees leave the company that will provide a lawful basis for the future processing of their personal data. When a former employee joins an alumni organisation or another association, the inclusion of a paragraph on data protection or a data privacy agreement would be a sensible measure to take. In this way, all future data processing can be agreed in advance, and former employees won't be surprised when they receive information.

Recommendations for action by HR managers: what you must do now

Many companies or specific departments are overwhelmed by the implementation of the provisions of the nFADP and don't know where to start. This is understandable, as many provisions aren't formulated clearly.

As the first step, I recommend setting up a register of processing activities. This isn't just explicitly prescribed by the law, it is also a practical necessity. A register of processing activities provides a clear overview of all the data processed by HR. It allows you to react to requests from data subjects and to formulate a data privacy statement that complies with the law. The register of processing activities is therefore an important prerequisite for complying with the new Data Protection Act and also an effective tool for the protection of data by your company.

In addition to the preparation of a register of processing activities, the periods for storing and erasing all personal data used by HR should be listed in a table. It should specifically be determined for all types of personal data how long the data may be stored, and when it must be erased. For example, it should be defined for how long doctor's certificates must be stored. The provisions of data protection law and other legal provisions (e.g. limitation periods) should be studied carefully in order to define these periods. It's also important to consider possible scenarios (e.g. what personal data must still be available for processing after an employee has left the company?).

Every company is responsible for providing proof of their compliance with data protection legislation. This means that you as a company must at all times be able to prove that you are observing the new legislation. Your company thus bears the burden of proof and obligation of strict documentation, and you must implement suitable measures to protect personal data. As a company you're responsible for erasing the data of applicants, current and former employees and clients as soon as the purpose for processing no longer applies or there is no other lawful basis for processing, e.g. statutory storage obligations. It's therefore of key importance to know exactly where and in what form the personal data is being stored. This can involve the following systems: ERP/HR system, CRM software, Excel lists or systematically structured paper dossiers, etc. Through careful data capture and documentation practices, you can ensure that you correctly observe the new provisions on data protection and guarantee the protection of the personal privacy of your stakeholder groups.

And finally, I recommend training new employees about data protection during the onboarding process and drawing their attention to all relevant documents – such as data protection guidelines, data privacy statements and provisions relating to data protection legislation in their employment contracts. When new employees are made aware of and given training about the company's data protection guidelines and regard these as an integral component of the corporate culture, it's more likely that they will be more responsible about the topic of data protection.

Conclusion: the journey is the reward

You now have to get started. Serious preparation for the new legislation is urgently recommended. Failing to take measures and to act will always be worse than starting. This is also made clear when we look at the sanctions for breaches. Not only in Switzerland but also in other countries the fact that private individuals can in future be prosecuted under criminal law for breaches of the nFADP has caused much shaking of heads. It's a widely criticised Swiss peculiarity that private individuals can be fined up to CHF 250,000 (cf. Art. 60 et seq. nFADP). This new provision could be interpreted as a general prevention measure, i.e. to warn people against breaching the nFADP.

But there's no question that there'll always be work to do with regard to improving your compliance with data protection legislation. Guaranteeing an appropriate level of data protection is an ongoing process. By actively pursuing the optimisation of your data protection measures, you'll ensure that you meet the requirements and protect the privacy of your stakeholders. With continuous engagement you can establish trust, minimise the risks to your reputation and meet the statutory requirements. Remain alert, learn from experience and constantly adjust your data protection strategy to changing requirements. This will equip you to successfully meet the challenges of data protection and to guarantee long-term data protection and compliance. Remember: the journey is the reward.

Author