Employees and Data Protection: Is a Signature Really Necessary?

Since September 1, 2023, the new Federal Data Protection Act (NLPD) has been in force in Switzerland. This legislation imposes new obligations on businesses regarding the processing of personal data. In particular, human resources (HR) departments must manage not only current personal data (names, employee numbers, financial information), but also sensitive data (criminal record extracts, medical certificates). The NLPD requires data subjects to be informed about the processing of their personal data, including within the framework of an employment contract.

NLPD requirements

The NLPD states that employees must be informed in a clear and transparent manner on several aspects:

• Responsibility: The information should specify who is responsible for processing the data and how that person can be contacted.
• Purposes of processing: The purposes of data processing must be clearly stated (management of personal files, training planning, etc.).
• Transmission to third parties: If data is shared with third parties, this should be mentioned (for example, with payroll service providers or insurers).
• International transfer: If data is transferred abroad, the destination state and legal data protection guarantees must be disclosed.

Information modalities

The law and its implementing ordinance (OPdO) specify that information must be accurate, transparent, understandable and easily accessible. This means that the information should be written in simple language and tailored to the recipients. In practice, this can be done via a data protection declaration made available to employees, for example on the company's intranet, by email, or in the welcome package.

The Need for Signature

Contrary to an employment contract or personnel regulations, the data protection declaration is unilateral information. Therefore, it does not require the signature of employees. The idea that the declaration needs to be signed is a myth. The main thing is that employees have access to this information and be able to get acquainted with it.

Practical recommendations

It is recommended to provide complete and transparent information, even for data processing provided for by law. This increases transparency for employees and shows that the company complies with best practices in terms of data protection.

Conclusion

In summary, although the NLPD imposes an obligation to inform employees about the processing of their personal data, it does not require this information to be signed by employees. The important thing is that the information is accessible and understandable, thus ensuring transparency and legal compliance.

The Key Points

• Obligation to inform: The NLPD imposes an obligation to inform with minimal content.
• Accessibility: The data protection declaration should be easily accessible to employees.
• Signature not required: The data protection declaration is one-sided information and does not require a signature.

By following these guidelines, companies can ensure compliant and transparent management of their employees' personal data, while complying with the legal requirements of the NLPD.