The nLPD, the new Data Protection Act, is the total revision of the Federal Data Protection Act (DPA), which governs the processing of personal data.
It was approved by parliament on September 25, 2020, and will soon come into force, in September 2023.
Today, on the Internet, we all leave a trace of our passage, our behavior, our habits, our knowledge, describing who we are.
Find out more about nLPD (Swiss) in this blog post.
What is the Data Protection Act?
The nLPD (Swiss) Data Protection Act is the new data protection regulation in addition to the new Data Protection Certification Ordinance (DPCO), which will come into force on September 1, 2023.
What changes will the new Swiss data protection law bring?
First of all, this new Swiss data protection law will make all data collection more transparent for companies.
It is no longer just a question of sensitive data, but of all data.
On this point, the Federal Data Protection Act (LPD) is more tightly framed than the RGPD.
The new scope of the Data Protection Act is limited to the protection of data relating to natural persons; data relating to legal entities, which is still covered today, falls outside it.
Sensitive personal data includes genetic and biometric data.
As far as the register of processing activities is concerned, each company must keep an up-to-date register of its data processing activities, containing the prescribed information.
At present, the Federal Council is considering making an exception for companies with up to 250 employees.
Finally, the nLPD (Switzerland) requires companies to take account of data protection principles in the design of processing and applications.
This is known as Privacy-by-Design and Privacy-by-Default.
What’s the difference with RGPD?
The revision of the nLPD aims to move closer to European legislation in terms of data protection, better known by the acronym RGPD.
Some differences between the (Swiss) nLPD and the RGPD are good to know.
For these reasons, swissprivacy.law has created a comprehensive comparison table between these two legislations, which we invite you to consult.
Generally speaking, the nLPD is intended to be less restrictive than the RGPD.
What you need to do to comply with the new Swiss Federal Data Protection Act
To make your company nLPD (Swiss) compliant, here’s a (non-exhaustive) list of what you need to do:
What happens in the event of non-compliance with the Federal Data Protection Act?
After its entry into force on September 1, 2023, no transitional period is envisaged for the time being.
This means that if you are not yet in compliance by this date, the Federal Data Protection and Information Commissioner may open an investigation and implement strict measures (modifications or interruptions to data processing, etc.).
At the same time, civil redress procedures will be available to people affected by data breaches.
These procedures will be free of charge.
Finally, in the most unreasonable cases, a fine may be imposed.
In summary, putting measures in place now to design a coherent nLPD compliance strategy is necessary to be in good standing for its implementation in September 2023.
Please do not hesitate to contact us if you have any questions.