New Data Protection Act: What do Swiss companies need to be aware of?

The revised Swiss Federal Act on Data Protection (FADP) changes important provisions governing the processing of personal data from 2023 onward. Companies will have to comply with stricter rules, and should therefore adapt their existing guidelines and data protection statements before those rules enter into force, which is expected on September 1, 2023.

Heinz Suter, lawyer and Head of Legal, Compliance & Risk Management at AXA-ARAG, answers the most important questions relating to the new FADP and gives tips on how companies can prepare for these new regulations.

What exactly is the new FADP all about?

Firstly, it’s about adapting the Data Protection Act to the changed technological and social circumstances (cloud computing, big data, social networks, Internet of Things): The aim is to strengthen data subjects’ self-determination in relation to their data. Secondly, the revision will align the FADP with European data protection rules: The aim here is to ensure that the EU continues to recognize Switzerland as a third country with an adequate level of data protection – and that straightforward data transfers between Switzerland and the EU continue to be possible in the future.

Why is the revision so important?

If the EU Commission were no longer to recognize the adequacy of the Swiss level of data protection, Swiss companies would be at a competitive disadvantage in the future, as the exchange of data with companies in the EU would become more difficult.

When does the new FADP come into force?

The new FADP will enter into force on September 1, 2023, together with the related Ordinance to the FADP, which has yet to be issued by the Federal Council.

By when will companies have to implement the new data protection regulations?

By the entry into force of the revised FADP.

What transition periods apply?

The revised FADP does not include any transition periods.

What happens if a company fails to implement the FADP regulations by this time?

The powers of the FDPIC to enforce the revised FADP have been expanded. It can initiate an investigation into a company ex officio or upon notification and, in the event of breaches of data protection regulations, order far-reaching measures such as the adjustment or suspension of data processing, or even the deletion of data. 

Furthermore, under the revised FADP, data subjects have civil law remedies to enforce their claims. At the same time, changes made to the Civil Procedure Code stipulate that the relevant court proceedings are to be free of charge.  

GDPR vs revised FADP

In September 2020, the National Council and Council of States passed the completely revised Swiss Data Protection Act after a legislative process lasting almost four years. In many, but not all, respects the revised Data Protection Act is aligned with the EU General Data Protection Regulation (GDPR); significant differences remain.

What fines can a company expect for a breach of the revised FADP in the worst case scenario?

In the event of intentional breaches of the revised FADP, such as breaches of the obligations to provide information, to cooperate, or to exercise duties of care, private individuals may be fined up to CHF 250,000. For infringements committed in business operations, the company itself can be fined up to CHF 50,000 if identifying the offending persons would involve disproportionate effort and the fine for those persons would not exceed CHF 50,000.

This is a big difference from the GDPR, which does not fine natural persons but imposes much higher fines on companies.

What are the most important changes?

  1. New scope: Like the GDPR, the revised FADP confines itself to protecting the data of natural persons – rather than also covering the data of legal entities, as was previously the case.
  2. Expanded scope: Genetic and biometric data are now also regarded as particularly sensitive.
  3. Improved transparency: Companies have more extensive obligations to provide information than they have had up until now. They are now required to inform data subjects appropriately about every instance of data collection – not only about the collection of particularly sensitive data, as was previously the case – and they are required to do so even if the data is not collected from the data subject himself/herself. The identity and contact details of the data controller must be disclosed, as must the purpose of the processing, the recipients or categories of recipients, and the recipient country if the data is exported abroad. Here, the revised FADP is even stricter than the GDPR.
  4. List of processing activities: Companies are required to keep a register of processing activities with the prescribed information, but are no longer obliged to keep a register of data collections. However, it is advisable to link these two directories intelligently, particularly if the same application or database is accessed for several data processing activities. The Federal Council may provide for exceptions for companies with up to 250 employees. The new ordinance is not yet available.
  5. Data protection impact assessment: Companies are now required to conduct a data protection impact assessment if the data processing entails a high risk to the personal or fundamental rights of the data subjects. This must be documented.
  6. Profiling: The revised FADP also regulates profiling, i.e. automated data processing to evaluate certain personal aspects of a person, such as their economic circumstances, health, interests, behavior, location, etc. Unlike the GDPR, the revised FADP does not provide for a general obligation to obtain consent. Such an obligation is only imposed for high-risk profiling.
  7. Swift reporting to the FDPIC: Data security breaches, i.e. accidental or unlawful loss, deletion, destruction, alteration, or unauthorized accessing of personal data, must now be reported to the FDPIC as soon as possible (within 72 hours under the GDPR) if they are likely to put the data subjects at high risk (under the GDPR, “simple” risk is sufficient). As a rule, the controller must also inform the data subject if this is necessary for his or her protection or if required to do so by the FDPIC.
  8. Privacy-by-design and privacy-by-default: This provision obliges companies to take account of data processing principles already at the planning and design stage of applications and, for example, not to use default settings to obtain data subjects’ consent for more than the data processing that is absolutely necessary.

What do the abbreviations mean?

FADP is the Swiss Data Protection Act (Federal Act on Data Protection). The revised FADP refers to the completely revised new Data Protection Act as opposed to the current FADP.

OFADP is the Ordinance of the Federal Council relating to the FADP. It contains the implementing/detailed provisions. The final version of the new ordinance is not yet available. The Federal Council sent the draft ordinance for consultation on June 23, 2021.

GDPR is the EU’s General Data Protection Regulation of April 27, 2016. It has been directly applicable to all EU countries since May 25, 2018. Although this is a European regulation, it is also applicable to Swiss companies under certain conditions.

What remains unchanged?

Unlike the GDPR, which requires a legal basis for every data processing operation, the revised FADP does not fundamentally change the way data is processed. As in the past, and in contrast with the GDPR, no consent or other justification is required for the processing of personal data by private companies, provided:

  • the processing principles of transparency (in particular the fulfillment of information obligations), linkage to a specific purpose, proportionality, and data security are observed,
  • the data subject has not objected to the processing, and
  • no particularly sensitive personal data (i.e. personal data requiring particular protection) is disclosed to third parties.

Explicit consent is only required for processing particularly sensitive personal data and, now, for high-risk profiling.

Will foreign companies also have to comply with the new law?

Yes – in relation to the geographical scope of application, the new FADP is based on the so-called “effects doctrine”. It also applies to foreign companies operating in the Swiss market or whose data processing has an impact in Switzerland, just as the GDPR also applies to Swiss companies operating in the EU area.

Foreign-domiciled companies must designate a representative in Switzerland if they regularly process a large volume of personal data in Switzerland in connection with offers of goods or services or for the purpose of monitoring behavior and if the processing entails a high risk for the data subjects.

Conversely, under the FADP, Swiss companies must always appoint a data protection officer if they process personal data of EU residents, not only when there is a high risk.

Which companies are at particularly high risk of breaching the new FADP?

These include companies that process large amounts of personal data or particularly sensitive personal data, carry out profiling, operate webshops, generate automated individual decisions, or transfer personal data abroad (outside the EU).

How much work will the complete revision of the FADP create for company owners?

The effort required will depend on whether the company’s activities mean that it is among those companies particularly affected and on the extent to which it has already adapted in line with the new developments. Companies that are already GDPR-compliant will need to make virtually no adjustments. On the other hand, companies that only operate in Switzerland and have not yet taken any action should start a gap analysis immediately.

Does every company now have to appoint or hire a data protection advisor?

No. In contrast with the position under the GDPR, the appointment of a data protection advisor is voluntary, but it does bring certain benefits. Firstly, this advisor is the point of contact for employees, customers (when exercising their data protection rights), and authorities on data protection issues. Secondly, the otherwise mandatory consultation of the FDPIC in connection with high-risk data protection impact assessments is not required if the data protection advisor is consulted instead.

As an SME, can I develop a new data protection concept on my own? Are there templates?

This depends on whether the company has the relevant skills, such as a competent data protection officer appointed under the old FADP or a legal department. Otherwise, we strongly recommend seeking external support.

Instructions and templates can be found on these sites, among others:

https://www.edoeb.admin.ch/edoeb/en/home.html

www.swissdataprotctionlaw.ch (EN)

What does a company need to do to comply with the new data protection regulations from 2022 onward?

  • Review and customize privacy statements on the Internet and on promotional and contractual documents
  • Create or update internal data processing guidelines
  • Set up a data processing register
  • Implement a process that ensures the timely processing of data subject rights (e.g., requests for information or deletion)
  • Implement a data breach notification process
  • Implement a data protection impact assessment process, especially where there is extensive processing of particularly sensitive data or extensive systematic monitoring of public areas, or where new high-risk processing technologies are used
  • Review contracts with data processors (third parties). In particular, it is advisable to include a notification requirement in the event of data breaches or where data is passed on to subcontractors. Furthermore, the responsible party must ensure that data security is guaranteed.
  • Ensure that personal data is deleted or anonymized as soon as it is no longer required for the purpose of processing.
  • Clarify in which countries personal data is disclosed and ensure that this only happens in countries that ensure adequate protection. This also applies to storage on systems abroad (cloud). The Federal Council publishes a corresponding list (previously the FDPIC). If a country does not appear on this list, data may still be exported under certain conditions, such as with the express consent of the data subjects.
  • Ensure data security through appropriate technical and organizational measures. In short: data security breaches should be avoided. The Federal Council has yet to define the minimum requirements. Since data transmission by email is insecure, email encryption should be available at least for particularly sensitive personal data.
  • Ensure data portability, i.e. data output in a common electronic format (along similar lines to the GDPR), if the data is processed electronically and especially in the direct context of concluding or executing a contract.
  • Appoint a data protection advisor (data protection officer) and notify the FDPIC (recommended). This advisor’s contact details must be published. Under the GDPR, by contrast, notification of a data protection officer is mandatory.
