GDPR, FADP and data privacy in Switzerland & Europe

An interview with Elisabeth Illiano-Demacon, DPO at Calyps

Jacky Casas
Alliance Data
5 min read · Sep 13, 2021


A lawyer by training, Elisabeth Illiano-Demacon recently completed her academic career in law (private law, human rights) with a diploma in digital law as a data protection officer. Throughout her career the human being has always been at the centre (protection of vulnerable persons, patients), and in that continuity she recalls that data protection is a fundamental right that is important to defend. It was therefore quite natural for her to move towards the position of Data Protection Officer (DPO) and to specialise in compliance with the GDPR in Europe and the FADP in Switzerland.

She currently advises public administrations in France as a shared DPO. In Switzerland, she is acting as DPO for the company CALYPS on the Saniia artificial intelligence project presented in this blog last year. These two contexts allow her to be familiar with data protection regulations both in Switzerland and in Europe.

Data privacy

The DPO is a new, cross-functional profession that works alongside IT and archiving specialists, with the aim of designing information systems that respect users’ rights. IT must be at the service of the citizen — and particularly the patient — and not the other way round!

Earlier I mentioned “GDPR” and “FADP”. These acronyms probably ring a bell. The first is the “General Data Protection Regulation” (GDPR), which has applied across the entire European Union (EU) since May 2018. The second is the “Federal Act on Data Protection” (FADP), the Swiss counterpart to the GDPR.


The GDPR is therefore a law that every professional organisation operating in Europe must follow: it applies as soon as clients or users residing in the EU provide personal data. The same applies to the FADP, which protects Swiss citizens.

The FADP was completely revised by Parliament in September 2020 in order to better align with the GDPR and to update the laws that apply to technologies, which are advancing more rapidly. “The law is chasing the technology”, as Elisabeth says.

The new law is expected to be implemented in the second half of 2022 in Switzerland, giving companies more than a year to make the transition. Although only moderately restrictive, this law could nevertheless become a competitive factor in coveted markets such as medical IT. In practice, two cases are possible:

  1. The software already exists: in this case, the existing solution will have to be adapted to comply with the new regulation, and this is rather resource-intensive. To begin with, it will be necessary to list all the data collected, establish whether the company really needs it (since collecting unnecessary data is forbidden!), keep user data up to date or conform to a maximum archiving period, be able to inform users about all the data the company has collected on them, and allow users to modify that data, download it if necessary, or request its deletion with proof.
  2. You are starting a new IT project: the project can then be designed from the ground up, taking the regulations and best practices into account during its development, such as a design built on the principle of Privacy by Design.

Is it necessary to have a DPO?

This is the question that companies will have to ask themselves. For a large company, there is no doubt that one is needed. However, for a small or medium-sized company, it is not necessarily easy to hire a new employee for this purpose. Here again, there are two solutions:

  • An employee of the company takes on the role of DPO, but still has to be trained. This poses a risk, as the person may face a conflict of interest: the interests of the company versus those of the users. Some lawyers have already specialised in this area.
  • Hire a shared DPO, who serves several organisations working in the same ecosystem, with some exceptions: public administrations, for example.

In 2021, DPOs have become commonplace in France, while the title of data protection officer is not yet widespread in French-speaking Switzerland, or Romandie.

A DPO should make a substantial contribution at the beginning of a project, but will be less essential later on to maintain it. In day-to-day management, only a few adjustments are necessary if everything is well planned at the beginning. A DPO will be in charge of answering some complex questions, such as:

  • How do we proceed when we outsource the processing of our customers’ data to a third party?
  • What if the third-party company is based nearshore? And offshore?
  • How do we continue the collaboration with a cloud hosting company outside of Switzerland?

To turn the problem around, compliance with regulations such as the GDPR and FADP allows us to think about data issues in advance and, ultimately, to simplify our lives. Before collecting data, it is worth asking why it is needed and how it will be used. This means completely rethinking data management and even reducing the volume of data collected. Let’s say you have a customer file with obsolete information: for example, some customers who have asked not to receive any more e-mails and who receive them anyway. This could lead to:

  • Wasting the time of both users and the company (to process the user’s opt-out request, or the deletion of their personal data with evidence, in the most extreme case).
  • Tarnishing the company’s reputation.
  • Using up unnecessary storage space.

Complying with the GDPR and FADP regulations also means being more professional and ecological!

Data is everyone’s business

An interesting example given by Elisabeth: the Swiss Post has set up a Bug Bounty programme, a scheme that financially rewards Internet users who find security flaws in its information systems.

However, there is still a paradox… if a system has been designed with the “Privacy by Design” approach, it should logically be free of flaws by design. But therein lies the difference between theory and practice. According to a study cited by Steve McConnell in his book Code Complete, software has between 1 and 25 bugs per 1,000 lines of code. (Ok ok, this study is dated and the error rate is lower nowadays.) The Swiss Post initiative represents a sound practice that works for the common good (the privacy of users and the reputation of this public organisation).

Want to know more?

Are you interested in GDPR/FADP and user data protection? Developing software and no clue about how to protect personal data? Do you work for an SME in French-speaking Switzerland and wonder what kind of surprise you may face?

I invite you to participate in our next afterwork “Our data facing uncertainty” organized by LaData at the Biopôle Lausanne on Thursday 23 September 2021! Simply register for the Meetup event, it’s free: https://www.meetup.com/LaData/events/279276635/
