New data protection law

In the 2020 fall session, Parliament adopted the new Federal Data Protection Act. The main goal is to improve the processing of personal data and to grant more rights to the Swiss population. It has been in force since the beginning of September 2023.

The first federal law on data protection was introduced in 1992. In the meantime, digitization became an important part of everyday life through the use of the Internet, smartphones as well as other mobile devices. The importance of social networks, cloud services and other Internet-based services also grew steadily. Against this backdrop, it became clear that in order to guarantee appropriate data protection adapted to the technological and social changes of the time, a complete revision of the Data Protection Act was essential.

The most important changes:

  • Only the data of natural persons is affected; the data of legal entities is no longer covered.
  • Genetic and biometric data are defined as requiring special protection and are included in the law.
  • The principles of "Privacy by Design" and "Privacy by Default" are introduced. "Privacy by Design" means that developers must build protection and respect for the privacy of users into the structure of products or services that will collect personal data. The principle of "Privacy by Default" ensures that all necessary measures for data protection and the restriction of data use are already in place by default, i.e. without user intervention, at the highest level of security when the product or service is placed on the market. In other words, all software and hardware products and services must be configured in such a way that data is protected and the privacy of users is guaranteed. This is implemented by website and practice software providers.
  • Impact assessments must be carried out if there is a high risk to the personality or fundamental rights of the data subjects.
  • The duty to inform is extended: data subjects must be informed in advance whenever personal data is obtained, and no longer only when so-called particularly sensitive data is obtained.
  • A register of processing activities is mandatory. However, the Ordinance to the Act provides for an exception for SMEs whose data processing involves only a low risk of violations of the personality of data subjects.
  • Rapid notification is required if data security has been breached. It must be sent to the Federal Data Protection and Information Commissioner (FDPIC).
  • The term "profiling" (the automated processing of personal data) was included in the law.

The entire article, which also deals with the processing and storage of personal data, can be found in the members area. There you will also find a factsheet with all the important changes, a privacy policy from which you can take the relevant passages and adapt them for your website, and a consent form for your patients / clients to download and print.

Helpful links:

Federal website on the new data protection law

Guideline for the retention and archiving of personal data