Employee data protection

Reading time: 7 minutes

Best practices for pragmatic and functional compliance

On September 25, 2020, the Swiss Parliament passed the new Federal Act on Data Protection (nFADP), a complete revision of the 1992 Federal Act on Data Protection (FADP) that previously governed the processing of personal data.

The nFADP strengthens the protection of personal data by granting new rights to individuals in Switzerland. This legislative change comes with new obligations for companies, which must comply with them from September 1, 2023, the date on which the nFADP enters into force.

The nFADP is also intended to be aligned with its European Union counterpart, the GDPR, so as to facilitate exchanges, in particular of data, and to avoid a loss of competitiveness for Swiss companies.

Companies that have already brought themselves into compliance with the GDPR and are familiar with it will therefore have few changes to make.

For others, the main new features introduced by this act are:

  • the introduction of data protection advisors;
  • the duty to inform, which guarantees the transparency of processing and strengthens the rights of the data subject;
  • the right of access, which allows any person to ask the data controller whether personal data concerning them is being processed;
  • the definition of the role of the Federal Data Protection and Information Commissioner (FDPIC);
  • the penal provisions attached to breaches of the obligations introduced by the nFADP;
  • a supervisory activity that includes investigating violations of data protection rules and, where necessary, ordering administrative measures to enforce compliance with those rules;
  • the certification of systems, products and services, which promotes transparency in data processing.

Depending on its nature, company data can be distinguished as follows:

  • data covered by the duty of discretion inherent in the employment contract, as part of the duty of loyalty. The aim is to avoid harming the company by revealing information that is not shared among all employees. Such data is sometimes called “sensitive”, but that term should from now on be reserved for data the law defines as sensitive;
  • confidential data, such as certain contracts;
  • data covered by business secrecy, mainly manufacturing secrets, customer lists, intangible assets, preferential purchase prices, etc.;
  • personal data.

Personal data protection for the Human Resources function

As the Human Resources function is at the heart of relations between employees and the company, it is essential to comply with current legislation in order to guarantee respect for the privacy and rights of employees with regard to the processing of their personal data.

Most of the data collected and used by HR departments is personal data, and is therefore:

  • subject to no particular obligation (e.g. marital status, number of children), although it is customary not to circulate it, out of respect for employees’ privacy;
  • subject to discretion (e.g. management salaries, large bonuses, salary deductions);
  • sensitive (e.g. details of sick leave, union membership), as listed in the LIPAD law.

The human resources department should therefore pay particular attention to the following key points:

  • obtain employees’ explicit consent to collect and process their personal data, and be transparent with them about how it will be used;
  • protect “sensitive” data, such as medical data, religious beliefs or trade-union membership, which the law protects by its very nature;
  • guarantee employees’ right to access their personal data and to request its correction where necessary;
  • operate a secure data management system that prevents unauthorized access to, loss of or disclosure of employees’ personal data;
  • know and respect data retention periods.
Illustration 1

Action plan for rapid compliance - Best practices and pragmatism

1. Drawing up a data confidentiality matrix

Draw up a data confidentiality matrix that maps all data and assigns each item the degree of confidentiality it deserves. Beyond recording the decisions formally and durably, and thus ensuring the long-term viability of the company’s policy, this matrix has two co-benefits:

  • the approach, carried out jointly with the IT department, prompts questions about the current and target HRIS;
  • the communications that conclude this stage are an opportunity to raise awareness among all employees of the importance of data protection in general and of personal data in particular, and of the risks associated with privacy breaches.

2. Appointing a contact person

Designate a contact person for personnel data, preferably within human resources or the legal department, who is responsible for:

  • regulatory and legal monitoring;
  • acting as the main point of contact for employee queries;
  • liaising with the IT department, which is in the front line for all aspects of data security and protection, and with the purchasing department for obligations concerning subcontractors.

3. Documenting and mapping

  • Which tools and files use personal data?
  • What data is processed, and for what purpose?
  • Take the opportunity to document information flows, interfaces, e-mail exchanges and paper documents.
  • A summary of this documentation can be made available to managers and employees (duty to inform).

4. Verifying compliance

Verify compliance in terms of:

  • access control, i.e. protection of personnel data against unauthorized access, leaks and breaches;
  • contracts and certificates for third-party software;
  • access to this data by subcontractors and third parties (e.g. for software maintenance).

5. Conducting annual internal audits

Conduct annual internal audits to ensure that your data management practices comply with the applicable regulations.

Illustration 2 - Simplified privacy matrix

Columns, confidentiality degree:
  • Professional
  • Discretion
  • Privacy
  • Secret

Rows, data type:
  • Non personal
  • Personal – non sensitive: employees
  • Personal – non sensitive: other third parties (e.g. customers, contacts, prospects)
  • Personal – sensitive: employees
  • Personal – sensitive: other third parties (e.g. customers, contacts, prospects)

The body of the simplified matrix is blank; each company fills in, for every row, the degree that applies to its own data.
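As an added example, not code from the original article or from the customer project described below, the following Python snippet shows one way to turn such a matrix into a deny-by-default access check that steps 3 and 4 of the action plan can be verified against, together with the retention check from the HR key points. Every attribute name, role, retention period and named access list in it is a hypothetical placeholder, not a statutory value; a company substitutes its own matrix. Reads of personal data above the Professional degree are flagged for the audit trail, and an attribute the matrix does not know is refused rather than guessed, which is what makes the mapping step enforceable.

```python
"""Deny-by-default access and retention checks driven by a confidentiality matrix.

Added example, not code from the original article or the customer project.
The axes follow the simplified privacy matrix above; every attribute, role,
retention period and named access list below is a hypothetical placeholder.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Degree(Enum):
    """Confidentiality degree; a higher value is more restricted."""
    PROFESSIONAL = 1
    DISCRETION = 2
    PRIVACY = 3
    SECRET = 4


class Kind(Enum):
    """Data type axis of the matrix."""
    NON_PERSONAL = "non-personal"
    PERSONAL = "personal, non-sensitive"
    SENSITIVE = "personal, sensitive"


@dataclass(frozen=True)
class Entry:
    degree: Degree
    kind: Kind
    retention_days: int                    # placeholder, not a statutory period
    named_roles: frozenset = frozenset()   # explicit allow-list for SECRET / sensitive data


# Hypothetical matrix (the output of step 1). Attributes missing from it are
# unclassified and therefore unreadable until the mapping of step 3 adds them.
MATRIX = {
    "work_email":         Entry(Degree.PROFESSIONAL, Kind.PERSONAL, 365 * 10),
    "marital_status":     Entry(Degree.PRIVACY, Kind.PERSONAL, 365 * 10),
    "salary":             Entry(Degree.DISCRETION, Kind.PERSONAL, 365 * 10),
    "sick_leave_details": Entry(Degree.SECRET, Kind.SENSITIVE, 365 * 5,
                                frozenset({"hr_medical_officer"})),
    "union_membership":   Entry(Degree.SECRET, Kind.SENSITIVE, 365 * 5),
    "customer_list":      Entry(Degree.SECRET, Kind.NON_PERSONAL, 365 * 10,
                                frozenset({"sales_director"})),
}

# Highest degree each role may read; roles not listed here get nothing.
ROLE_CEILING = {
    "employee": Degree.PROFESSIONAL,
    "manager": Degree.DISCRETION,
    "hr": Degree.PRIVACY,
    "hr_medical_officer": Degree.SECRET,
    "sales_director": Degree.SECRET,
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    audit: bool = False   # True when the read must be written to the audit trail


def may_read(role: str, attribute: str, own_data: bool = False) -> Decision:
    """Decide whether `role` may read `attribute` of one employee's record.

    Check order: unclassified data is refused first; the data subject may
    always read their own personal data (right of access); then the role
    ceiling applies; finally, sensitive or SECRET data also requires the
    role to appear on that attribute's named access list.
    """
    entry = MATRIX.get(attribute)
    if entry is None:
        return Decision(False, "attribute not in the confidentiality matrix")
    if own_data and entry.kind is not Kind.NON_PERSONAL:
        return Decision(True, "data subject reading own personal data", audit=True)
    ceiling = ROLE_CEILING.get(role)
    if ceiling is None or entry.degree.value > ceiling.value:
        return Decision(False, f"role '{role}' is below degree {entry.degree.name}")
    if (entry.kind is Kind.SENSITIVE or entry.degree is Degree.SECRET) and (
        role not in entry.named_roles
    ):
        return Decision(False, "named access list required; role is not on it")
    # Personal data above the Professional degree leaves an audit record.
    audit = entry.kind is not Kind.NON_PERSONAL and entry.degree.value >= Degree.DISCRETION.value
    return Decision(True, "within role ceiling", audit=audit)


def retention_expired(attribute: str, collected_on: date, today: date) -> bool:
    """True once the matrix's retention period for `attribute` has elapsed."""
    return today > collected_on + timedelta(days=MATRIX[attribute].retention_days)


def find_unclassified(columns) -> list:
    """Columns of an HRIS export, interface or file that the matrix does not cover."""
    return sorted(c for c in set(columns) if c not in MATRIX)


if __name__ == "__main__":
    for role, attr in [("employee", "salary"), ("manager", "salary"),
                       ("hr", "sick_leave_details"),
                       ("hr_medical_officer", "sick_leave_details"), ("hr", "shoe_size")]:
        print(role, attr, may_read(role, attr))
    print(find_unclassified(["work_email", "shoe_size", "salary"]))
```

`find_unclassified` is the check to run over the column list of every HRIS export, interface or file inventoried in step 3: whatever it returns is data nobody has classified yet, and therefore data nobody can legitimately be granted access to until the matrix is updated.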

Employee data protection - Case study

Although employee data protection is a subject in its own right that requires real thought and structuring, HR departments rarely tackle it as a project in its own right; it is usually dealt with as part of an IT project.

One of our customers in the public sector took advantage of an ERP migration project (from SAP ECC to SAP S/4HANA) to initiate the digitization of personnel files.

This digitization project brought up all the questions surrounding personnel data protection, namely:

  • Which tools are involved, and what is the target application landscape? Where will the data be stored (cloud or on-premises)?
  • Which people and/or departments are authorized to consult and/or modify the documents?
  • What data will be transferred from the previous systems?
  • What are the service requirements?
  • What legislation applies to each type of document?
  • How long must data be kept, and what are the organization’s internal management rules?
  • How will employee consent be collected (e.g. via a checkbox during the recruitment process in the SuccessFactors application, or via a signed letter when the contract is signed)?

To answer these questions, we relied on an analysis of the HR processes. These processes were modeled in detail as part of the project, and the model recorded the following information:

  • Process details at transactional level
  • SAP functional object linked to the document
  • List of stored documents
  • Document trigger
  • Document generation tool
  • Workflow
  • Storage tool
  • Historical data transfer from ECC

The purpose of this process model was twofold:

  1. To validate the processes with the customer by listing all stored documents
  2. To validate the various interfaces involved in handling the documents

Once this work had been completed, we used the process data to derive the storage and access-authorization rules that fed the various matrices (confidentiality, access, migration strategy, etc.).

In this way, a large part of the personnel file was digitized, combining the ERP migration, the implementation of document management and compliance with the nFADP.

Acronyms
  • ERP: Enterprise Resource Planning
  • FADP: Federal Act on Data Protection
  • nFADP: new Federal Act on Data Protection
  • FDPIC: Federal Data Protection and Information Commissioner
  • GDPR: General Data Protection Regulation
  • HRIS: Human Resources Information System
Notes

In the public sector, there is also the notion of official secrecy, with its own definitions, obligations and operation.

For certain regulated professions (lawyers, doctors, etc.), there is also the notion of professional secrecy, with its own obligations and duties.

Author: Tomorrow, a strategy and management consulting firm
