The Swiss Data Protection Act: Records Of Data Processing – Data Protection



The new Swiss Data Protection Act introduces several key
provisions, including the requirement for entities processing
personal data to maintain detailed records of their data processing
activities. The regulation outlines specific elements that must be
included in the records of data processing, such as the objectives
behind data processing, the varieties of personal data processed,
and particulars of data transfers to foreign territories, among
other requirements. Let’s unpack what this means for businesses
and data handlers in Switzerland.

Applicability and Responsibility

A common query arises: are all businesses subject to this
requirement? Essentially, the answer is affirmative, with limited
exceptions. Regardless of whether you operate a global conglomerate
or a nascent startup, if your operations involve personal data
processing, the Swiss Data Protection Act obliges you to document
these activities. Responsibility for maintaining these records
falls on the shoulders of both data controllers (those who
determine the purposes and means of processing personal data) and
processors (entities that process data on behalf of the
controller).

Checklist for Data Controllers

  • Data controller identification: identify the entity responsible
    for data management.

  • Data processing purposes: indicate ‘the why’ behind
    processing activities.

  • Categories of data subjects: define the groups of individuals
    whose data is being processed.

  • Categories of personal data: specify the types of personal data
    being handled.

  • Data recipients: identify any third parties granted access to
    the data.

  • Data retention periods: specify the duration for which the data
    will be stored or outline the criteria used to determine this
    period.

  • Data security measures: describe the protocols established to
    ensure data security.

  • International data transfers: for data shared across borders,
    provide details of the destination countries and the protective
    measures implemented.

Checklist for Data Processors

  • Data processor identification: identify the entity processing
    the data.

  • Data controller’s details: record the identity of the data
    controller on whose behalf the processing is conducted.

  • Nature of processing activities: detail the types of processing
    undertaken on behalf of the controller.

  • Data security measures: describe the protocols established to
    ensure data security.

  • International data transfers: for data shared across borders,
    provide details of the destination countries and the protective
    measures implemented.

Limited Exemptions

Private entities with fewer than 250 employees and natural
persons are generally exempt from this record-keeping obligation.
However, there’s a catch: if the processing involves a
significant volume of sensitive data or entails high-risk
profiling, record maintenance is mandatory, irrespective of the
entity’s size.

Implementing Effective Data Processing Records

Implementing an effective record-keeping system might seem
daunting, but it rests on several key principles. First, ensure
clarity and accessibility of records. This means keeping records in
a format that’s easy to understand and readily available for
inspection by the relevant authorities. Second, adopt a proactive
approach to record-keeping. Regularly assess whether your data
processing activities or workforce size trigger the record-keeping
requirement.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
