Switzerland has an updated data protection law that will come into force in 2022 or in early 2023. Its existing Data Protection Act (DPA) has many similarities with the GDPR, which made the European Commission reach an adequacy decision for Switzerland. However, it still needed some improvements to ensure that the law affords greater protection to the personal data of Swiss citizens.
The new Swiss privacy law introduces new provisions on consent, processing records, data breaches, data protection impact assessment, among others.
The law was passed on 25 September 2020 by the Swiss Parliament. Before it can come into force, the Swiss legislative bodies need to amend the ordinances that implement the law. The ordinances will contain more detailed guidelines on the implementation of the provisions and will set the exact date on which the law takes effect. Until then, businesses should prepare for the new Swiss Federal Data Protection Act (FADP) requirements.
The Swiss FADP applies to all businesses that:
Aside from businesses, the Switzerland data protection law also applies to individuals who process personal data, as long as they are from Switzerland or process data of persons in Switzerland.
The FADP differs from the existing Data Protection Act because it does not protect the legal entities’ data. It sticks to the protection of individuals’ personal data which aligns with the GDPR.
The data of legal entities can be protected under the Swiss Civil Code but not under the new FADP.
The new FADP has new requirements. The most important of them include:
Until now, Swiss consent requirements, including those for cookies, have been less strict than those prescribed in the GDPR. While the GDPR requires specific consent for each specific processing purpose, the DPA allowed the data controller to bundle all processing purposes into one single consent request. That has changed: data controllers will have to obtain specific consent for one or more specific processing purposes. Otherwise, the processing is not valid.
The new FADP expands the list of categories of sensitive personal data prescribed by the previous law. The new law adds genetic and biometric personal data to the list.
If the data controller makes an automated decision about a person by processing their personal data, that person can object to such processing and ask for a manual check.
Persons already have such a right under the GDPR. This update grants the same right to Swiss citizens as well as to all other persons whose data is processed in that way by Swiss companies.
Data controllers with more than 250 employees have to maintain records of their processing activities. Data controllers are held accountable under the law and have to be able to prove at any time that they process data in accordance with the law.
Records of data processing are essential for accountability. However, small and medium-sized companies are exempt from this requirement.
International data transfers are allowed to countries with an adequate level of protection. The Federal Data Protection and Information Commissioner (FDPIC) has published the list of adequate countries.
The data controller can transfer data to those countries without obtaining approval from anyone or asking for additional consent from the user.
For transfers to other third countries, the data controller needs to rely on additional legal tools, such as the user’s consent, Standard Contractual Clauses, and others.
Similar to the GDPR, the new FADP has a requirement for a data breach notification. It requires data controllers to inform the authorities and possibly the affected individuals if the breach poses a risk to the fundamental rights of affected persons.
This requirement is clearly in line with the GDPR requirement for data breach reporting. Most breaches have to be reported to the data protection authority, and individuals also have to be informed if the breach poses a risk to them.
Companies that process personal data have to assess whether the processing would involve a risk to the fundamental rights of the individuals whose data is about to be processed. If there are such risks, the business has to conduct a Data Protection Impact Assessment (DPIA).
There is no prescribed form for the DPIA, as long as it contains a proper assessment of the risks and the possible undesirable outcomes, as well as measures for preventing and remedying such outcomes.
Businesses have no obligation to appoint a DPO to meet the new FADP requirements. Unlike the GDPR and LGPD, which require businesses passing certain thresholds to appoint DPOs, the new FADP does not require it. See some common problems GDPR DPOs face.
Businesses are encouraged to have a data protection advisor but they are not obligated to have one.
The new FADP prescribes criminal penalties for violations of the law. Unlike the GDPR and almost any other data protection law in Europe, the new FADP does not prescribe administrative penalties.
The FDPIC investigates possible violations and, if it finds that a data controller has violated the law, it can issue binding orders requiring the violator to do or cease doing something. If the data controller remedies the violation, it may avoid penalties.
In some cases, the FDPIC can choose to pass the case to the prosecution authorities, which could lead to further penalties.
The prescribed penalties are up to CHF 250.000 for the individual who caused the violation. The individual is criminally liable even if they violated the law in the course of working for their company. If the investigation cannot establish who was responsible for the violation, the company may be fined up to CHF 50.000.
Although the new FADP and GDPR share a lot of similarities, there are some differences as well. The most notable of them include:
To comply with the new FADP, ensure to:
If you operate in Europe and you need to comply with the new FADP, we have a solution for compliance.