The Swiss Data Protection Act – BSI puts new requirements into action
The revised Swiss Data Protection Act (DPA) will become effective in September 2023. Along with the Data Protection Regulation (DPR) adopted last fall, it seeks compatibility with the European General Data Protection Regulation (GDPR), thus maintaining the EU’s adequacy decision for Switzerland. To that end, Swiss companies may want to review their data protection measures. With its BSI Customer Suite, BSI offers a Customer Data Platform (CDP) solution that meets this challenge.
BSI’s software supports users in meeting the data protection requirements arising from the GDPR and the DPA. With the extensive record-keeping obligations that the new DPR requires for the processing of sensitive personal data and demands of federal bodies, Swiss data protection is striking out on its own.
Swiss health insurers – A need for action
Health insurers are considered federal organizations in the realm of the Health Insurance Act (KVG; Krankenversicherungsgesetz) and are treated as private data processors under the Insurance Contract Act (VVG; Versicherungsvertragsgesetz). Since health insurance companies typically offer insurance under both the KVG and the VVG, they do not benefit from the transitional period that federal organizations are granted. Rather, they must have implemented the legal requirements by the effective date of September 1, 2023. This narrow time frame is at odds with a regulation that leaves a great deal unanswered regarding its design, both in the definition of individual data processing activities in electronic data processing and in the scope of the record-keeping itself. Hence, there is little time left to take on a major challenge.
From regulation to implementation in the BSI Customer Suite
As a software company processing personal data, BSI had to find an all-inclusive yet practical solution. To this end, BSI has developed a comprehensive concept in which requirements under the DPR are analyzed, classified and put into context with the processing of personal data. This concept is the foundation of the requirements for the BSI Customer Suite’s CDP solution, which will become available by the middle of this year starting with Version 22.
The objective of accountability, which is to be achieved with the record-keeping requirement, has significantly contributed to defining the requirements: It must be possible to verify later whether personal data has been disclosed, changed, deleted or lost. Within the framework of data security, this topic is becoming increasingly important beyond Switzerland and is also being discussed at the EU level in the context of data protection.
Sandra Witte, a data protection expert at BSI, notes: “As a Swiss company, we inherently keep an eye on the Swiss data protection law and make sure our customers do have, with the BSI Customer Suite, a resource available to meet their data protection obligations – under the DPA as well as under the GDPR.”