Explore the significant changes brought by Switzerland's New Federal Act on Data Protection (FADP) effective from September 2023. Learn about its impact on businesses, the key differences from GDPR, and essential guidelines for ensuring compliance.
Switzerland has an updated data protection law that came into force on 1 September 2023. Its previous Federal Data Protection Act had many similarities with the GDPR, which led the European Commission to reach an adequacy decision for Switzerland. However, it still needed some improvements to ensure that the law affords greater protection to the personal data of Swiss citizens.
The new Swiss privacy law introduces new provisions on consent, processing records, data breaches, data protection impact assessment, among others.
The Federal Act on Data Protection is the key Swiss law governing data protection for individuals. It regulates how personal data is collected, stored, used, and transferred. The revised version, the New Federal Act on Data Protection (FADP), came into effect on 1 September 2023, significantly strengthening data privacy protections.
Before this revision, the previous Federal Data Protection Act (established in 1992) was the primary data privacy law in Switzerland. However, because of advances in technology, it was necessary to revise the privacy law to ensure that the population has data protection that keeps pace with current technology and social developments.
The revised FADP was passed on 25 September 2020 by the Swiss Parliament. Before it could come into force, Swiss legislative bodies needed to amend the ordinances implementing the law. The ordinances contain more detailed guidance on implementing its provisions, including the exact date on which the law takes effect. Now that the law is in force, businesses must adhere to the new Swiss FADP requirements.
The New Federal Act on Data Protection of Switzerland applies to a broad range of businesses, including:
Here are some specific examples of businesses that the FADP applies to:
It's important to note that the FADP doesn't apply to the processing of data relating to legal entities such as companies or organizations. It solely focuses on protecting the personal data of natural persons.
The revised FADP applies to a broad range of personal data, meaning any information relating to an identified or identifiable individual. Here's a breakdown of the types of data covered by the FADP:
Under the revised Swiss Federal Act on Data Protection, individuals (data subjects) have several key rights to control and manage how their personal data is processed. These include:
The revised Swiss Federal Act on Data Protection introduced several new legal requirements aimed at strengthening data privacy protections for individuals in Switzerland.
Here's a summary of the key changes:
The nFADP applies to the processing of personal data of natural persons within Switzerland, regardless of the organization's location. This means even foreign businesses processing data of individuals in Switzerland must comply with the act.
Organizations must provide easily accessible information about data collection purposes, intended use, and retention periods, before or at the point of collection. This ensures individuals understand how their data will be used and have a meaningful opportunity to choose.
Generally, organizations must obtain "opt-in" consent, requiring individuals to actively agree to data processing before it occurs. This strengthens individual control over their personal data compared to the previously allowed "implied consent" in certain scenarios.
The FADP recognizes genetic and biometric data as "sensitive" categories requiring stricter safeguards and limitations on processing. This reflects the increased risk associated with the misuse of such sensitive information.
If the data controller makes an automated decision about a person by processing their personal data, that person can object to such processing and ask for a manual check.
Persons already have such a right under the GDPR. This update grants the same right to Swiss citizens as well as to all other persons whose data is processed in that way by Swiss companies.
This principle emphasizes embedding data protection considerations from the outset of any process or system involving personal data. Organizations must prioritize privacy throughout the data lifecycle, minimizing data collection and ensuring it's used only for legitimate purposes.
Maintaining a comprehensive record of all data processing activities is now obligatory. This register should detail the purpose of each activity, the categories of data involved, and the recipients of the data. This log provides transparency and facilitates oversight.
International data transfers are allowed to countries with an adequate level of protection. The Federal Data Protection and Information Commissioner (FDPIC) has published the list of adequate countries.
The data controller can transfer data to those countries without obtaining approval from anyone or without asking for additional consent from the user.
When it comes to transfers to other third countries, the data controller needs to employ additional legal tools, such as the user's consent, Standard Contractual Clauses, and others.
Promptly reporting data breaches to the Federal Data Protection and Information Commissioner (FDPIC) is mandatory when there's a high risk of harm to individuals. While the specific timeframe is yet to be defined, organizations are expected to act quickly and transparently in such situations.
Companies that process personal data have to assess whether the processing would involve a risk to the fundamental rights of the individuals whose data is about to be processed. If there are such risks, the business has to conduct a Data Protection Impact Assessment (DPIA).
There is no prescribed form for the DPIA, as long as it properly assesses the risks and the possible undesirable outcomes and sets out measures to prevent and remedy those outcomes.
Businesses have no obligation to appoint a DPO to meet the new FADP requirements. Unlike the GDPR and the LGPD, which require businesses passing certain thresholds to appoint DPOs, the new FADP does not require it.
Businesses are encouraged to have a data protection advisor, but they are not obligated to have one.
The new FADP prescribes criminal penalties for violations of the law. Unlike the GDPR and almost any other data protection law in Europe, the new FADP does not prescribe administrative penalties. The Federal Data Protection and Information Commissioner (FDPIC), the government agency in charge of the protection of personal data in Switzerland, oversees the enforcement of the FADP.
The maximum fine for violating the FADP is CHF 250,000 (around EUR 263,000). This heavy fine can be imposed on individuals who intentionally commit serious infringements of the nFADP. This could involve deliberately circumventing safeguards, unauthorized data processing, or leading an organization to violate the law through intentional actions.
The FDPIC investigates possible violations and, if it finds that a data controller has violated the law, it can issue binding orders requiring the violator to do or cease doing something. If the data controller remedies the violation, it may avoid penalties.
In some cases, the FDPIC can choose to refer the case to prosecuting authorities, which could lead to further penalties.
Although the new FADP and GDPR share a lot of similarities, there are some differences as well. The most notable of them include:
While Switzerland has its own robust data protection law, the General Data Protection Regulation (GDPR) of the European Union (EU) can still apply to Swiss companies in certain situations. Here's a breakdown of when Swiss companies need to comply with the GDPR:
If any of these scenarios apply to your Swiss company, it's crucial to take the necessary steps to comply with the GDPR. This may involve:
To comply with the new FADP, make sure you: