Swiss Data Protection Act

On 25 September 2020, the parliament of Switzerland replaced its long-existing Federal Act on Data Protection of 1992 (“1992 Law”) with a modernized version, the Federal Act on Data Protection 2020 (“revised FADP”). The referendum period will end in January 2021 and the revised FADP is expected to come into effect in January 2022.

The revised FADP has brought several significant changes to the previous data protection law in line with the recent technological advancements. Some of the key changes introduced in the revised FADP are explained below:

Personal Data:

Both the 1992 Law and the revised FADP define personal data as any information relating to an identified or identifiable natural person. Under the 1992 Law, information relating to an identified or identifiable legal person is also considered personal data; the revised FADP, however, no longer governs the processing of data relating to legal persons. All other categories of information covered by the 1992 Law, such as information that directly identifies a person or that allows a person to be identified indirectly by reference to additional information, continue to be considered personal data under the revised law.

Sensitive Personal Data:

As per the 1992 Law, the following categories of personal data are considered sensitive:

  • Personal data concerning religious, ideological, political, or trade union-related views or activities,
  • Personal data concerning health, the intimate sphere, or the racial origin of an individual,
  • Personal data concerning social security measures, and
  • Personal data concerning administrative or criminal proceedings and sanctions.

Retaining the above categories, the revised FADP has added two additional categories:

  • Genetic data, and
  • Biometric data that uniquely identifies an individual.

Data subjects’ rights:

In the 1992 Law, data subjects have the following rights:

  • The right to receive information about the processing,
  • The right to access,
  • The right to rectification and deletion,
  • The right to receive a copy of the personal data,
  • The right to transfer personal data to another controller,
  • The right to object to the processing of the personal data, and
  • The right to complain to the Federal Data Protection and Information Commissioner (FDPIC).

In addition to the aforementioned rights of data subjects, the revised FADP has introduced the following two new rights:

  • The right to data portability: data subjects may receive their data in a commonly used electronic format and transmit it to another controller, and
  • The right to intervene in automated decision making: data controllers must inform data subjects of decisions that are based solely on automated processing and that have legal effects on them or affect them significantly, so that data subjects can choose not to be subject to such automated decision making.

Increased Obligations on Organizations:

The data processing principles of lawfulness, good faith, transparency, purpose limitation, accuracy and data security of the 1992 Law continue to apply in the revised FADP. However, the revised FADP has introduced further responsibilities on organizations which are as follows:

  • Enhanced information obligation: Data controllers must inform data subjects of the controller’s identity and contact details, the purpose of the processing, the recipients or categories of recipients of the data where it is transferred to third parties, the jurisdiction the data is transferred to and the requisite safeguards implemented in the case of cross-border data transfers.
  • Records of processing activities: Both data controllers and data processors must maintain records of their data processing activities. This obligation does not apply to companies with fewer than 250 employees whose processing entails only a low risk of infringing the personality of the data subjects.
  • Data protection impact assessments: A data protection impact assessment is mandatory whenever a data processing activity is likely to pose a high risk to an individual’s personality or fundamental rights. Where the processing involves sensitive personal data on a broad scale or the systematic monitoring of extensive public areas, data controllers must carry out such an assessment to identify the risks of the processing and mitigate them.

Mandatory breach notification obligation:

Under the revised FADP, data controllers must notify the FDPIC as soon as possible of any data loss that is expected to pose a high risk to the personality rights or fundamental rights of data subjects. Data controllers may also be required to notify the affected data subjects where this is necessary to protect them or where the FDPIC requests it. With the introduction of the mandatory breach notification obligation, data controllers are no longer required to register their data files with the FDPIC when they process sensitive personal data or regularly disclose personal data to third parties, as the 1992 Law required them to do.

Cross-border data transfers:

The revised FADP allows cross-border data transfers only to countries that provide an adequate level of data protection. For all other countries, and in the absence of an adequacy decision by the Federal Council, data controllers and data exporters may rely on treaties or on contractual measures such as standard contractual clauses and binding corporate rules. The FDPIC maintains a list of countries that provide an adequate level of data protection, which is reviewed at least once a year. The list currently recognizes the countries of the European Union and the EEA and some non-European countries such as Argentina, Canada, New Zealand and Uruguay as providing an equivalent and adequate level of data protection. Following the decision of the Court of Justice of the European Union in the Schrems II case, the FDPIC removed the United States from the list of countries offering an “adequate level of protection under certain circumstances” and declared that data protection in the United States is insufficient. As a result, the Swiss-US Privacy Shield can no longer be relied on for cross-border data transfers.

Swiss representatives:

Under the revised FADP, all organizations established outside Switzerland are required to appoint a representative in Switzerland where their data processing

  • is related to the offering of goods or services in Switzerland or to the monitoring of the behaviour of data subjects in Switzerland,
  • is extensive,
  • takes place regularly in Switzerland, and
  • is likely to result in a high risk to the personality of data subjects.

There is no such obligation to appoint a Swiss representative under the 1992 Law.

Severe fines:

Under the revised FADP, data controllers may be held criminally liable and fined up to CHF 250,000 for wilful misconduct. This is significantly higher than the CHF 10,000 maximum in the 1992 Law, and it applies to a broad range of violations. Any such fine is imposed by a court of competent jurisdiction.

What’s Next?

The FDPIC has stated that it will offer a more detailed statement on the revised law once the ongoing referendum period has expired. Until then, organizations should proactively manage and avoid potential personal data breaches and review their data protection policies in line with the requirements of the upcoming Swiss Federal Act on Data Protection.

Ask for a DEMO today to understand how SECURITI.ai can help you comply with the Swiss revised Federal Act on Data Protection, GDPR, e-Privacy Directive, and a whole host of other global privacy laws and regulations, with ease.


The government of Thailand has passed its first-ever data protection law, the Personal Data Protection Act (PDPA), which came into effect in May 2020. Like the European Union’s General Data Protection Regulation (GDPR), the PDPA requires an appropriate level of security for the personal information of users and grants them several protections and rights.

The PDPA governs the collection, use or disclosure of personal information by data controllers or data processors located in Thailand, regardless of whether the collection, use or disclosure takes place in Thailand. It also applies to the collection, use or disclosure of personal data by data controllers or data processors located outside Thailand where that activity relates to the offering of goods or services to data subjects in Thailand, whether or not payment is made by the data subject, or where the data subject’s behaviour is monitored in Thailand. The law does not, however, apply to foreign public authorities, international organizations or public entities, including those engaged in duties relating to the prevention and suppression of money laundering, forensic sciences or cybersecurity.

Consent for data processing:

The PDPA requires data controllers and processors to obtain the free consent of users by way of an explicit written request before processing their information. Any such request must be in clear and plain language and inform users of the purposes of the processing. Data subjects have the right to withdraw their consent at any time, and withdrawing consent must be as easy as giving it. A data subject’s consent is not needed where data is processed for a public interest purpose, to avert a danger to a person’s life, body or health, for the performance of a contract to which the data subject is a party, or for compliance with a legal obligation.

Data Subjects’ Rights:

Under the PDPA, data subjects have the following rights:

  • Right to access: Data subjects have a right to access and obtain a copy of their personal data from controllers and processors. This right must be acted upon without delay and in any event within one month of the receipt of the data subject’s request.
  • Right to information: Data subjects have a right to receive their personal data from controllers and processors in a readable format. This right must be acted upon within a reasonable time, and in any event within one month of the collection of the data, at the time of the first communication with the data subject, or when the personal data is first disclosed to a recipient.
  • Right to object: Data subjects have a right to object where their data is collected without fulfilling the consent requirements, or is processed for direct marketing purposes, or is processed for scientific, historical or statistical research purposes. Controllers and processors can rely on exceptions: for instance, a data subject’s objection can be overruled where the processing is necessary for public interest reasons.
  • Right to erasure: Data subjects have a right to have their data deleted by the controller or processor where they withdraw their consent, where the data is no longer necessary for the purpose for which it was collected or processed, or where the data was collected unlawfully.
  • Right to restriction of processing: Data subjects also have a right to request that the use of their personal data be restricted. This right applies where the data subject opposes the erasure or destruction of the personal data but still objects to further processing, and therefore requests that processing be restricted in certain situations, such as when the data is no longer needed for the purpose for which it was acquired.
  • Right to rectification: Data subjects have a right to request the rectification of inaccurate data and the completion of incomplete data stored about them.
  • Right to data portability: Data subjects also have a right to request that data be transmitted from one controller to another in a readable format that can be used or disclosed by automatic means. This right may not be exercisable for technical reasons.

PDPA and GDPR:

While most of the provisions of the PDPA relating to data subjects’ rights are modelled on the GDPR, certain differences can be observed. Some of the notable differences concerning data subjects’ rights between the two regulations are as follows:

  • Where the GDPR provides a list of information to be included in the response to an access request, the PDPA does not prescribe any such list or what needs to be included.
  • The PDPA does not prescribe a specific timeline within which the data controller must respond to an erasure request. The GDPR, on the other hand, requires controllers to facilitate the exercise of a data subject’s right to erasure without undue delay and in any event within one month of the receipt of the request.
  • Where the GDPR grants the data subject an explicit right not to be subject to a decision based solely on automated processing, including profiling, the PDPA provides no such right.

Breach Response Framework:

Under the PDPA, data controllers and processors are required to adopt appropriate security measures to prevent data loss or security incidents. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of persons, the data controller must notify the Office of the Personal Data Protection Committee without delay and, where feasible, within 72 hours of becoming aware of the breach. Where a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller must also inform the affected individuals of the breach without delay, together with the remedial measures that can be taken.

Cross-border data transfer:

The law requires that the destination country or international organization receiving personal data from controllers and processors in Thailand have an adequate data protection standard. This requirement may be waived where the cross-border transfer complies with a law, where the transfer is necessary for the performance of a contract to which the data subject is a party, or where the consent of the data subject has been obtained after he or she has been informed of the inadequate protection standards of the destination country.

Penalties:

A violation of the PDPA may result in civil liability, criminal liability and administrative fines. For example, a data controller may be liable to pay compensation to the data subject for the damage suffered, and such compensation includes all necessary expenses incurred by the data subject to prevent or suppress the damage. Under the PDPA, the maximum penalty is a fine of five million Baht and imprisonment for a term not exceeding one year, depending on the type of violation.

Concluding thoughts:

In light of recent technological changes and the challenges arising out of COVID-19, Thailand’s Personal Data Protection Act is a welcome addition to the privacy legal landscape. It indicates that governments have started to recognize data privacy as a basic human right. In today’s digital economy, it is high time that transnational and multinational companies accept data privacy as a human right and not merely a consumer right, and ensure that their privacy policies fully comply with applicable laws.

How can SECURITI.ai help?

SECURITI.ai is the leader in AI-powered PrivacyOps and data governance. Similar to DevOps for software, PrivacyOps re-imagines how to efficiently implement privacy management throughout an organization. SECURITI.ai is a recognized innovator in this market, having been awarded "Most Innovative Startup" at RSA Conference 2020, and Leader in the Forrester Wave: Privacy Management Software. SECURITI.ai's PrivacyOps solution uniquely combines real-time data intelligence harnessing bot and AI technology with full workflow automation of all the major privacy compliance functions.
