The Impact of the Revision of the Swiss Federal Act on Data Protection on Employment Law – The Most Important Questions and Answers


Your contacts

On 1 September 2023, the revised Swiss Federal Act on Data Protection (FADP) will enter into force. The FADP regulates various new obligations for companies with regard to data processing and also provides for stricter sanctions in the event of breaches of obligations. To what extent the revised FADP will also affect the handling of job applicants’ and employees’ data is explained below in the form of a brief overview (without claim to completeness).

 

1. Which changes in data protection law have an impact on employment law?

As of 1 September 2023, a formal duty to inform will be introduced for all data processing. Companies that process personal data must adequately inform the persons concerned about the acquisition and processing of the corresponding personal data (cf. Art. 19 FADP). This duty to inform includes the disclosure of the identity and contact details of the data controller (i.e., the employer), the purpose of the processing and the recipients or categories of recipients to whom personal data are disclosed. In addition, the revised FADP stipulates which duties to inform exist for companies in the case of cross-border data transfer and acquisition of personal data that is not obtained from the persons concerned/data subject.

Furthermore, from 1 September 2023, companies are obliged to keep a register of processing activities (cf. Art. 12 FADP). This register must record all of the company’s data processing activities, whereby precise information must be provided on the purpose of the processing, the categories of personal data processed, and the persons concerned, as well as the retention period for the personal data. Companies are exempted from the obligation to keep a corresponding register only if they employ fewer than 250 employees as of 1 January of the year in question and also neither “process personal data requiring special protection on a large scale” nor “carry out high-risk profiling” (cf. Art. 24 of the new Ordinance to the Federal Act on Data Protection, DPO). Whether the conditions for exemption from the obligation to keep a register of processing activities are met must be determined on a case-by-case basis through careful examination of the actual circumstances of the individual case.

The introduction of both, the formal duty to inform and the newly applicable duty to keep a register of processing activities mean that employers must firstly become aware of which personal data they process in connection with job advertisements and employment relationships, so that they can secondly fulfil their duty to inform the persons concerned to the extent determined by law.

2. How can these new data protection obligations be implemented in practice from an HR perspective?

Before a company can fulfil its legal duty to inform (former) employees and job applicants, it must firstly determine which personal data of employees and job applicants are processed and to what extent. This is done by creating a register of processing activities. Even if a company is not legally obliged to do so, it is still advisable to create such a register. In this case, the register can be limited, in the sense of a minimum scope, to the information that must be provided anyway in accordance with the formal duty to inform (Art. 19 FADP). Only if a company knows what personal data is being processed in the first place, it is able to provide information on the acquisition and processing of personal data to the extent determined by law.

If a company has already initiated a project to create a register of processing activities, it is advisable to also involve HR. In this case, HR must check to what extent personal data is being processed in connection with job advertisements and existing as well as former employment relationships. Subsequently, the corresponding data processing procedures must be recorded in the register of processing activities in accordance with the legal requirements.

Based on the register of processing activities, HR must then draw up a data privacy policy for employees in a second step, which fulfils the company’s formal duty to inform. With the data privacy policy for employees, the company informs employees (as well as job applicants, if applicable) about the following among other things, (i) what personal data is being processed and for what purpose, (ii) to whom personal data is disclosed and (iii) to what extent personal data is also disclosed across borders (cross-border data transfer). When drawing up the data privacy policy for employees, it must be determined whether there is an exemption from the duty to inform pursuant to Art. 20 FADP for specific data processing or information (e.g., if the data processing is required by law). However, according to the will of the legislator, exceptions are to be handled restrictively, i.e., in case of doubt, information is to be provided.

In respect to job applicants, it regularly makes sense to integrate the duty to inform directly into the company’s general data privacy policy. Depending on the specific implementation, it may no longer be necessary to inform job applicants in the data privacy policy for employees, as this is done directly through the general data privacy policy, e.g., on the company’s website.

3. What form does the data privacy policy for employees need to take and what should HR pay attention to?

For reasons of evidence, the data privacy policy for employees should be in writing and made accessible to the employees before any data processing is to take place. Making it accessible means that the company must ensure that the persons concerned have the opportunity to take note of the corresponding data privacy policy. It is therefore not necessary for the persons concerned by the data processing to actually take note of the data privacy policy for employees.

Since the individual scope of the company’s formal duty to inform can always change, it is advisable to issue the data privacy policy for employees in a separate document and thus detached from the employment agreements. In this way, the company ensures the greatest possible flexibility with regard to the content of the data privacy policy for employees and can, if necessary, unilaterally amend it at any time. Of course, this also requires HR to constantly and repeatedly review to what extent data processing with regard to employees (and job applicants, if applicable) has changed within the company, so that the actual circumstances can also be reflected in the data privacy policy for employees.

4. What should be considered with regard to existing employment agreements and regulations due to the revised FADP?

In existing employment agreement templates, personnel regulations and employer instructions, companies should check whether the data protection provisions contained therein are compliant with the revised FADP or whether the aforementioned documents may need to be amended.

 


Share post



most read


Highlights

MLL Legal

MLL Legal is one of the leading law firms in Switzerland with offices in Zurich, Geneva, Zug, Lausanne, London and Madrid. We advise our clients in all areas of business law and stand out in particular for our first-class industry expertise in technical-innovative specialist areas, but also in regulated industries.

MLL Meyerlustenberger Lachenal Froriep

Newsletter

Much is still unclear in relation to liability questions around AI tools.

Read our latest post about “Liability during the Lifecycle of an AI Tool” and download our white paper.

Show article.

Our Story

MLL Legal is a leading Swiss law firm with a history that dates back to 1885. The firm has grown both organically and by means of strategic mergers, the latest of which took place on 1st July 2021 between Meyerlustenberger Lachenal and FRORIEP.

The merger establishes MLL Legal, a combined new entity as one of the largest commercial law firms in Switzerland with 150 lawyers in four offices in Switzerland and two offices abroad, in London and Madrid serving clients seeking Swiss law advice.

Our firm has a strong international profile and brings together recognised leadership and expertise in all areas of law affecting commerce today, with a focus on high-tech, innovative and regulated sectors. 

About us

Publications

Click here for our latest publications

COVID-19

Read all our legal updates on the impact of COVID-19 for businesses.

COVID-19 Information

Job openings

Looking for a new challenge?

Our talented and ambitious teams are motivated by a common vision to succeed. We value open and straightforward communication accross all levels of the organisation in a supportive working environment.

Job openings

Firm News

Click here for our latest firm news.

Our Team

The regulatory and technological landscape continually require businesses to adapt and evolve.
Our 150+ lawyers are continuously innovating and striving for improvement in everything they do. We embrace new ideas and technologies, combining our wealth of expertise with creative thinking and diligence. With our hands-on approach, we implement viable solutions for the most complex legal challenges.

Our Team.

LexCast – the podcast series by MLL NexGen

Smart legal education on the go. The LexCast hosted by MLL NexGen provides legal insights in a short format that allows listeners to educate themselves on and about legal issues wherever they are and whenever they find the time.

Listen to our podcast series – stay tuned.

MLL Legal on Social Media

Follow us on LinkedIn.