The new, completely revised Data Protection Act (nDPA) and its implementing ordinances come into force on September 1, 2023, as decided by the Federal Council on August 31, 2022.
This legislation aims to strengthen individuals' privacy rights and imposes stricter obligations on companies and organizations that handle personal data.
Which data are concerned?
Data protected under the new Data Protection Act (DPA) is any information that relates to an identified or identifiable natural person. This covers a wide range of data, from the most obvious identifiers to subtler technical components. The following are some examples of the types of personal data that must be protected:
- Personal Identification Data: This includes first and last names, physical addresses, e-mail addresses, telephone numbers, AHV numbers, personal identity card numbers, etc.
- Financial Data: Information related to a person's finances, such as bank account numbers, credit card information, account statements, tax information, must be protected.
- Location Data: Information concerning a person's location in real time or history, such as smartphone geolocation data, must be handled with care.
- Health Data: Physical or mental health data, such as medical records, prescriptions and treatment information, are highly sensitive and require reinforced protection.
- Sensitive Personal Data: Information on racial or ethnic origin, religious or political views, health, sexual orientation and similar matters is classed as sensitive personal data by the nDPA and requires specific protection due to its sensitivity.
- Online Data: Information collected online, such as IP addresses, cookies, browsing data, social media profiles, are also part of the personal data that should be protected.
- Behavioral Data: Data related to online or offline behavior, such as buying habits, browsing preferences, activities on social networks, must be protected.
- Biometric Data: Biometric characteristics, such as fingerprints, retinal scans and voiceprints, are also part of the personal data requiring protection, due to their unique and identifiable nature.
- Professional Data: Professional information, such as job title, employer, work background, is also considered personal data that should be protected.
- Communication Data: Information exchanged in private communications, such as e-mails, instant messages and phone calls, also constitutes personal data to be protected.
In a nutshell, any information that can be linked to an identifiable natural person must be considered personal data and be treated with great care under the new Data Protection Act (DPA). Protecting these data is crucial to preserving the privacy and rights of individuals in a fast-changing digital world.
Highlights of the new DPA
- Definition of Personal Data: Under the nDPA, personal data is any information relating to an identified or identifiable natural person; data of legal entities is no longer covered. Online identifiers such as IP addresses, cookies and device identifiers fall within this definition whenever they can be linked to a person.
- Enhanced consent requirements: Where a company relies on consent to justify processing, that consent must be given freely, for one or more specific processing operations, after adequate information, and unambiguously. The nDPA additionally requires express consent for processing sensitive personal data and for high-risk profiling. Consent is not the only lawful basis under Swiss law, but wherever it is relied on, this bar must be met.
- Greater rights for individuals: Individuals' rights regarding their personal data are reinforced. They have the right to access their data, to have it rectified or deleted, to object to its processing and, new under the nDPA, to receive it in a commonly used electronic format (data portability).
- Transparency: Organizations will be required to provide clear and comprehensible information on how they gather, handle and use personal data. Privacy policies will need to be more detailed and accessible.
- Enhanced accountability: Companies will need to be able to demonstrate their compliance with the nDPA. This may include keeping a register of processing activities (mandatory, with an exemption for companies with fewer than 250 employees whose processing carries low risk), carrying out data protection impact assessments where processing is likely to involve a high risk, and appointing a data protection advisor (voluntary for private companies).
Measures for Conformity
- Update privacy policies: Review and update your privacy policies to reflect new transparency regulations. Communicate clearly which data are collected, how they are used, who has access to them, and how individuals can exercise their rights.
- Obtaining consent: Review your methods for obtaining consent. Ensure that consent is given in an explicit, specific and informed manner. Put in place mechanisms to enable individuals to withdraw their consent at any time.
- Individual Rights Management: Put a process in place to handle individuals' requests for access, rectification, deletion and objection concerning their personal data. Ensure that these requests are answered within the statutory deadline (the nDPA sets 30 days for access requests).
- Data security: Reinforce the security of personal data by implementing appropriate technical and organizational measures. Encrypt sensitive data, ensure that systems are kept up to date, and implement access and monitoring controls.
- Data Protection Officer (DPO, called "data protection advisor" in the nDPA): The nDPA does not oblige private companies to appoint one, but doing so is recommended where processing is extensive or sensitive. The advisor supervises compliance and acts as the point of contact for data protection issues, and a controller that has appointed one may forego consulting the FDPIC after a high-risk impact assessment.
- Staff training: Educate and train your staff in new data protection rules and practices. Make sure they understand the importance of compliance and security best practices.
- Contracts with Third Parties: If you use outsourcers to process personal data, check that your contracts include the clauses the DPA requires, such as processing only on your instructions, adequate security measures and your prior authorization for any sub-processors, so that these outsourcers also respect the obligations of the DPA.
- Informed Consent: In conformity with the nDPA, websites must obtain specific and informed consent from users before placing cookies on their devices. Users must be provided with explicit information about the intended purpose of the cookies and the types of information collected.
- Cookie Management Options: Websites must provide users with clear options for managing their cookie preferences. This may include the ability to choose the types of cookies they authorize, disable them or delete them.
- Cookie policies: Website privacy policies should be updated to include detailed information on the kinds of cookies used, their purpose, the data collected and the third parties involved. Users must be able to access this information conveniently.
- Cookie retention period: Websites must limit the period for which cookies are stored and explain to users the period for which their data will be kept. Cookies should not be kept longer than necessary.
- Third-party cookies: Cookies placed by third parties, such as advertisers or social media, also require explicit authorization. Websites must explain which third-party companies are involved and for which aim.
- Analytical cookies: Cookies used for analytical purposes to track user behavior must also be subject to consent. Users must be informed about the use of these cookies and how the data is processed.
- Revocable consent: Users must be able to withdraw their consent at any time. Websites must make this procedure as simple as the initial consent process.
- Children and Cookies: Children's data call for particular care. When cookies are used on websites aimed specifically at children, the consent of parents or guardians may be required.
In conclusion, Switzerland's new Data Protection Act reinforces the protection of personal data in the context of cookie management. Websites must obtain users' informed consent, provide transparency about which cookies are used, provide cookie management options and respect users' privacy preferences. These measures aim to ensure that users have greater control over their personal data and to ensure that their online privacy is respected.
Mediamix may help you
When you track and collect conversions on your website during an online campaign (Google Ads, Facebook, programmatic, TikTok, etc.), such as purchases, subscriptions or downloads, you are using cookies. To ensure that your cookie management complies with Switzerland's new Data Protection Act (DPA), specific measures are required, including the use of tools such as Google Tag Manager (GTM) and Consent Management Platforms (CMP).
- Cookie evaluation: Make an inventory of the cookies used on your website via GTM. Identify the types of cookies (essential, functional, analytical, advertising, etc.) and their purposes.
- Consent-aware tags: Manage every script that sets a cookie as a GTM tag, assign it to a consent category and configure the tag's consent settings (GTM's built-in and additional consent checks) so that it only fires when the matching consent signal is granted.
- Consent initialization: Fire the CMP from GTM's Consent Initialization trigger and set a default "denied" state before any other tag runs, so that tags load only once the user's consent is known.
- Customize Tags: Keep tags conditional on the user's category choices. For example, if a user refuses advertising cookies, the Google Ads and TikTok conversion tags must not load, while a tag gated on analytics consent may still fire if that category was accepted.
- CMP integration: Integrate a consent management platform on your website. This will allow users to give their specific consent for each type of cookie.
- Customize Options: Set up the CMP to offer different consent options based on cookie categories. For example, users could choose to accept functional cookies but refuse advertising cookies.
- Transparent Explanation: The CMP should provide clear and comprehensible information on the types of cookies, their aims and which third parties are involved. This can help users make informed decisions.
- Active Opt-in: Set the CMP so that cookies are only activated after the user has given active consent. Tick boxes should not be pre-ticked.
- Withdraw consent option: Make sure that CMP offers users the option of withdrawing their consent at any time and modifying their cookies preferences.
It is also necessary to store evidence of consent obtained via CMP, including date, time and user choices. This will help you demonstrate your compliance when necessary.
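As an added example (not Mediamix's code and not a GTM configuration export), the gating logic of the steps above, written in JavaScript in the form that GTM's Consent Mode consumes: a default "denied" state, a consent update derived from the CMP's choices, the list of tags allowed to load, withdrawal, and the evidence record. The category names, the tag inventory and the evidence-record format are assumptions for illustration; the gtag()/dataLayer shim and the consent signal names (ad_storage, analytics_storage, ...) are GTM's standard ones.

```javascript
// Added example (not Mediamix's code): a consent gate in the shape that GTM's
// Consent Mode expects. The CMP category names, the tag inventory and the
// evidence-record format below are assumptions for illustration; the gtag()
// shim and the consent signal names (ad_storage, analytics_storage, ...) are
// the standard ones used by GTM.

// Standard gtag bootstrap: every call is queued on the dataLayer for GTM.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// CMP categories mapped to the Consent Mode signals they control (assumed mapping).
// 'essential' is never gated, so it controls no signal.
const CATEGORY_SIGNALS = {
  essential:   [],
  functional:  ['functionality_storage', 'personalization_storage'],
  analytics:   ['analytics_storage'],
  advertising: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

// Constructed tag inventory (the output of the "cookie evaluation" step).
const TAGS = [
  { id: 'gtm-session',     category: 'essential' },
  { id: 'language-pref',   category: 'functional' },
  { id: 'ga4-config',      category: 'analytics' },
  { id: 'google-ads-conv', category: 'advertising' },
  { id: 'tiktok-pixel',    category: 'advertising' },
];

// Active opt-in: before any tag fires, every gated signal defaults to 'denied'.
// wait_for_update tells tags how long (ms) to wait for the CMP's answer.
function setDefaultConsent() {
  const defaults = {};
  for (const signals of Object.values(CATEGORY_SIGNALS)) {
    for (const signal of signals) defaults[signal] = 'denied';
  }
  defaults.wait_for_update = 500;
  gtag('consent', 'default', defaults);
  return defaults;
}

// Translate the CMP's per-category choices into a Consent Mode update.
// A category the user did not actively tick is 'denied': no pre-ticked boxes,
// no consent implied from silence.
function applyConsent(choices) {
  const update = {};
  for (const [category, signals] of Object.entries(CATEGORY_SIGNALS)) {
    for (const signal of signals) {
      update[signal] = choices[category] === true ? 'granted' : 'denied';
    }
  }
  gtag('consent', 'update', update);
  return update;
}

// Withdrawal is simply a new update with every gated category denied.
function withdrawConsent() {
  return applyConsent({});
}

// Which tags may load: essential tags always, all others only with consent.
function allowedTags(choices) {
  return TAGS
    .filter(tag => tag.category === 'essential' || choices[tag.category] === true)
    .map(tag => tag.id);
}

// Evidence record: what was chosen, when, and which policy version was shown.
// (Format is an assumption; persist it server-side or in a first-party cookie.)
function consentRecord(choices, policyVersion, now = new Date()) {
  const recorded = {};
  for (const category of Object.keys(CATEGORY_SIGNALS)) {
    recorded[category] = category === 'essential' || choices[category] === true;
  }
  return { timestamp: now.toISOString(), policyVersion, choices: recorded };
}

// Walk-through: defaults first, then a user who accepts analytics but refuses
// advertising, then withdrawal.
setDefaultConsent();
const userChoice = { analytics: true, advertising: false };
applyConsent(userChoice);
console.log('may load:', allowedTags(userChoice));            // gtm-session, ga4-config
console.log('evidence:', consentRecord(userChoice, 'cookie-policy-2023-09'));
withdrawConsent();
console.log('after withdrawal:', allowedTags({}));             // gtm-session
console.log('dataLayer entries:', dataLayer.length);           // 3
```

In a real deployment the `gtag('consent', 'default', ...)` call must run from the Consent Initialization trigger, ahead of every other tag; the CMP's banner then produces the `update` call, and each tag's consent checks in GTM decide whether it fires. The evidence record is what you produce when asked to demonstrate that a given conversion was tracked with consent.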
By implementing these measures, using tools such as Google Tag Manager and a Consent Management Platform, you will be able to manage your cookies in accordance with the new Swiss Data Protection Act. This will help build user trust in your personal data handling practices.
Please do not hesitate to contact us to ensure that your website and tracking plan are compliant with the nDPA. This will also be an opportunity to upgrade to Google Analytics 4 if you have not already done so!