Switzerland: New Data Protection Law passed parliament

Next step, is waiting if there will be a referendum. (100 day period)
The FDPIC will make detailled statements on the new law once the referendum period has passed.

There is a good write-up in German by Noémi Ziegler at
https://datenrecht.ch/die-dsg-revision-ist-abgeschlossen/

David Rosenthal (VISCHER) has a summary at
https://www.vischer.com/know-how/blog/neues-datenschutzgesetz-das-muessen-sie-wissen-38752/

Final text (in parliament) is here:
https://www.parlament.ch/centers/eparl/curia/2017/20170059/Schluzssabstimmungstext%203%20NS%20D.pdf

The VUD published an overview here:
http://www.vud.ch/view/data/2124/vud_rohstoff_revidiertes_dsg.pdf

CNIL guidance on data deletion and retention

In July 2020, the CNIL (DPA for France) published guidelines on data retention (Guide pratique – Les durées de conservation). https://www.cnil.fr/sites/default/files/atoms/files/guide_durees_de_conservation.pdf

These reflect early CNIL recommendations from 11-Oct-2005 on the archiving of personal data.
They aim to provide practical help to define the data retention rules and periods.
Similar to DIN-66398 (German industry standard on data retention/deletion) they don’t include guidance on specific data categories. https://din-66398.de/

However, CNIL does define data retention periods in separate dcouments (“Référentiel”). Up to now, two such Référentiels have been published for the health sector:

EU commission response on contractual form of data processing agreements

“The GDPR further provides that such contract or legal act shall be in writing, including in electronic form. [..] In principle, automated contract processes are lawful. It is not necessary to append an electronic signature to contracts for them to have legal effects. E-signatures are one of several means to prove their conclusion and terms.[..]”

Full text:
http://www.europarl.europa.eu/sides/getAllAnswers.do?reference=E-2018-003163&language=EN

Belgium: new Belgian Data Protection Act (September 5, 2018)

The new Belgian Data Protection Act
http://www.ejustice.just.fgov.be/eli/wet/2018/07/30/2018040581/staatsblad

Sidley has an article on it here:
https://datamatters.sidley.com/new-belgian-data-protection-act-takes-effect/

“Genetic, Biometric and Health-Related Data Processing

Additional organizational and security measures must be put in place by data controllers and/or processors that process genetic, biometric or health-related data. On the basis of the Belgian Act, they must designate specific personnel authorized to access such data, and identify their capacity in relation to the data processing. A list with this information should be compiled and kept at the disposal of the competent Supervisory Authority. In addition, they must ensure that these individuals are bound by confidentiality with regard to this data on the basis of either statutory or contractual requirements.”