The General Data Protection Regulation (GDPR) was formulated by the European
Union and applies in the EU and the European Economic Area. It is a regulation in
EU law on data privacy and protection. The GDPR's primary aim is to enhance
individuals' control and rights over their personal data and to simplify the
regulatory environment for international business.
This regulation replaced the earlier directive on the protection of personal
data. It sets out a wide array of data protection and privacy rights. The Swiss
Data Protection Act, formulated by the Swiss Federal court, does not follow the
GDPR drafted by the EU; however, the two have a lot in common. The Federal
Constitution of the Swiss Confederation provides the right to privacy. The
revised FADP is intended to protect only the privacy of natural persons about
whom personal data is processed.
The basic principles of data processing remain unchanged in the new DPA. The DPA
continues to deviate from the EU General Data Protection Regulation (GDPR): under
the GDPR, the processing of personal data is generally prohibited unless there is
a legal ground such as consent, the performance of a contract, a sufficient
legitimate interest or a provision in the law.
Switzerland also does not go as far as the GDPR in terms of the requirements for
valid consent; essentially nothing changes here compared to the current legal
situation in Switzerland, with the exception of a minor change with respect to
profiling. The grounds on which data processing activities can be justified
remain more or less the same as in the current DPA. The right to impose fines
lies with the cantonal law enforcement authorities (which are not specialised in
data protection), and the catalogue of fines has been significantly expanded.
The GDPR applies to more companies in more places and protects more data. The
DPA applied only to companies that control the processing of personal data
(Controllers). The GDPR extended the law to those companies that process
personal data on behalf of Controllers (Processors). The fines imposed for
breaches of the GDPR are greater than those under the DPA.
The regulator continues to emphasise the need for accountability within
organisations and diligent record keeping. Organisations are required to
demonstrate compliance with the GDPR. Under the DPA, the regulator recommended
that organisations notify it if they experienced a data breach. Under the GDPR,
however, there is a requirement to notify the regulator and the individuals
affected under certain circumstances. Under the DPA, personal data of legal
entities are no longer protected, even though certain general protections
continue to apply.