Criminal Liability in Swiss Data Protection Compliance
- Law Astronaut
- Jul 3, 2023
The revised Swiss Data Protection Act (DPA), which comes into effect on September 1, 2023, has sparked a flurry of queries and concerns. Although the revised DPA is, on the whole, less stringent and formalistic than its European counterpart, the General Data Protection Regulation (GDPR), it differs from the GDPR in one significant respect: the DPA provides for personal criminal liability, with fines imposed on the responsible natural persons, whereas the GDPR primarily imposes administrative fines on the organization.
This shift has brought the roles of the Data Protection Compliance Officer (DPCO) and the Data Activity Owner (DAO) into sharper focus. A clear understanding of their respective functions, together with an awareness of how criminal liability can arise in data protection compliance, has become essential.
Decision-Making Power - How Less Can Be More
In the nuanced world of data protection, sometimes exercising restraint is the greatest display of power. Particularly when it comes to the role of the Data Protection Compliance Officer (DPCO), the decision-making power can be a double-edged sword.
Role of DPCO
In many organizations, the DPCO plays a pivotal role in guiding the company's data protection strategy. The key to filling this role safely lies in the deliberate allocation of decision-making powers. When the DPCO is engaged in compliance-related activities such as drafting a privacy notice or responding to a data subject access request, some degree of decision-making is unavoidable. Beyond that, the DPCO should act in an advisory capacity and refrain from taking conclusive decisions on data processing.
Challenging decisions, such as engaging a service provider in a country lacking adequate data protection standards or addressing a complex data subject access request, should be left to the Data Activity Owner (DAO) or management. The DPCO should primarily function as an advisor, clearly expressing their professional opinion but leaving the ultimate decision to others.
Avoidance of Decision-Making Authority Over Data Processing
A critical aspect of mitigating the DPCO's risk of criminal liability lies in not holding decision-making authority over data processing activities. While the DPCO often has an obligation to report non-compliance to management or the board, they should neither accept nor be given the right to issue binding instructions concerning the processing activities in question or to intervene directly in non-compliant conduct.
The reason is that a person who has both the authority and the duty to prevent unlawful conduct can be held liable for failing to do so. A DPCO vested with the power to halt non-compliant processing could therefore become liable by omission if they do not halt it when confronted with it. The DPCO can and should issue warnings and advise on the legal requirements, but the ultimate decision should rest with those who hold the decision-making power.
Practical Perspective
Practicing the principle of non-decision-making power involves a clear and concise delineation of roles and responsibilities. This can be achieved through the internal data protection policy and the job description of the DPCO.
It is common, however, for organizations to overlook this point when drafting the policy, or for DPCOs themselves to seek authority over data processing or to give binding instructions. A DPCO should not have such authority, nor should they assume it de facto by making the decisions in practice. Their primary role is to report findings to the DAO and to management, which aligns with their function as a second line of defense. This approach not only ensures clear role definition but also shields the DPCO from potential criminal liability.
Adopting Robust Reporting Mechanisms - An Antidote to Complacency
In our evolving data-rich business landscape, an organization's ability to maintain a robust reporting mechanism is pivotal. Management, especially, needs to adopt an active supervisory role rather than a passive bystander's stance regarding data protection compliance.
The Imperative of Supervisory Oversight by Management
Management holds the reins to guide the organization's compliance journey. Often, the difference between strict adherence to data protection regulations and lax compliance lies in management's hands. The cornerstone of their approach should be thorough supervision, a facet that transcends simply issuing instructions to subordinates to ensure compliance.
Common Pitfalls in Delegating Responsibility for Data Protection Compliance
One of the primary misconceptions in delegating responsibility for data protection compliance concerns the role of the Data Protection Officer (DPO, the role referred to above as the DPCO). While it is essential to have a DPO to oversee data protection compliance, management often mistakenly assigns ultimate responsibility for compliance to this role. In reality, the DPO is responsible for executing the compliance function, not for the outcome of the processing or for its strategic direction. A clear demarcation between who is responsible for a task and who is accountable for its outcome, in the sense of a RACI matrix, is vital for smooth operations.
Institutionalizing Accountability in Data Processing Activities
Accountability for data processing activities often resides with the Data Activity Owner (DAO). The internal data protection policy of an organization should define who is accountable for ensuring compliance with data processing principles and other legal requirements. This accountability should ideally lie with an individual for each distinct data processing activity.
Busting the Myth of "Fire and Forget": A Proactive Approach to Data Protection
Management often approaches data protection compliance as a one-off task, adopting a "fire and forget" mentality. This strategy can lead to a lack of oversight, making it harder to identify and correct non-compliance issues. Management should, therefore, implement ongoing oversight and feedback mechanisms to track how their instructions are being followed.
Choosing the Right Personnel, Providing Clear Instructions, and Monitoring Compliance Diligently
Management's responsibilities in ensuring data protection compliance can be distilled into three duties: selection, instruction, and supervision. Management must choose competent individuals to ensure compliance, provide them with clear instructions and the necessary resources, and, most importantly, diligently monitor whether those instructions are followed. A failure in any of these three duties can itself expose management to legal consequences.
Reporting on Data Protection Compliance
Periodic reporting on data protection compliance is crucial for management to stay informed about the organization's compliance status. Regular reports provide a mechanism for management to respond promptly to non-compliance and ensure measures are taken to rectify the situation. By instituting this practice, management can maintain a broad understanding of the organization's data protection landscape, allowing for proactive intervention when necessary.
Ensuring No Non-Compliance Goes Unnoticed
Gray Areas of Responsibility for Non-Compliance
When it comes to data protection, the lines of responsibility can easily blur, creating gray areas in which non-compliance can arise without anyone owning it. The pivotal roles in the organization, such as the Data Protection Compliance Officer (DPCO) and the Data Activity Owner (DAO), must be clear on their respective responsibilities. An organization must ensure that these roles are well-defined, distinct, and designed to ensure compliance with data protection norms.
The DPCO should have a broad understanding of the company's data processing activities, while the DAO should take full responsibility for ensuring that each individual data processing operation complies with the regulatory framework. When these roles are clearly defined and actively managed, the chances of non-compliance slipping through the cracks are significantly reduced.
DISCLAIMER: The information provided is not legal, tax, or accounting advice and should not be used as such. It is for discussion purposes only. Seek guidance from your legal counsel and advisors on any matters. The views presented are those of the author and not any other individual or organization. Some parts of the text may be AI-generated. The information provided is for general educational purposes only and is not investment advice. The author of this material makes no guarantees or warranties about the accuracy or completeness of the information. A professional should review any action based on the information discussed. The author is not liable for any loss from acting on the information discussed.