Is the new Swiss data protection law compatible with Europe? Which law governs your organization?

by | 23.6.2023 | Privacy | 0 comments

Update 2019: The current draft of the BR is not GDPR compatible. This amounts to the next conflict with the EU. It is unbelievable how some politicians in Bern have committed themselves to the protection of privacy on paper, but at the same time torpedo the most important law, which aims to protect precisely this.

Shortly before Christmas 2016, the Federal Council had presented the first draft of Switzerland’s new data protection law (E-DSG). On 15.9.2017, a revised and adjusted version was prepared, in which the consultation results were taken into account. Dr. Bruno Wildhaber has written an article comparing the two laws and drawing the consequences for companies in Switzerland.

Download our comprehensive position statement on the topic (as of 10 2019):


    Due to the significant deviations of the e-DSG from the GDPR mentioned above, it must be assumed that the current draft will not meet the EU requirements. Essential principles of the GDPR were not adopted in the Swiss draft. Based on the discussions we have with regulators in the context of certifications, it is safe to assume that at least the German authorities will take a hard line. Since these also dominate the relevant working groups within the EU, the opinion is not necessarily likely to be in Switzerland’s favor.

    Apply the principles of the GDPR. The additional expense is low and it should be well worthwhile to implement a uniform regime. You can find out what this means in the attached article.

    GDPR: What you need to have under control

    • They know where your personal data is stored and can also provide information about it on the basis of documentation.
    • You can delete personal data: you know the data lifecycles and can actively manage them (information governance).
    • They know their IT risks and ideally have a risk management system in place (ISMS).
    • Their contracts do not contain any inadmissible clauses and are transparent with regard to data retention.
    • They prioritize checking new data stores/projects for potential privacy issues (risk impact assessment BEFORE the solution goes live).
    • You know your data flows (and are thus also equipped for the data protection impact assessment according to DSGVO).
    • In short, you have mastered your IT processes and implemented information governance, at least for personal data.

    What does data protection have to do with information governance?

    The background information on the development of data protection can be found in the basic article on the revision of the Data Protection Act. These considerations serve as a guide to help you assess the importance of “information governance” in the context of data protection.

    The person responsible for processing the personal data (“processor”) as well as the commissioned data processor are held much more accountable than was previously the case. ” Processing” now explicitly includes all possible forms and phases of handling personal data.

    Thus, the draft law explicitly refers to all phases of the data lifecycle in several places (Art. 3(1)(d)). Already at the procurement stage, the responsible party has comprehensive obligations (Art. 13) and must inform the data subject, for example, which data is to be processed for which purpose.

    The data controller must have full control over the personal data throughout its processing (from creation to destruction). In concrete terms, this means that the person responsible must know at all times:

    • which data is processed by whom,
    • where they are stored,
    • how old they are,
    • whether they are correct,
    • how long they have been stored,
    • whether they have been modified and
    • who edited them.

    KRM services

    The KRM has been dealing with the issue of data protection for many years. This will allow our customers to consider and implement the high requirements of data protection as early as possible.

    The following actions are necessary for data protection implementation:

    1. Establishment of
      Information Governance Organizations
      and structures
    2. The
      certification of procedures
      according to the new data protection law
    3. Carrying out data protection impact assessments and preparing risk analyses
    4. Conception, setup and operation of
      Data Clean Up Service
    5. Support in the creation of legally compliant
      procedural documentation
    6. Assumption of mandates as data protection officer and coaching in companies



    Submit a Comment

    Your email address will not be published. Required fields are marked *

    Related articles

    On 16.3. is Digital Cleanup Day

    On 16.3. is Digital Cleanup Day

    Tidying up is clearly not everyone's cup of tea, but we all know the good feeling that a tidy room, a tidy desk or ... a tidy drive! You can feel proud with a clear conscience, because deleting data also has an important effect on energy consumption. I have calculated...

    read more
    Dealing with data risks: Data breach notification

    Dealing with data risks: Data breach notification

    A data breach notification or "data breach notification" refers to the process by which an organization or company is required to notify the relevant data protection authorities and, if applicable, data subjects of a data breach that is likely to result in a high risk...

    read more