Swiss Federal Data Protection Act

Switzerland has an updated data protection law that will come into force in 2022 or in early 2023. Its existing Data Protection Act (DPA) has many similarities with the GDPR, which made the European Commission reach an adequacy decision for Switzerland. However, it still needed some improvements to ensure that the law affords greater protection to the personal data of Swiss citizens.

The new Swiss privacy law introduces new provisions on consent, processing records, data breaches, data protection impact assessment, among others.

The law was passed on 25 September 2020 by the Swiss Parliament. To come into force, Swiss legislation bodies need to amend ordinances for the implementation of the law. The ordinances will contain more detailed guidelines on the implementation of the provisions and will set the exact date of the law coming into effect. Until then, businesses should prepare for the new Swiss Federal Data Protection Act (FADP) requirements.

Does the FADP apply to your business?

The Swiss FADP applies to all businesses that:

• Are incorporated in Switzerland
• Offer or provide products and services to persons in Switzerland.

Aside from businesses, the Switzerland data protection law also applies to individuals who process personal data, as long as they are from Switzerland or process data of persons in Switzerland.

What does the FADP apply to?

The FADP differs from the existing Data Protection Act because it does not protect the legal entities’ data. It sticks to the protection of individuals’ personal data which aligns with the GDPR.

The data of legal entities can be protected under the Swiss Civil Code but not under the new FADP. 

What are the new Swiss FADP legal requirements?

The new FADP has new requirements. The most important of them include:

Consent

The Swiss law cookie consent requirements have been less strict than those prescribed in the GDPR. While GDPR requires a specific consent for each specific processing purpose, the DPA allows the data controller to bundle all the processing purposes into one single consent request but that has changed. Data controllers will have to obtain specific consent for one or more specific processing purposes. Otherwise, the processing wouldn’t be valid.

Sensitive Personal Data

The new FADP expands the list of categories of sensitive personal data previously prescribed by the previous FADP. The new law updates the list with genetic and biometric personal data.

Automated Decision Making

If the data controller makes an automated decision about a person by processing their personal data, that person can object to such processing and ask for a manual check.

Persons have such right under the GDPR. This update grants the same right to Swiss citizens as well as to all other persons whose data is being processed that way by Swiss companies.

Register of processing activities

The data controller with more than 250 employees has to maintain records of their processing activities. Data controllers are held accountable under the law and have to be able to prove at any time that they process data according to the law.

Records of data processing are essential for accountability. However, small and medium companies are exempt from this requirement.

International Data Transfers

International data transfers are allowed to countries with an adequate level of protection. The Federal Data Protection and Information Commissioner (FDPIC) has published the list of adequate countries.

The data controller can transfer data to those countries without obtaining approval from anyone or without asking for additional consent from the user.

When it comes to transfers to third countries, the data controller needs to employ additional legal tools, such as a user’s consent, Standard Contract Clauses, and others.

Data Breach Notifications

Similar to the GDPR, the new FADP has a requirement for a data breach notification. It requires data controllers to inform the authorities and possibly the affected individuals if the breach poses a risk to the fundamental rights of affected persons.

This requirement is clearly in line with the GDPR requirement for data breach reporting. Most of the breaches have to be reported to the data protection authority and individuals also have to be informed if there are any risks to them.

Data Protection Impact Assessment

Companies that process personal data have to make an estimate of whether the processing would involve a risk to the fundamental rights of the individual whose data is about to be processed. If there are such risks, the business has to conduct a Data Protection Impact Assessment (DPIA).

There is no prescribed form for the DPIA. As long as there is a proper assessment of the risks and the possible undesirable outcomes, as well as measures for prevention and remedy of such outcomes.

Data Protection Officer

Businesses have no obligation to appoint a DPO to meet the new FADP requirements. Unlike the GDPR and LGPD, which require businesses passing certain thresholds to appoint DPOs, the new FADP does not require it. See some common problems GDPR DPOs face.

Businesses are encouraged to have a data protection advisor but they are not obligated to have one.

What are the penalties for non-compliance with the new Swiss FADP?

The new FADP prescribes criminal penalties for violations of the law. Unlike the GDPR and almost any other data protection law in Europe, the new FADP does not prescribe administrative penalties.

The FDPIC investigates possible violations and if they find that a data controller has violated the law, they can issue binding orders to the violator requiring them to do or cease doing something. If the data controller remedies the violation, they may forego penalties.

In some cases, the FDPIC can choose to pass the case to prosecution bodies which could lead to further penalties.

The prescribed penalties are up to CHF 250.000 for the individual who has caused the violation. The individual is criminally liable even if they have violated the law in the course of working for their company. If the investigation cannot reveal who has been responsible for the violation, the company may be fined a monetary fine of up to CHF 50.000.

New FADP v. GDPR: What are the key differences?

Although the new FADP and GDPR share a lot of similarities, there are some differences as well. The most notable of them include:

• The new FADP does not require the appointment of a Data Protection Officer at all, whereas GDPR requires it in some cases.
• The new FADP creates a longer procedure from the discovery of a violation to a penalty. There are no administrative penalties and no enforcement body to fine the violators. Unlike the new FADP, GDPR is famous for its huge fines and the ease of enforcement of the penalties.
• For GDPR a valid consent must be given unambiguously. This means that the user has to take action to give consent and it cannot be given passively. The new FADP does not mention such a requirement, although that’s the only way to obtain a valid consent, given the other requirements around consent.
  

How to comply with the Swiss FADP?

To comply with the new FADP, ensure to:

• Have a compliant privacy policy in place
• Not use cookies before obtaining users’ consent
• Have a compliant cookie banner
• Maintain records of processing activities, if required
• Have data breach procedures in place
• Transfer personal data internationally only to adequate countries or employ additional legal tools for transfers to third countries
• Conduct a data protection impact assessment, if required.

If you operate in Europe and you need to comply with the new FADP, we have a solution for compliance.

Other GDPR Fines

Germany's 1&1 Telecom Fined $10.6 Million for a GDPR Violation