Privacy Policy for Swiss Companies

The new data protection law has introduced extensive obligations for companies processing personal data. Failure to comply with these obligations may result in high fines. Below is a summary of the key documents that your company should have, as well as recommendations for business practices.

At a Glance

  • A detailed privacy policy provides transparent information about the use and security of personal data in accordance with legal provisions.
  • A comprehensive register of data processing activities assists in compliance with data protection laws and enables the identification of potential risks.
  • Appropriate technical and organizational measures, as well as clear internal organization, are crucial to ensure effective data protection.

What are the main measures that your company should implement?

The Privacy Policy

As soon as you process personal data, you are obliged under Article 19 of the Data Protection Act (FADP) to inform the affected individuals in a transparent and understandable manner about how their data is processed.

With the privacy policy, you inform the individuals affected by your processing activities.

The privacy policy must inform at least about the following points:

  • Identity and contact details of the company or organization (and in particular a responsible person who can also be contacted)
  • Nature, purpose of processing, and duration of storage of the collected personal data
  • Recipients when disclosing to third parties and purpose of disclosure
  • Guarantees for ensuring data protection when transferring data abroad
  • Rights of the individuals and how they can exercise them

If you collect data online, you must also explain these processing steps and disclose your use of cookies and similar technologies. If the privacy policy is addressed to third parties, it is usually published on the website.

Note on the Cookie Banner: A cookie banner is not necessary for Swiss websites, provided they target visitors from Switzerland. It is sufficient to explain in the privacy policy which cookies are used and how visitors can object to this processing.

Since employee data is inevitably also collected in the company, employees must likewise be informed about the data processing in an appropriate manner. Usually, an internal privacy policy is created for this purpose and referred to in the employment contract or in the personnel regulations.

Data Processing Register

According to Article 12 FADP, companies that meet certain requirements must keep a register in which all processing activities related to personal data of the company are recorded. The register generally only needs to be kept if a company employs more than 250 employees or if data processing poses a high risk of infringement of the privacy of the affected individuals (e.g., because particularly sensitive personal data are processed on a large scale or profiling is used).

Even if your company does not meet these requirements and is not obliged to create a register, it may be worthwhile to do so. During the creation, you can check when you actually process data, for what purpose you process it, how long you keep it, or to whom you pass on this data. You should also examine what measures you have taken to ensure the protection of this data. This way, you can directly take stock of your processing activities and assess whether there is a need for action in your company.

Data Protection Impact Assessment

According to Article 22 FADP, a data protection impact assessment (DPIA) is intended to assess the potential effects of planned data processing on the privacy and rights of the individuals concerned. This is intended to ensure that risky data processing is identified, and appropriate measures can be taken and documented.

Conducting a DPIA is specifically required when data processing could pose a significant risk to the privacy or fundamental rights of a person. This risk can arise from various factors such as the use of new technologies, the scope of data processing, and the purpose of data processing. Such a risk exists, for example, with extensive processing of particularly sensitive personal data and systematic monitoring of large public areas.

An example of this could be the use of data analysis algorithms to monitor the behavior of users on social media and draw conclusions from it. This can have implications for the privacy and freedom of the affected individuals.

Technical and Organizational Measures

Appropriate technical and organizational measures ensure that personal data are adequately protected in proportion to the risk; this is mandatory and enshrined in Article 8 of the FADP. All processing activities must be evaluated, and it must be assessed whether the data are adequately protected at each step. The higher the risk, the more comprehensive the protective measures must be.

The measures taken should be regularly reviewed and, if necessary, adjusted. In general, it is advisable to carefully document all activities for risk mitigation to be able to demonstrate the company's duty of care in case of emergency.

Internal Organization

The responsibility for compliance with data protection lies with the management. By means of organizational measures, it must ensure that all departments and employees comply with the applicable data protection laws. To this end, as a company, you must consider whether to appoint a data protection advisor and how to ensure implementation in the individual departments and among the employees themselves.


Data Protection Advisor

According to Article 10 FADP, a data protection advisor can be appointed. If you have a data protection advisor, he or she is an independent consultant and the central point of contact in the company for all matters and questions concerning data protection. In this function, he or she develops data protection guidelines and is responsible for their communication, monitoring, and compliance. The data protection advisor acts, decides, and recommends independently and autonomously.


Responsible Persons in Sub-areas

When a company reaches a certain size, it becomes difficult to keep track of all business processes. Department heads often take on the role of the first point of contact for employees for information and questions regarding data protection, as well as monitoring business processes in their department.


Employees

To ensure that all employees comply with data protection obligations, various measures can be taken to train them accordingly. The way in which employees are adequately informed is up to you and also depends on the organization and size of the company (e.g., on-site training or e-learning).

The following documents or guidelines are considered useful in this context:

  • Internal data protection regulations: In internal data protection regulations, the essential information, guidelines, and processes can be recorded. This document can also contain practical advice on specific business cases in the company, new tools, or other important documents on data protection and serve as a reference for employees.
  • Internal guide with key explanations: Not all employees are data protection experts, and many have little contact with the law. Information about data protection should therefore be conveyed in a simple and understandable way, for example with an internal guide that explains the key points clearly.
  • Confidentiality agreement: If employees have access to personal data, the company must ensure that this data is treated confidentially. This is particularly true when, for example, data is processed that is subject to professional secrecy. It is therefore advisable to conclude a confidentiality agreement with the employees.

Even once employees are well informed about and sensitized to data protection in the company, there is another important point that companies must consider regarding their employees:

  • Internal data protection declaration: Employees must be informed about which data about them is processed in the company. As a company, you must therefore also create an internal data protection declaration for the employees, informing them why and how their data is processed and what rights they have regarding this processing.

Agreements for Order Processing

According to Article 9 FADP, data processing can be delegated to a data processor. Specifically, a controller may transfer the processing of personal data to a data processor, by means of an order processing agreement or by law, only if the data is processed solely in the way permitted to the controller. In this case, the controller remains accountable for data protection and must therefore ensure that the data processor can guarantee data security.

Additionally, personal data may only be processed in countries that provide a level of data protection equivalent to Swiss standards. The annex to the FADP contains a list of states with an adequate level of data protection, which is continuously updated by the FDPIC (Federal Data Protection and Information Commissioner). If a country does not guarantee adequate data protection, Swiss data protection standards apply.

Request for Information

According to Article 25 FADP, every individual has the right to request information from the data controller about whether personal data concerning them is being processed. If personal data is being processed, the individual must be informed of:

  1. what data is being processed about them
  2. the purpose of the processing
  3. how long the data will be stored
  4. where the data originated from
  5. whether it involves automated individual decision-making
  6. whether the data has been or will be disclosed to third parties

The information must be provided within 30 days. Therefore, it is essential to always have an overview of the processing processes in the company. While an information request form is not mandatory, it can ensure a standardized, legally compliant, and prompt processing of the request.

How can it be ensured that all measures are implemented?

It is advisable to designate a clear position within the company that is responsible for implementing the applicable data protection measures and maintaining oversight. If the company lacks expertise or resources, an external entity can also be appointed to address these concerns. If you are seeking legal advice on data protection matters, GetYourLawyer can assist you in finding a suitable lawyer.

With GetYourLawyer, you're choosing quality.

Receive offers with fixed prices or those with transparent cost ceilings. This way, you maintain cost control at all times. Thanks to our efficiency in legal packages, you can also save up to 30% on average.

  • Flat Fee for Companies: Legal Service by Subscription, from CHF 139 / Month
  • Start-Up Package: Start, CHF 2'690.-
  • Data Protection: Compliance, CHF 2'500.-

FAQ: Data Protection in Business

A Record of Processing Activities is a list documenting all data processing activities of a company or organization, including details such as the purpose of data processing, categories of affected individuals, retention periods, and recipients of the data.

A Data Protection Impact Assessment evaluates the potential impacts of planned data processing activities on the privacy and rights of affected individuals. The aim is to identify risky data processing activities and take appropriate measures to mitigate these risks and ensure data protection.

A Data Protection Impact Assessment must be conducted when data processing could pose a significant risk to the privacy or fundamental rights of an individual.

Technical and organizational measures are precautions taken to adequately protect personal data. These include both technical safeguards such as encryption and access controls, as well as organizational measures such as data protection policies and regular training.

There is no legal obligation in Switzerland to appoint a Data Protection Advisor. However, for companies, this could be a sensible measure to support compliance with data protection laws.

A Data Processing Agreement (DPA) is a contract that governs the relationship between a data controller and a data processor. It specifies in detail how personal data may be processed and what security measures are required.

With a Subject Access Request, an individual has the right to obtain information from the data controller regarding whether data about them is being processed, as well as further details of the processing such as purpose, duration of storage, and recipients of the data.

Articles of Law


Data security (Art. 8 FADP)

Processing by processors (Art. 9 FADP)

Data protection officer (Art. 10 FADP)

Register of processing activities (Art. 12 FADP)

Information obligations (Art. 19 et seq. FADP)

Data protection impact assessment (Art. 22 FADP)

Right to information (Art. 25 FADP)