The topic of ensuring the highest level of data security and confidentiality is core to all businesses. With the new Swiss data protection regulations in force since September 2023, it is strongly recommended that Swiss companies deal with the new law and its requirements and make the necessary adjustments, especially to the data protection agreements, contracts and privacy policies. Already with the introduction of the GDPR back in 2018, Chorus Call has worked closely with its legal representatives to understand its impact and, by adopting a multi-department approach, ensured the smooth introduction of the regulation. So, what is relevant for the Investor Relations Officers (IROs), what needs to be considered and what measures should be taken? Thanks to the acquired expertise and being in line with the nFADP, we would like to provide some insights on the topic.
By Chorus Call
This overview is intended for information and awareness purposes only. It is not a substitute for legal advice.
Responsibility – Implication of the IROs
Federal Act on Data Protection (FADP)
The responsibility for ensuring the lawful and secure processing of personal data lies with the entity that processes or has personal data processed for the performance of its tasks; in other words, this entity is fully responsible for any unlawful activity or breach of security attributable to the third party entrusted with the processing of personal data; consequently, if the Company relies on an external service or on a third-party IT platform in the course of its activities, it must ensure that this external provider applies and is liable for a level of protection of personal data no lower than that applicable to the Company itself.
What are the purpose and scope of the new law Federal Act on Data Protection (nFADP)?
The new law (nFADP) aims to protect the personality and fundamental rights of natural persons who are in Switzerland and whose data is processed by private individuals or the state. Data from legal entities is no longer protected. The underlying idea is to give data subjects more transparency and thus strengthen their rights regarding their own data (“informational self-determination”). This is also intended to promote prevention and the personal responsibility of data processors. This involves strengthening data protection supervision and expanding criminal provisions. The law also creates new obligations for companies, particularly when it comes to the collection, loss or misuse of personal data.
What steps are necessary to become compliant with the new FADP? What measures are required?
Without going into the individual technical, legal and IT aspects of compliance with the nFADP, a pragmatic action plan should include at least the following measures:
- Determine responsibilities and functions
For project planning, it is important to determine responsibilities and assign functions in advance. A central data protection office (coordinator, contact person) should be created.
- Raising awareness
The following applies to both small and large companies: each employee at any level, regularly processing personal data, must be made aware of the issue of data protection: from apprentices to managing directors,.. Although neither the nFADP nor the GDPR explicitly require that training is carried out, in fact this is often necessary in order to create a certain sensitivity to the topic in the company.
- Transparency and information
Transparency in data processing remains an important principle under the new FADP. In addition, there is an obligation to provide information when obtaining data. The person responsible must inform the data subjects about various aspects of data processing(s). It is therefore essential to create or update data protection notices with a view to the entry into force of the nFADP (on the company website, but also in the correspondence).
- Internal organization and processes
In order to be able to respond in accordance with the law to requests from those affected (e.g. a customer's request for information or deletion) or to a breach of data security ("data breaches") in which personal data is lost, stolen or misused, clear internal processes must be established and appropriate instructions must be drawn up. Depending on the incident, these should define in particular which employees (including representatives) must take which measures within which deadline.
- Creation and maintenance of a register of processing activities
The nFADP stipulates that both the person responsible and the processor must keep a register of their processing activities. This obligation generally applies to all companies. However, the Federal Council can provide exceptions for companies with fewer than 250 employees. The creation of such directories requires that all processing of personal data within a company be identified and systematically compiled. Especially in cases where no corresponding directories are yet maintained and many different processes are carried out, this process involves considerable effort and should therefore be addressed at an early stage.
- Review of contracts
Companies should review their contracts with customers, suppliers and service providers as well as employees with a view to the innovations and, if necessary, adapt them. This requires early precautions. Rapid implementation is also advisable because it must be expected that many contractual partners will demand contracts or contractual adjustments in order to ensure data protection compliance.
- Stay informed
In order to become aware of the topic of data protection compliance under the nFADP, you must be able to understand the specific effects of the new law on your own processing processes. Find out more on the Data Protection Authority (FDPIC) website, on relevant blogs, in specialist magazines and take part in various training courses (e.g. from chambers of commerce and industry).
GAP analysis and assessment of risks
Using a gap analysis (comparison of the actual and target status), the necessary implementation work can be identified and then documented. Templates for processing directories can also be used for these purposes.
Some obligations of the nFADP, such as the requirements for data security, the obligation of Small and Medium-sized Entreprises (SMEs) to keep processing records or the obligation to carry out a data protection impact assessment, depend on the risk that the company's data processing entails. For this reason, a prior risk assessment is required to determine the specific implementation measures. To ensure adequate data security, the protection needs of personal data and the technical and organizational measures appropriate to the risk must be determined.
Increased risks and therefore higher requirements for data protection compliance (especially data security) may exist, for example, if:
- Companies process a large amount of personal data. For example, companies that specialize in online sales or import/export have a large customer base that generates a significant amount of personal data.
- Companies process particularly sensitive personal data (as defined in Art. 5 lit. c nFADP). For example, companies that process personal data about political or religious opinions, health, genetic or racial data, social welfare, law enforcement, etc. are affected.
- Companies carry out high-risk profiling.
- Companies carry out automated individual decisions.
In these cases, the requirements for data protection are higher than for companies that process data from a limited number of employees, suppliers, customers, etc.
Depending on the type and extent of personal data processed, data protection compliance work requires the development or use of data protection know-how as well as the regular establishment of internal processes in order to meet the requirements of the new law. The material resources (data management software, etc.), the human resources (data protection officers or employees responsible for data protection, etc.) and the time that must be spent on this should not be underestimated.
Depending on the scope of the compliance requirements, companies are strongly recommended to use the services of IT experts, lawyers and training offers from chambers of commerce.
- A comprehensive inventory is key Companies must fulfill certain information obligations under the nFADP, i.e. when obtaining personal data, they must provide information about the identity of the person responsible, the purpose of processing, any data recipients, etc. In addition, they must be able to fulfill the rights of those affected, for example to provide a data subject with information about the processing of their personal data. All of this requires that companies know which personal data is being processed and for what purposes, whether the data is being transferred to other countries and to other people, etc. As a result, companies should first carry out an inventory of all data processing. The new legally required directory (so-called processing directory) can serve as a template. This not only creates a good starting point for the development of further (mandatory) data protection documents (e.g. data protection declaration, NDAs, etc.), but at the same time the (possible) obligation to keep a processing directory can be fulfilled. Such an inventory is a collective effort that must involve all employees involved in processing personal data.
- IT security Under the heading of data security, companies must ensure that the security of their IT systems and software applications meets the requirements of the new law. This includes, in particular, technical and organizational measures (so-called TOMs, e.g. access rights, pseudonymization) to prevent cyberattacks, data manipulation, data theft and other data loss. The TOMs are intended to achieve the protection goals of data security in accordance with Art. 2 DSV (confidentiality, availability, integrity and traceability).
In this context, it should be mentioned that there is an obligation to review and, if necessary, adjust the measures taken “throughout the entire processing period” and that an intentional violation of the minimum data security requirements is subject to sanctions.
Some of Chorus Call GDPR regulations milestones include:
Chorus Call Certification HERE
Chorus Call supports a large number of companies listed on the Swiss Stock Exchange delivering digital conferencing solutions in the field of financial communication at executive level.
Our clients are very sensitive to confidentiality matters and continue to choose our services because our infrastructure guarantees the highest standards of data protection in daily business operations. By adhering to this rigorous framework, we ensure that the best practices are put in place to prevent data loss and other security incidents.
Ensuring data protection compliance is not a one-time exercise. Rather, this should be regularly reviewed and, if necessary, adjusted due to technical (e.g. new IT systems), legal (e.g. legal adjustments or official practice) and entrepreneurial (e.g. new services, branches in other countries) developments. No matter what your conferencing needs are, whether it be the type of applications, a selected audience, the facilities and locations involved, or any kind of additional service, you may need to ensure that your provider will meet those requirements and will have the necessary expertise to provide a trustworthy solution.
We found an interesting interview about the “Swiss FDPA what to know before September 2023”. Click here to view it.