Generally speaking, every employer processes a great deal of personal data in the course of its operations. When the revised Federal Act on Data Protection (nLPD, the revised FADP) enters into force on 1 September 2023, employers' obligations in this area will increase. In particular, employers will become responsible for training their employees in the handling of personal data.
Under art. 8 para. 1 nLPD, controllers and processors must ensure, by appropriate organizational and technical measures, a level of security of personal data that is adequate to the risk. The minimum requirements are specified by the Federal Council in the implementing ordinance (art. 8 para. 3 nLPD; arts. 1 ff. of the Data Protection Ordinance, OPDo).
Rather than prescribing concrete security measures, the law adopts a risk-based approach: the measures taken must be adequate to the risk actually incurred, assessed in the light of all the circumstances of the processing (in particular the purpose, the nature and volume of the data, and the likelihood and severity of harm to the persons concerned).
While neither the nLPD nor its ordinance expressly adopts the minimum requirements applicable under the GDPR, one of the aims of the revision was to harmonize Swiss law with European law so as to ensure the free and secure transfer of data between Swiss and European companies (FF 2017 6565). As a result, the minimum requirements laid down by the European regulations, and the decisions handed down in applying them, can serve as a guide to the minimum requirements that Swiss companies, employers and processors must meet.
In a decision dated 18 October 2021, the UK Information Commissioner's Office (ICO) sanctioned the charity HIV Scotland for failing to take adequate security measures, in breach of the principle of data security (Art. 32(1) and (2) and Art. 5(1)(f) GDPR). The inadequate measures had led to the disclosure of the e-mail addresses of identifiable persons likely to be HIV-positive or at risk of contracting the virus. The breach consisted of an employee sending a group e-mail to 105 recipients with the addresses in the carbon copy (Cc) field rather than the blind carbon copy (Bcc) field, so that every address was visible to every recipient.
The interest of this decision for the nLPD lies not in the penalty imposed by the authority, but in the measures which, in its view, the sanctioned organization should have adopted in order to protect the data of the persons concerned adequately.
According to the ICO, an organization such as HIV Scotland, which processes sensitive data, should have set up specific training for its staff covering data handling, the use of the IT tools involved and confidentiality. The authority added that merely referring staff to the confidentiality policy was not enough: real, specific training should have been put in place before employees actually processed personal data or, at the latest, within one month of their taking up their duties. From a practitioner's standpoint, training is a weak control against this particular failure mode on its own; it should be paired with a technical measure, such as a bulk-mailing tool that addresses each recipient individually or a mail-gateway rule that blocks outgoing messages with a large number of external addresses in the visible To/Cc fields.
Assuming that these requirements can be transposed to the new Swiss data protection law, which, according to the Federal Council's Message, appears to be the case, art. 8 nLPD and the implementing ordinance require the controller, and in particular the employer, to train its staff effectively in the handling of personal data and in confidentiality, to an extent determined by the concrete risk involved and the sensitivity of the data processed.
In employment law, art. 328 of the Swiss Code of Obligations (CO) imposes a dual obligation on the employer: to respect and to protect the employee's personality rights. Art. 328b CO provides that the employer may process data concerning the employee only insofar as the data relate to the employee's suitability for the job or are necessary for the performance of the employment contract, the Federal Act on Data Protection applying in all other respects.
Art. 328b CO thus establishes a presumption that such processing is lawful, but does not exempt the employer from complying with the provisions of the Data Protection Act (TF 4A_518/2020 of 25 August 2021).
Although the employer's duty of protection predates the entry into force of the nLPD, the new minimum security requirements will, in our view, entail a more extensive duty of training on the part of the employer from the date the new law enters into force. Failing this, employers risk incurring liability both towards persons harmed by non-compliant data processing and towards their own employees.
To meet its obligations under art. 8 nLPD, the employer must ensure that its employees are properly trained in the handling of personal data and in confidentiality. To this end, as with risks to employee health, the employer must in particular:
- identify risks ;
- inform employees of these risks;
- give adequate instructions on the security measures to be taken to avoid them; and
- ensure that these instructions are strictly complied with (WYLER R./HEIZER B., Droit du travail, p. 406).
In the event of a breach of the above, the employer faces two kinds of exposure. Criminally, the intentional failure to meet the minimum data security requirements is punishable, on complaint, by a fine of up to CHF 250,000 (art. 61 let. c nLPD); the fine is addressed in the first instance to the responsible natural person rather than to the company (art. 64 nLPD), and a merely negligent breach does not fall under art. 61. Civilly, whether the breach is intentional or negligent, the employer may be ordered to pay compensation, including for moral damages, to an aggrieved employee (TF 4A_518/2020 of 25 August 2021).
Furthermore, a dismissal motivated by the employee's violation of the internal security policy or of the nLPD could, in the absence of adequate training, instructions and follow-up, be regarded as an abusive dismissal (art. 336 CO), since the employer would be relying on its own breach of its obligations.
It follows from the foregoing that merely adopting internal regulations, which are often lengthy and unclear to the very people required to follow them, is no longer sufficient for companies today.
In conclusion, data protection law is becoming clearer and more important, and is now an undisputed component of personality rights, following the same path already taken in the field of health and safety at work and then in the fight against psychological and sexual harassment. In view of the forthcoming rules, we strongly recommend that all employers implement, at the very least, training in the handling of personal data and in confidentiality, accompanied by clear internal processes.
Kevin Guillet and Nina Aguiar