On 1 September 2023, the new Federal Data Protection Act (DPA) will come into force in Switzerland. Many data controllers located in the EU or third countries who process personal data from Swiss data subjects will then need a representative in Switzerland. We summarise the important information on the new Switzerland representative for you.
The most important questions and answers about the Switzerland representative
The new Swiss data protection law is based in large parts on the EU General Data Protection Regulation (GDPR). It is therefore not surprising that a mirror image has also being created of the EU representative, as required by Art. 27 GDPR for companies outside the EU, or the UK representative, as required by Art. 27 of the United Kingdom General Data Protection Regulation (UK GDPR) from companies outside the UK.
In addition to many similarities between Swiss representative and EU representative, there are also some differences resulting from ancillary Swiss laws:
Art. 14 DPA contains the requirement for the mandatory designation of a representative in Switzerland. Accordingly, private data controllers must designate a Swiss representative if the data controller’s registered office or place of residence is outside Switzerland and the data controller processes personal data from people who are in Switzerland.
The data processing must meet one of the following requirements:
- The processing is related to the offer of goods and services or the observation of the behaviour of persons in Switzerland.
- This is an extensive processing.
- This is a regular processing.
- Processing entails a high risk for the personality of the persons concerned.
In addition, the Eidgenössische Datenschutz- und Öffentlichkeitsbeauftragte (EDÖB) (the Swiss data protection authority) may also order, as an administrative measure within the meaning of Art. 51 DPA, that a company domiciled or resident abroad designate a Swiss representative.
Authorities or public bodies as well as data processors do not have to designate a Swiss representative.
For private data controllers, there are only the following exemptions from the obligation to name a representative:
If the processing of data
- is only done occasionally,
- is not extensive or
- does not entail a high risk for the personality of the persons concerned.
Data controllers must take into account the nature, circumstances, purpose and risks to the rights and freedoms of data subjects. Especially for online businesses, such an exception is unlikely to apply.
Attention: The exceptions to the obligation to appoint a Swiss representative listed here only apply if all the processing operations of a data controller are covered. If even only one processing activity is extensive or not only occasionally, a Swiss representative must be appointed.
Controllers may designate natural persons as well as companies or other organisations that have their registered office in Switzerland as representatives in Switzerland.
The DPA does not require any verifiable professional qualification. However, from the experience of the now established EU representative under the GDPR, the following minimum requirements for Swiss representatives can be formulated:
- Very good knowledge of Swiss data protection law (Data Protection Act, Data Protection Ordinance (DPA), Ordinance on Data Protection Certifications (VDSZ)) and related regulations;
- Very good knowledge of the GDPR in order to be able to assess and, if necessary, explain data processing to the commissioning company;
- Very good knowledge of information and IT security as well as corresponding legal regulations,
- Practical experience in the implementation of legal requirements regarding personal data processing,
- Experience in dealing with supervisory authorities and affected data subjects.
In addition, it is advisable for a Swiss representative to be able to communicate with affected data subjects in the official languages of Switzerland (German, French, Italian and Romansh).
Art. 394 et seq. of the Swiss Code of Obligations (OR) (SR 220) sets out the requirements for the contractual relationship between the Swiss representative and the responsible party. Accordingly, the representative is obliged to act diligently and must have the personal and organisational capacity to perform the representative’s duties.
Art. 15 DPA regulates the tasks and duties of the representative in Switzerland. Accordingly, the primary task of the Swiss representative is to be the point of contact for data subjects and the Eidgenössische Datenschutz- und Öffentlichkeitsbeauftragten (EDÖB). In this context, the Swiss representative can make legally effective declarations and receive such declarations by proxy.
Swiss supervisory authorities can oblige the representative to provide all relevant information necessary to clarify data protection facts. If the Swiss representative does not cooperate sufficiently with the EDÖB, the latter can impose sanctions.
The Swiss representative must also maintain a register of all processing activities that occur in or in relation to persons in Switzerland (Art. 12 DPA). It is not prescribed whether the creation, maintenance and completion of the register must be ensured by the Swiss representative. However, this can be contractually transferred to the representative.
Even if a Swiss representative is designated, the responsible party remains liable according to the principles of the DPA and must accept responsibility for the conduct of its representative. The representation in Switzerland is not liable itself, at least externally.
If, on the other hand, the Swiss representative breaches his or her agreement with the data controller, they may be held liable vis-à-vis the data controller depending on the contract.
How to find and choose the best Swiss representative
Your representation in Switzerland is the first point of contact for both supervisory authorities and affected data subjects. That is why you should pay particular attention to legal professionalism and communication skills when choosing a representative in Switzerland. After all, the reputation of your company in one of the most lucrative markets in Europe is at stake.
Furthermore, it is advantageous if your Swiss representative has a comprehensive understanding of your data flows and processing activities. Demonstrable experience from different industries as well as in dealing with supervisory authorities and in court, if necessary, is strongly advised.
Our partner activeMind.ch offers companies the appointment of an expert as Swiss representative. Benefit now from many years of experience with Swiss data protection law and the GDPR all in one!
This article was first published in German by our partner activeMind AG.