Among all the discussions about SCHREMS II and the new SCCs (Standard Contractual Clauses), one significant innovation of the revised Swiss Data Protection Act (FDPA) almost got lost. Namely, the extension of the previous duty of confidentiality to a general duty of confidentiality for all professionals.
Now, in principle, any person can qualify as a perpetrator of a secret. Whereas Art. 35 previously limited the scope of protection to personal data and personality profiles requiring special protection, Art. 62 of the revised FDPA speaks in general terms of "disclosing secret personal data." This leads to a considerably broader scope of protection of the data. Violations are now punishable by up to CHF 250,000 instead of up to CHF 10,000. At the same time, the limitation period is extended from three to five years. This is a significant increase, and all business owners and Data Protection Officers (DPOs) should be cautious when reviewing their existing policies covering confidentiality.
Much more data is covered by the new scope of protection, which inevitably increases the risk of errors. For companies, this raises the question of which areas and positions fall under this extension. Have these areas and employees been identified? Do employees have to be specially trained? Do your directives have to be adapted? Do you have specific 'need-to-know' principles built into your existing policies and prodedures? Are they being adhered to? All of these questions should be considered when you audit your organisations' data protection and cyber security procedures.
If you need support in preparing to implement the revised Data Protection Act requirements, or any element of data protection and cyber security policies and procedures, get in touch with our expert in-house team.