What are the new Swiss federal data protection legal requirements?
The revised Swiss Federal Act on Data Protection introduced several new legal requirements aimed at strengthening data privacy protections for individuals in Switzerland.
Here's a summary of the key changes:
Scope
The nFADP applies to the processing of personal data of natural persons within Switzerland, regardless of the organization's location. This means even foreign businesses processing data of individuals in Switzerland must comply with the act.
Clear and informed consent
Organizations must provide easily accessible information about data collection purposes, intended use, and retention periods, before or at the point of collection. This ensures individuals understand how their data will be used and have a meaningful opportunity to choose.
"Opt-in" consent
Generally, organizations must obtain "opt-in" consent, requiring individuals to actively agree to data processing before it occurs. This strengthens individual control over their personal data compared to the previously allowed "implied consent" in certain scenarios.
Sensitive Personal Data
The FADP recognizes genetic and biometric data as "sensitive" categories requiring stricter safeguards and limitations on processing. This reflects the increased risk associated with the misuse of such sensitive information.
Automated Decision Making
If the data controller makes an automated decision about a person by processing their personal data, that person can object to such processing and ask for a manual check.
Persons have such right under the GDPR. This update grants the same right to Swiss citizens as well as to all other persons whose data is being processed that way by Swiss companies.
"Privacy by Design and Default"
This principle emphasizes embedding data protection considerations from the outset of any process or system involving personal data. Organizations must prioritize privacy throughout the data lifecycle, minimizing data collection and ensuring it's used only for legitimate purposes.
Register of processing activities
Maintaining a comprehensive record of all data processing activities is now obligatory. This register should detail the purpose of each activity, the categories of data involved, and the recipients of the data. This log provides transparency and facilitates oversight.
International Data Transfers
International data transfers are allowed to countries with an adequate level of protection. The Federal Data Protection and Information Commissioner (FDPIC) has published the list of adequate countries.
The data controller can transfer data to those countries without obtaining approval from anyone or without asking for additional consent from the user.
When it comes to transfers to third countries, the data controller needs to employ additional legal tools, such as a user’s consent, Standard Contract Clauses, and others.
Data Breach Notifications
Promptly reporting data breaches to the Federal Data Protection and Information Commissioner (FDPIC) is mandatory when there's a high risk of harm to individuals. While the specific timeframe is yet to be defined, organizations are expected to act quickly and transparently in such situations.
Data Protection Impact Assessment
Companies that process personal data have to make an estimate of whether the processing would involve a risk to the fundamental rights of the individual whose data is about to be processed. If there are such risks, the business has to conduct a Data Protection Impact Assessment (DPIA).
There is no prescribed form for the DPIA. As long as there is a proper assessment of the risks and the possible undesirable outcomes, as well as measures for prevention and remedy of such outcomes.
Data Protection Officer
Businesses have no obligation to appoint a DPO to meet the new FADP requirements. Unlike the GDPR and LGPD, which require businesses passing certain thresholds to appoint DPOs, the new FADP does not require it. See some common problems GDPR DPOs face.
Businesses are encouraged to have a data protection advisor but they are not obligated to have one.
What are the penalties for non-compliance with the new Swiss FADP?
The new FADP prescribes criminal penalties for violations of the law. Unlike the GDPR and almost any other data protection law in Europe, the new FADP does not prescribe administrative penalties. The Federal Data Protection and Information Commissioner (FDPIC), the government agency in charge of the protection of personal data in Switzerland, oversees the enforcement of the FADP.
The maximum fine for violating the FADP is CHF 250,000 (around EUR 263,000). This heavy fine can be imposed on individuals who intentionally commit serious infringements of the nFADP. This could involve deliberately circumventing safeguards, unauthorized data processing, or leading an organization to violate the law through intentional actions.
The FDPIC investigates possible violations and if they find that a data controller has violated the law, they can issue binding orders to the violator requiring them to do or cease doing something. If the data controller remedies the violation, they may forego penalties.
In some cases, the FDPIC can choose to pass the case to prosecution bodies which could lead to further penalties.
New FADP v. GDPR: What are the key differences?
Although the new FADP and GDPR share a lot of similarities, there are some differences as well. The most notable of them include:
- The new FADP does not require the appointment of a Data Protection Officer at all, whereas GDPR requires it in some cases.
- The new FADP creates a longer procedure from the discovery of a violation to a penalty. There are no administrative penalties and no enforcement body to fine the violators. Unlike the new FADP, GDPR is famous for its huge fines and the ease of enforcement of the penalties.
- For GDPR a valid consent must be given unambiguously. This means that the user has to take action to give consent and it cannot be given passively. The new FADP does not mention such a requirement, although that’s the only way to obtain a valid consent, given the other requirements around consent.
Do Swiss businesses need to comply with GDPR?
While Switzerland has its own robust data protection law, the General Data Protection Regulation (GDPR) of the European Union (EU) can still apply to Swiss companies in certain situations. Here's a breakdown of when Swiss companies need to comply with the GDPR:
- Processing EU resident data: If a Swiss company processes the personal data of individuals located in the EU, regardless of the purpose of processing, they must comply with the GDPR. This includes data like names, email addresses, and online identifiers.
- Offering goods/services to the EU: When a Swiss company offers goods or services directly to individuals in the EU, the GDPR applies even if the company itself is not physically located in the EU. This could involve online sales, targeted advertising, or providing access to subscription services.
- Monitoring EU individuals' behavior: If a Swiss company monitors the online behavior of individuals located in the EU, such as tracking website visits or user activity on social media platforms, they must comply with the GDPR, regardless of the purpose of the monitoring.
If any of these scenarios apply to your Swiss company, it's crucial to take the necessary steps to comply with the GDPR. This may involve:
- Appointing a data protection officer (DPO): If your company processes personal data of a certain number of EU residents, you may need to appoint a DPO who is responsible for overseeing data protection compliance.
- Implementing appropriate technical and organizational measures: This includes measures to secure personal data, ensure data breach notification, and facilitate individual rights regarding their data.
- Obtaining consent for data processing: When required by the GDPR, you need to obtain explicit and informed consent from EU individuals before processing their personal data.
How to ensure Swiss FADP compliance
To comply with the new FADP, ensure to:
- Have a compliant privacy policy in place
- Not use cookies before obtaining users’ consent
- Have a compliant cookie banner
- Maintain records of processing activities, if required
- Have data breach procedures in place
- Transfer personal data internationally only to adequate countries or employ additional legal tools for transfers to third countries
- Conduct a data protection impact assessment, if required.
