March 1, 2024

Understanding the New Swiss Federal Act on Data Protection (FADP)

Explore the significant changes brought by Switzerland's New Federal Act on Data Protection (FADP) effective from September 2023. Learn about its impact on businesses, the key differences from GDPR, and essential guidelines for ensuring compliance.

Switzerland has an updated data protection law that came into force on 1 September 2023. Its previous Federal Data Protection Act already had many similarities with the GDPR, which is why the European Commission reached an adequacy decision for Switzerland. However, it still needed some improvements to ensure that the law affords greater protection to the personal data of Swiss citizens.

The new Swiss privacy law introduces new provisions on consent, records of processing activities, data breaches, and data protection impact assessments, among other topics.

What is the New Federal Act on Data Protection (FADP) of Switzerland?

The Federal Act on Data Protection is the key Swiss law governing data protection for individuals. It regulates how personal data is collected, stored, used, and transferred. The revised version, the New Federal Act on Data Protection (FADP), came into effect on 1 September 2023, significantly strengthening data privacy protections.

Before this revision, the previous Federal Data Protection Act (established in 1992) was the primary data privacy law in Switzerland. However, because of advances in technology, it was necessary to revise the privacy law to ensure that the population has sufficient data protection that aligns with current technology and social progress.

The revised FADP was passed on 25 September 2020 by the Swiss Parliament. Before it could come into force, Swiss legislative bodies needed to amend the ordinances for the implementation of the law. The ordinances contain more detailed guidelines on the implementation of the provisions, including the exact date on which the law came into effect. Now that the law is in force, businesses should adhere to the new Swiss FADP requirements.

Does the Swiss Data Protection Act apply to your business?

The New Federal Act on Data Protection of Switzerland applies to a broad range of businesses, including:

  • Businesses operating in Switzerland: This includes any company physically located within Switzerland, regardless of its size or industry.
  • Businesses outside Switzerland that process the personal data of individuals in Switzerland: This broadens the scope beyond physical location. Even if your company is located outside Switzerland, you are still subject to the FADP if you process the personal data of individuals residing there.

Here are some specific examples of businesses that the FADP applies to:

  • Retailers: If a retailer collects customer data for online purchases or loyalty programs, they must comply with the FADP if the customers are in Switzerland.
  • Social media platforms: If a social media platform has users who are residents of Switzerland, the platform must comply with the FADP when processing their data.
  • Healthcare providers: Any healthcare provider that collects and processes patients' personal data in Switzerland, regardless of their location, must comply with the FADP.
  • Financial institutions: Banks and other financial institutions that offer services to individuals in Switzerland, regardless of their location, must comply with the FADP when handling their data.

It's important to note that the FADP doesn't apply to the processing of data related to legal entities like companies or organizations. It solely focuses on protecting personal data of natural persons.

Which data does the revised FADP apply to?

The revised FADP applies to a broad range of personal data, meaning any information relating to an identified or identifiable individual. Here's a breakdown of the types of data covered by the FADP:

  1. Basic personal information
    • Names and contact information: This includes full names, email addresses, phone numbers, physical addresses, and other information that can directly identify an individual.
    • Demographic information: This could include age, gender, nationality, language, and other relevant data.
  2. Online identifiers and digital data
    • IP addresses and device identifiers: These are used to track individuals online and identify their devices.
    • Location data: This includes GPS coordinates, Wi-Fi data, and other information revealing an individual's location.
    • Online identifiers: This covers cookies, social media profiles, online usernames, and other unique identifiers used online.
  3. Sensitive personal data
    The FADP introduces stricter protection for specific categories of sensitive data, which require additional safeguards and restrictions for processing. These include:
    • Genetic data: Information about an individual's genetic makeup and inherited traits.
    • Biometric data: Physical and physiological data used for unique identification, such as fingerprints, facial recognition data, and voice recordings.
    • Health data: Any information about an individual's physical and mental health, including medical records, diagnoses, and treatment information.
    • Religious beliefs, political opinions, and membership of trade unions: Due to their sensitive nature, these categories require greater caution and justification for processing under the FADP.

What are the data subject rights under the Swiss data protection law?

Under the revised Swiss Federal Act on Data Protection, individuals (data subjects) have several key rights to control and manage how their personal data is processed. These include:

  1. Right of Access: Individuals have the right to access their personal data and obtain a copy of it. They can request information about how their data is processed, including the purposes, recipients, and storage periods.
  2. Right to Rectification: Individuals can request the correction of inaccurate or incomplete personal data.
  3. Right to Erasure (Right to be Forgotten): Under certain circumstances, individuals have the right to request the deletion of their personal data. This could apply if the data is no longer necessary for its original purpose, consent has been withdrawn, or there's no legal basis for processing it.
  4. Right to Restriction of Processing: Individuals may request that their data processing is restricted while certain concerns are addressed (e.g., during an investigation into the accuracy of the data).
  5. Right to Data Portability: Individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format. This allows them to easily transfer their data between different data controllers/processors.
  6. Right to Object to Processing: Individuals can object to data processing when it's based on legitimate interests or for direct marketing purposes. Organizations must then demonstrate compelling legitimate grounds to continue processing.


What are the new Swiss federal data protection legal requirements?

The revised Swiss Federal Act on Data Protection introduced several new legal requirements aimed at strengthening data privacy protections for individuals in Switzerland.

Here's a summary of the key changes:

Scope

The nFADP applies to the processing of personal data of natural persons within Switzerland, regardless of the organization's location. This means even foreign businesses processing data of individuals in Switzerland must comply with the act.

Clear and informed consent

Organizations must provide easily accessible information about data collection purposes, intended use, and retention periods, before or at the point of collection. This ensures individuals understand how their data will be used and have a meaningful opportunity to choose.

"Opt-in" consent

Generally, organizations must obtain "opt-in" consent, requiring individuals to actively agree to data processing before it occurs. This strengthens individual control over their personal data compared to the previously allowed "implied consent" in certain scenarios.

Sensitive Personal Data

The FADP recognizes genetic and biometric data as "sensitive" categories requiring stricter safeguards and limitations on processing. This reflects the increased risk associated with the misuse of such sensitive information.

Automated Decision Making

If the data controller makes an automated decision about a person by processing their personal data, that person can object to such processing and ask for a manual check.

Persons already have such a right under the GDPR. This update grants the same right to Swiss citizens as well as to all other persons whose data is processed in that way by Swiss companies.

"Privacy by Design and Default"

This principle emphasizes embedding data protection considerations from the outset of any process or system involving personal data. Organizations must prioritize privacy throughout the data lifecycle, minimizing data collection and ensuring it's used only for legitimate purposes.

Register of processing activities

Maintaining a comprehensive record of all data processing activities is now obligatory. This register should detail the purpose of each activity, the categories of data involved, and the recipients of the data. This log provides transparency and facilitates oversight.

International Data Transfers

International data transfers are allowed to countries with an adequate level of protection. The Federal Data Protection and Information Commissioner (FDPIC) has published the list of adequate countries.

The data controller can transfer data to those countries without obtaining approval from anyone and without asking for additional consent from the user.

When it comes to transfers to third countries, the data controller needs to employ additional legal tools, such as the user's consent, Standard Contractual Clauses, and others.

Data Breach Notifications

Promptly reporting data breaches to the Federal Data Protection and Information Commissioner (FDPIC) is mandatory when there's a high risk of harm to individuals. While the specific timeframe is yet to be defined, organizations are expected to act quickly and transparently in such situations.

Data Protection Impact Assessment

Companies that process personal data must assess whether the processing would pose a risk to the fundamental rights of the individuals whose data is about to be processed. If there are such risks, the business has to conduct a Data Protection Impact Assessment (DPIA).

There is no prescribed form for the DPIA, as long as it contains a proper assessment of the risks and the possible undesirable outcomes, as well as measures to prevent and remedy such outcomes.

Data Protection Officer

Businesses have no obligation to appoint a DPO to meet the new FADP requirements. Unlike the GDPR and LGPD, which require businesses passing certain thresholds to appoint DPOs, the new FADP does not require it. See some common problems GDPR DPOs face.

Businesses are encouraged to have a data protection advisor but they are not obligated to have one.

What are the penalties for non-compliance with the new Swiss FADP?

The new FADP prescribes criminal penalties for violations of the law. Unlike the GDPR and almost any other data protection law in Europe, the new FADP does not prescribe administrative penalties. The Federal Data Protection and Information Commissioner (FDPIC), the government agency in charge of the protection of personal data in Switzerland, oversees the enforcement of the FADP.

The maximum fine for violating the FADP is CHF 250,000 (around EUR 263,000). This heavy fine can be imposed on individuals who intentionally commit serious infringements of the nFADP. This could involve deliberately circumventing safeguards, unauthorized data processing, or leading an organization to violate the law through intentional actions.

The FDPIC investigates possible violations, and if it finds that a data controller has violated the law, it can issue binding orders requiring the violator to do or cease doing something. If the data controller remedies the violation, it may avoid penalties.

In some cases, the FDPIC can choose to pass the case to prosecution bodies which could lead to further penalties.

New FADP v. GDPR: What are the key differences?

Although the new FADP and GDPR share a lot of similarities, there are some differences as well. The most notable of them include:

  • The new FADP does not require the appointment of a Data Protection Officer at all, whereas GDPR requires it in some cases.
  • The new FADP creates a longer procedure from the discovery of a violation to a penalty. There are no administrative penalties and no enforcement body to fine the violators. Unlike the new FADP, GDPR is famous for its huge fines and the ease of enforcement of the penalties.
  • Under the GDPR, valid consent must be given unambiguously. This means that the user has to take action to give consent; it cannot be given passively. The new FADP does not mention such a requirement, although in practice that is the only way to obtain valid consent, given the other requirements around consent.

Do Swiss businesses need to comply with GDPR?

While Switzerland has its own robust data protection law, the General Data Protection Regulation (GDPR) of the European Union (EU) can still apply to Swiss companies in certain situations. Here's a breakdown of when Swiss companies need to comply with the GDPR:

  • Processing EU resident data: If a Swiss company processes the personal data of individuals located in the EU, regardless of the purpose of processing, they must comply with the GDPR. This includes data like names, email addresses, and online identifiers.
  • Offering goods/services to the EU: When a Swiss company offers goods or services directly to individuals in the EU, the GDPR applies even if the company itself is not physically located in the EU. This could involve online sales, targeted advertising, or providing access to subscription services.
  • Monitoring EU individuals' behavior: If a Swiss company monitors the online behavior of individuals located in the EU, such as tracking website visits or user activity on social media platforms, they must comply with the GDPR, regardless of the purpose of the monitoring.

If any of these scenarios apply to your Swiss company, it's crucial to take the necessary steps to comply with the GDPR. This may involve:

  • Appointing a data protection officer (DPO): If your company processes personal data of a certain number of EU residents, you may need to appoint a DPO who is responsible for overseeing data protection compliance.
  • Implementing appropriate technical and organizational measures: This includes measures to secure personal data, ensure data breach notification, and facilitate individual rights regarding their data.
  • Obtaining consent for data processing: When required by the GDPR, you need to obtain explicit and informed consent from EU individuals before processing their personal data.

How to ensure Swiss FADP compliance

To comply with the new FADP, ensure that you:

  • Have a compliant privacy policy in place
  • Not use cookies before obtaining users’ consent
  • Have a compliant cookie banner
  • Maintain records of processing activities, if required
  • Have data breach procedures in place
  • Transfer personal data internationally only to adequate countries or employ additional legal tools for transfers to third countries
  • Conduct a data protection impact assessment, if required.
