GDPR vs Swiss DPA: Privacy Information Obligations

Authors: Sandra Ezri (Swiss DPA) and Klaudia Galué (GDPR)

Privacy notices, often referred to as privacy policies, are the means by which organizations inform individuals about how their personal data is collected, processed and protected.

Both the General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (Swiss DPA) require organizations to provide clear and concise information about the processing of personal data, ensuring transparency and enabling individuals to make informed decisions about the use of their data.

This article compares the privacy notice requirements of the two laws: the GDPR and the Swiss DPA.

What are the (Content) Information Obligations under the GDPR?

Under the GDPR, the content of the privacy notice differs slightly depending on whether the personal data is collected directly from the individual or not.

When personal data is collected directly from the individual, the notice must contain the following:

  • Controller’s identity and contact details
  • Representative’s identity and contact details (where applicable)
  • Contact details of the data protection officer (where applicable)
  • Purposes of the processing
  • Legal basis for the processing
  • Legitimate interests pursued by the controller or a third party (where that is the legal basis)
  • Data recipients or categories of recipients
  • Data transfers to a third country or international organisation
  • Existence or absence of an adequacy decision
  • Reference to the appropriate or suitable safeguards and how to obtain a copy of them / where they have been made available
  • Storage period, or the criteria used to determine that period
  • Data subject rights: access, rectification, erasure, restriction, objection and data portability
  • Right to withdraw consent at any time (where processing is based on consent)
  • Right to lodge a complaint with a supervisory authority
  • Whether provision of data is a statutory or contractual requirement, whether it is obligatory to provide it, and the consequences of failure to provide it
  • Existence of automated decision-making, including profiling, with information about the logic involved and the significance and envisaged consequences of such processing for the data subject

When personal data is not collected directly from the individual, organizations must, in addition to the above (except the item on whether providing the data is a statutory or contractual requirement, which by its nature only applies to data collected from the individual), disclose the categories of personal data concerned, the source from which the personal data originate and, if applicable, whether it came from publicly accessible sources.

What are the (Content) Information Obligations under the Swiss DPA?

Although the requirements set out in the Swiss DPA are less detailed than under the GDPR, Swiss privacy notices generally look like GDPR privacy notices and contain similar information.

Legal requirements:

Data subjects must receive the information necessary to exercise their rights and to guarantee transparent processing. As a minimum, the notice must contain the following:

  • Controller’s identity and contact details
  • Purposes of the processing
  • The recipients or categories of recipients to which personal data is disclosed
  • If data is disclosed abroad, the state or the international body to which such data is disclosed, together with the appropriate or suitable safeguards (in the absence of an adequacy decision) or the applicable exceptions to the safeguards
  • The name and contact details of the controller’s representative (where applicable)
  • The contact details of the data protection officer / adviser (where applicable)

Similarly to the GDPR, when personal data is not collected directly from the individual, organizations must also disclose, in addition to the above, the categories of personal data processed.

Furthermore, although not strictly required in privacy notices, the following information must be made available for data subjects to exercise their rights (in particular the right of access) and is therefore usually included in privacy notices as well:

  • Storage period, or the criteria used to determine that period
  • Existence of automated decision-making and information about the logic involved in the decision
  • Available information on the source from which the personal data originate, if the data is not collected directly from the individual

Privacy notices’ content in practice:

The above sets out the legal minimum for privacy notices and for data subjects to exercise their rights. Below is what is commonly found in Swiss privacy notices, regardless of that minimum:

  • Controller’s identity and contact details
  • Contact details of the data protection officer (if any)
  • Representative’s identity and contact details (if any)
  • Purposes of the processing
  • Legal basis for the processing
  • Source of the data, if not collected directly from the individual
  • Categories of data collected and processed
  • Data protection principles
  • Storage period, or the criteria used to determine that period
  • Information on security measures
  • Data recipients or categories of recipients (including outsourcing to processors)
  • If data is disclosed abroad, the state or the international body to which such data is disclosed, together with the appropriate or suitable safeguards (in the absence of an adequacy decision) or the applicable exceptions to the safeguards
  • Data subject rights: access, rectification, erasure, restriction, objection, data portability and the right to lodge a complaint
  • Existence of automated decision-making and information about the logic involved in the decision
  • Publication, modifications and entry into force of the document

Information Obligations: Differences between the GDPR and the Swiss DPA

Although the Swiss DPA sets out a shorter list of mandatory information for privacy notices, in practice Swiss privacy notices are very similar to EU privacy notices and contain about the same information.

The major differences to take into consideration are the following:

What the GDPR requires which is not required under the Swiss DPA:

  • The legal basis for the processing (it appears in the GDPR list above but not in the Swiss minimum)
  • A mention of the right of individuals to withdraw their consent at any time
  • A mention of whether the provision of personal data is a statutory or contractual requirement, whether it is obligatory to provide it, and the consequences of failure to provide such data
  • The means by which to obtain a copy of the safeguards in the absence of an adequacy decision when transfers are made abroad
  • The list of data subject rights, including the right to lodge a complaint with a supervisory authority (likewise in the GDPR list above but not in the Swiss minimum)

What the Swiss DPA requires which is not required under the GDPR:

  • The name of the state or international body to which personal data is disclosed abroad (the GDPR only requires the fact of the transfer and whether an adequacy decision exists)

GDPR: When do we have to provide the information?

Privacy notices must be presented to individuals at the time of data collection. This could be when they first interact with a website or mobile app, sign up for a service, or provide personal information through other means. The goal is to ensure that individuals are informed about data processing activities before their data is collected or processed.

When personal data is not obtained directly from individuals, the GDPR requires organizations to provide the privacy information within a reasonable period after obtaining the data, and no later than one month. However, if the organization plans to use the data to communicate with the individual, the information must be provided at the latest at the time of the first communication. Additionally, if the organization plans to disclose the collected personal data to another recipient, the notice must be provided at the latest when the data is first disclosed.

Swiss DPA: When do we have to provide the information?

Privacy notices must be presented to individuals at the time of data collection, as under the GDPR.

When personal data is not obtained directly from the individual, the Swiss DPA requires organizations to provide the privacy information at the latest one month after receiving the data. Similarly to the GDPR, if the controller discloses the personal data before the expiry of this deadline, it must inform the data subjects at the time of disclosure at the latest. The Swiss DPA is silent about the first communication with the data subject, but it would make sense, as under the GDPR, to provide the information to the data subject at the time of the first communication as well.

The Swiss DPA and the GDPR requirements are essentially the same.

GDPR: How to communicate the information?

While the GDPR does not dictate a specific format, it does emphasize the importance of clear and easily understandable language. The idea is to present information in a way that allows individuals to be informed about how their data is being used, even if they are not legal or technical experts. The GDPR requires that this information is provided in a concise, transparent, intelligible and easily accessible form.

In practice, organizations often present privacy notices in the form of written documents or web pages, using headings, bullet points and other formatting techniques to enhance readability. Some organizations also use layered approaches, providing concise summaries along with links to more detailed information for those who wish to delve deeper. This helps to ensure that the information is communicated effectively and in a manner that is accessible to the individuals whose data is being processed.

Swiss DPA: How to communicate the information?

The Swiss DPA does not require a specific format either. The information could be provided orally, but for obvious evidentiary reasons it is highly recommended to provide it in writing as a privacy notice. It is important to choose a simple form that guarantees transparency. The Swiss DPA requires that the information is provided in an appropriate manner, and the Swiss Data Protection Ordinance adds that it should be provided in a concise, transparent, comprehensible and easily accessible manner. The information should therefore be complete, easily accessible and adapted to the targeted audience.

The Swiss DPA and the GDPR requirements are the same.

GDPR: Exemptions to Information Duties

In certain circumstances, data controllers may be exempt from the obligation to provide privacy notices under the GDPR. When individuals already have the information through previous disclosures or alternative means, it is not necessary to provide them with a notice. Additionally, legal obligations, national security concerns and public safety considerations may justify exemptions, permitting controllers to withhold specific details. Instances involving preventive or occupational medicine, professional secrecy, or situations where providing information is impossible or involves disproportionate effort are also recognized as potential exemptions.

Swiss DPA: Exemptions to Information Duties

In similar circumstances, data controllers may be exempt from the obligation to provide privacy notices under the Swiss DPA.

There is no obligation to provide privacy notices when:

  • data subjects already have the information,
  • processing is provided for by law,
  • the data controller is a private person who is bound by a statutory duty of confidentiality, or
  • the limitation of the right to information in favour of the media applies.

In addition to the above, if the personal data is not collected directly from the individual, there is no duty to provide the information if it is impossible to provide or providing it would require disproportionate effort.

A data controller can also restrict, delay or dispense with the provision of the information if:

  • overriding interests of third parties so require,
  • providing the information would defeat the purpose of the processing,
  • the controller is a private person, its own overriding interests so require, and it does not disclose the personal data to third parties (legal entities that belong to the same group of companies are not considered third parties), or
  • the controller is a federal body and either overriding public interests so require, in particular the internal or external security of Switzerland, or providing the information may compromise an enquiry, an investigation or administrative or judicial proceedings.

The exemptions under the GDPR and the Swiss DPA are very similar, but subtle differences can be noted.

The GDPR specifically provides an exemption in situations involving preventive or occupational medicine.

The Swiss DPA offers exemptions i) when the limitation of the right to information in favour of the media applies, ii) for overriding third-party interests or a private controller’s own overriding interests, and iii) in the case of federal bodies, if the information may compromise an enquiry, an investigation or administrative or judicial proceedings.

Under the Swiss DPA, the exemption for impossibility or disproportionate effort applies only when the data is not collected from the data subject. The GDPR confines this exemption in the same way (it appears only in the provisions on data not obtained from the data subject), so on this point the two laws align.

GDPR vs Swiss DPA: Summing up

Whilst the Swiss DPA is less detailed and sets fewer requirements regarding the content of privacy notices, in practice privacy notices are very similar under the GDPR and the Swiss DPA.

The timing and the means of providing privacy notices under the GDPR and the Swiss DPA are the same.

Finally, the exemptions releasing a data controller from providing privacy notices are very similar under the GDPR and the Swiss DPA, but on closer inspection some differences exist, which are worth analyzing in detail when an entity wants to rely on an exemption.

About the Authors

Klaudia Galué

As an independent Consultant and Data Protection Officer, Klaudia Galué helps companies navigate European data protection compliance by providing individual guidance and the required documents. She specializes in organizations operating internationally, as well as in the health tech and life sciences industries.

Klaudia is a Certified Information Privacy Professional (CIPP/E), an ISO 27001 information security management auditor, and listed as an External Expert to the European Data Protection Board. She has an LL.M. degree in Law and Technology from the Netherlands. She is based in Germany.

Sandra Ezri

As an independent Consultant and Data Protection Officer, Sandra Ezri assists companies with cross-border data protection laws across Switzerland, Europe and the United Kingdom. She works with companies active in various industry sectors, with a specialty in financial services entities, where she spent most of her legal career.

Sandra Ezri is a qualified UK solicitor and is admitted to the New York Bar. She has a law degree from Switzerland and is therefore knowledgeable in both civil law and common law systems.


Klaudia Galué

Independent Legal Consultant | Privacy, Data Protection, GDPR, AI Compliance

1 year

I’m a huge fan of the revised Data Protection Act so far. Can’t wait for our next article, let’s choose the topic tomorrow!
