Quelles adaptations pour la Suisse ?

As of 25 May 2018, the EU's General Data Protection Regulation (GDPR UE) will also apply directly to Swiss companies. The Swiss Data Protection Act is currently being consulted, and the revised Federal Data Protection Act is also due to come into force in autumn 2018 - the pressure on Swiss companies to align themselves with the requirements is considerable. This article explains some of the key aspects of the EU's General Data Protection Regulation from Switzerland's point of view.

Protection de la personne juridique
The European Parliament has formulated a number of new amendments in order to bring the EU GDPR into line with all European countries, including, among others, the Swiss labour market (reason for consideration 137). Thus, all procedures concerning EU citizens and personal data of EU citizens or collaborators must be carried out in accordance with the GDPR. The introduction of the European regulation therefore does not put pressure on the only companies in the EU, but also on exporters, companies that sell by correspondence, owners of online sites in Switzerland, as well as the sectors of the Swiss ICT industry, communication, legal/controlling, the public sector and the data economy in general. The protection of legal persons will, however, be grouped together. The evaluation of the risks as such will be transmitted to the collaborators in charge of data protection or to the data protection officers as of 2018.

Rights of the persons concerned
The basic principle of 'free access to education' remains valid. It is to be noted that the rights and obligations of the persons concerned have been improved. Ces obliga- tions sont mentionnées à l'art. 7 of the GDPR UE. However, the data subject has the right to withdraw his or her consent at any time. On the one hand - from the perspective of possible sanctions and criminal prosecutions - certain persons, namely individual entrepreneurs, may nevertheless be confronted with greater organisational handicaps in terms of data protection, contract types, policies and data protection procedures. On the same token, the en- quêtes pénales du Commissaire fédéral à la protection des données PFPDT seront sollici- tées plus souvent. The list of tasks of the PFPDT has been greatly expanded (among others, art. 37, art. 5, art. 7, art. 16, art. 17), which could lead to a "bureaucratisation" of the authority (source: Management & Quality 06/2017).

Obligations of the persons responsible
What is new is that certain breaches of the data protection law must be reported to the supervisory authority within 72 hours of their discovery, and without delay to the persons concerned. The provision of a data protection officer (internal or external) is also an important issue for Swiss employers.

Thus, the data controller must be in a position to present, or rather to rectify, the data to whomever it may be and to inform the data protection officer immediately in the event of manipulation or loss of personal data (Article 17). There is now a permanent right to information concerning all data bases and facts relating to changes in data (Article 20). This right shall also apply in an explicit manner to the duration of conservation.

Attention : processus automatisés
(FR) The adoption of new techniques that have been used on the Internet over the last few years is a new and significant development. For example, profiling (Article 3(1)(f)), i.e. the generation of personal profiles on the basis of public data (so-called 'big data').

Également de grande importance, les décisions dites automatiques ou autonomes (art. 15). These are online decisions made on the basis of automated processes (no human interaction, e.g. fully automated solvency examinations). Personal data such as genetic, biometric or criminal investigations will not be included in this area.