The new revised Swiss Federal Act on Data Protection means that important provisions governing the processing of personal data will change from 2023 onward. In future, companies will have to comply with stricter rules – and should therefore adapt their existing guidelines and data protection statements by the time those rules come into force, which is expected to be on the first of September 2023.
Firstly, it’s about adapting the Data Protection Act to the changed technological and social circumstances (cloud computing, big data, social networks, Internet of Things): The aim is to strengthen data subjects’ self-determination in relation to their data. Secondly, the revision will align the FADP with European data protection rules: The aim here is to ensure that the EU continues to recognize Switzerland as a third country with an adequate level of data protection – and that straightforward data transfers between Switzerland and the EU continue to be possible in the future.
If the EU Commission were no longer to recognize the adequacy of the Swiss level of data protection, Swiss companies would be at a competitive disadvantage in the future, as the exchange of data with companies in the EU would become more difficult.
The new FADP will enter into force on the first of September 2023 together with the related Ordinance to the FADP, which has yet to be issued by the Federal Council.
By the entry into force of the revised FADP.
The revised FADP does not include any transition periods.
The powers of the FDPIC to enforce the revised FADP have been expanded. It can initiate an investigation into a company ex officio or upon notification and, in the event of breaches of data protection regulations, order far-reaching measures such as the adjustment or suspension of data processing, or even the deletion of data.
Furthermore, under the revised FADP, data subjects have civil law remedies to enforce their claims. At the same time, changes made to the Civil Procedure Code stipulate that the relevant court proceedings are to be free of charge.
In September 2020, the National Council and Council of States passed the completely revised Swiss Data Protection Act after a legislative process lasting almost four years. In many – but not all – respects, this revised Data Protection Act is aligned with the EU General Data Protection Regulation (GDPR). However, significant differences also remain.
In the event of intentional breaches of the revised FADP, such as breaches of obligations to provide information, to cooperate, or to exercise duties of care, private individuals may be fined up to CHF 250,000. In the case of infringements in business operations, companies can be fined up to CHF 50,000 if identifying the offending persons would involve disproportionate effort – and a fine of no more than CHF 50,000 would be considered for such persons.
This is a big difference to the GDPR, which does not fine natural persons but imposes much higher fines on companies.
FADP is the Swiss Data Protection Act (Federal Act on Data Protection). The revised FADP refers to the completely revised new Data Protection Act as opposed to the current FADP.
OFADP is the Ordinance of the Federal Council relating to the FADP. It contains the implementing/detailed provisions. The final version of the new ordinance is not yet available. The Federal Council sent the draft ordinance for consultation on June 23, 2021.
GDPR is the EU’s General Data Protection Regulation of April 27, 2016. It has been directly applicable to all EU countries since May 25, 2018. Although this is a European regulation, it is also applicable to Swiss companies under certain conditions.
Unlike the GDPR, which requires a legal basis for every data processing operation, the revised FADP does not fundamentally change the way data is processed. As in the past, and in contrast with the GDPR, no consent or other justification is required for the processing of personal data by private companies, provided:
Explicit consent is only required for processing particularly sensitive personal data and now for high-risk profiling.
Yes – in relation to the geographical scope of application, the new FADP is based on the so-called “effects doctrine”. It also applies to foreign companies operating in the Swiss market or whose data processing has an impact in Switzerland, just as the GDPR also applies to Swiss companies operating in the EU area.
Foreign-domiciled companies must designate a representative in Switzerland if they regularly process a large volume of personal data in Switzerland in connection with offers of goods or services or for the purpose of monitoring behavior and if the processing entails a high risk for the data subjects.
Conversely, under the FADP, Swiss companies must always appoint a data protection officer if they process personal data of EU residents, not only when there is a high risk.
These include companies that process large amounts of personal data or particularly sensitive personal data, that carry out profiling, operate webshops, generate automated individual decisions, or transfer personal data abroad (outside the EU).
The effort required will depend on whether the company’s activities mean that it is among those companies particularly affected and on the extent to which it has already adapted in line with the new developments. Companies that are already GDPR-compliant will need to make virtually no adjustments. On the other hand, companies that only operate in Switzerland and have not yet taken any action should start a gap analysis immediately.
No, in contrast with the position under the GDPR, the appointment of a data protection advisor is voluntary, but it does bring certain benefits. Firstly, this advisor is the point of contact for employees, customers (when exercising their data protection rights), and authorities on data protection issues. Secondly, mandatory consultation of the FDPIC in connection with high-risk data protection impact assessments is not required if the data protection advisor is consulted instead.
This depends on whether the company has the relevant skills, such as a competent data protection officer in accordance with the old FADP or a legal department. Otherwise, we strongly recommend seeking external support.
Instructions and templates can be found on these sites, among others: