Annonce des violations de la sécurité des données: une nouvelle obligation de la nLPD

The data security principle (art. 8 of the revised Federal Act on Data Protection (rFADP) requires that the controller and when applicable the processor take all the necessary measures to maintain a sufficient level of security when processing personal data, including to prevent any data breach. Nevertheless, data breaches can occur and when so, the controller shall react quickly in order to regain control of the situation. Among the changes brought by the total revision of the FADP, there is a new obligation to notify data breaches, laid down in art. 24 rFADP. In case of a data breach and if the severity threshold has been reached, it shall inform the Federal Data Protection and Information Commissioner (FDPIC) and, under circumstances, the data subjects too. Art. 24 rFADP also provides an obligation for the processor to notify any data breaches to the controller, in order for him to fulfill his obligations. It remains, however, to be seen how this obligation, which can lead to…