Switzerland's new Federal Act on Data Protection (nFADP): what you need to know

The General Data Protection Regulation (GDPR) is a strategic challenge for every European (and global) company. In Switzerland, organizations are facing an even bigger challenge: meeting both the requirements of Europe's GDPR and of the new Federal Act on Data Protection (nFADP).

After three years of debate, the total revision of the previous data protection law, the FADP, was adopted by the Federal Assembly in autumn 2020. Originally planned for the second half of 2022, the new Swiss data protection legislation (nFADP) came into force on September 1, 2023.

Under the new law, companies will have to comply with more stringent rules. Keep reading to learn more.

Summary

• Swiss nFADP: New guidelines

• 10 main changes between the Swiss FADP and the nFADP

• Scope of the Swiss nFADP

• How to comply with the new Federal Act on Data Protection in Switzerland?

• Swiss nFADP vs GDPR

• Frequently Asked Questions (FAQ)

Swiss nFADP: New Guidelines

Given the rapid technological evolution, the old Swiss federal act on data protection was outdated. The total revision of the FADP allowed it to adapt the directives to contemporary, technological, and social challenges.

By strengthening the text of the law, Switzerland aimed to bring Swiss legislation closer to the requirements of the GDPR. For the country, the challenge is to remain recognized as a third-party state, with an adequate level of protection to conduct data exchange with the rest of the world.

This new law applies to all Swiss nationals. It improves the way in which Swiss citizens' personal data is handled while granting them new rights.

10 Main Changes Between the Swiss FADP and the nFADP

The Swiss nFADP introduces new regulations for companies: 

• The new federal law only covers the protection of personal data for individuals or natural persons. It does not apply anymore to the data of legal entities (associations, foundations, trading companies, etc.)

• The definition of sensitive personal data (union membership, health, political opinions, etc.) also includes genetic and biometric data (fingerprints, DNA, etc.), when they give the possibility of recognizing a person univocally.
  

• Two new principles of data protection are included in the Swiss FADP:

  • "Privacy by Design," also called data protection by design, which defines the fact of taking into account, right from the design of applications or other media, the protection of users' data and respect for their privacy.

  • "Privacy by Default," which requires the processing of personal data to be limited to the minimum required for the intended purpose. Further authorization must be obtained by companies to process other data.

• A private company can appoint a data protection advisor, and they are mandatory for federal bodies. They shall not have any contractual relationship with the company. Their role is to advise, train, help to develop, and then apply measures related to the protection of personal data.

• In the event of data processing that is likely to result in a significant risk to users' fundamental and personal rights, the new FADP requires a prior assessment of the impact.

• The duty to provide information has been strengthened. To ensure transparency, the data manager responsible for the private processing of data has to inform the user of the collection of all their personal data, and not only of their sensitive data.

• It is now mandatory to keep a register of all activities related to data processing. Only SMEs with fewer than 250 employees are exempted since their processing does not present a high risk of violation of personality or fundamental rights.

• In the event of a data security breach that is likely to pose a high risk to the data subject's personality or fundamental rights, the Federal Data Protection and Information Commissioner (FDPIC) must be notified promptly.

• The new law introduces the concept of profiling. It deals with the automated processing of personal data.

• The new Swiss FADP imposes a penalty of up to 250,000 Swiss francs for intentional violations of the obligation to inform, notify, or report, as well as for violations of the duty of care or discretion.

Scope of the Swiss nFADP

The new federal law aims to protect the fundamental rights of individuals living in Switzerland. It regulates the processing and prevents the abusive use of their data by private companies or by the state. The security of legal entities, on the other hand, is no longer guaranteed.

The total revision of the law offers greater transparency to Swiss citizens. The law reinforces their rights (access, rectification, deletion, portability) regarding personal data. Within companies, the nFADP promotes the adoption of preventive measures. With its new penal provisions and increased supervision, it makes those responsible for data processing more accountable. 

The new Swiss FADP applies to all companies, regardless of their size. It also concerns economic actors "who have effects in Switzerland, even if they were produced abroad."

These actors may be foreign companies:

• Commercially active on the Swiss market;

• For which the data processing is related to Switzerland. For example, a photograph was taken in Switzerland and then published on a foreign website.

How to Comply With the New Federal Act on Data Protection in Switzerland?

To be compliant with the nFADP, Swiss companies must immediately take strong measures to protect personal data:

• Identifying personal data, and then assessing risk to determine compliance requirements;

• If necessary, checking and modifying the data protection declarations on websites, advertising content, in contracts, etc.;

• Building internal processes to bring quick answers to customers' requests related to their data;

• Creating a data processing register;

• Implementing a process for impact assessments;

• Analyzing contracts with subcontractors. Is the security of the data provided? Is it necessary to add clauses?

• Appointing a data protection advisor in the company.

Swiss FADP versus GDPR

In Switzerland, companies must respect two laws regarding data protection: the nFADP and the European General Data Protection Regulation (GDPR). Discover the application scope of the European regulation in the country as well as the main differences between the two texts.

The GDPR applies to Swiss companies in several situations. The regulation must be respected for any processing of personal data: 

• Carried out as part of the activities of a European branch or subsidiary of a Swiss company in the EU;

• Carried out by a Swiss company as a subcontractor of a company based in the European Union;

• Aimed at offering goods or services to concerned persons in the Union;

• Related to the tracking of the behavior of EU residents. 

Main differences Between the GDPR and the Swiss nFADP on Personal Data Protection

In many aspects, the Swiss nFADP is similar to the guidelines of Europe's GDPR. However, the new federal law presents some particularities:

• Its requirements are less stringent;

• In the new Swiss FADP, appointing a data protection advisor is recommended, but not mandatory for private companies. The GDPR requires a data protection officer (DPO) in some cases;

• In case of a data breach, the GDPR requires a 72-hour deadline to alert the relevant authorities. The revised FADP requires "as soon as possible" notice;

• The penalty limit is higher for the GDPR: 20 million euros versus 250,000 francs for the new Swiss Data Protection Act.

By choosing Didomi, you create value with trust worldwide, making privacy a unique customer experience. With our Consent Management Platform (CMP), you can:

• Collect compliant consent from your customers

• Protect your reputation

• Showcase your transparency in the collection of personal data

•  Track your consent metrics

• Synchronize consent data with your CRM and marketing automation tools

To learn how Didomi can help whether you are an editor, a bank, an e-commerce store, or a software provider, talk to one of our experts for more information:

Frequently Asked Questions (FAQ)

When does Switzerland's nFADP come into force?

The Swiss nFADP has come into action on September, 1st, 2023.

What is the main purpose of the new Swiss nFADP?

The nFADP updates Switzerland's data protection law to address technological and social changes, bringing it closer to GDPR standards. It aims to ensure personal data protection for Swiss citizens and grants them new rights.

How does the new Swiss nFADP differ from the old FADP?

Among other things, the nFADP introduces provisions like "Privacy by Design" and "Privacy by Default," strengthens businesses' duty to be transparent, mandates the appointment of a data protection advisor for federal bodies, and introduces penalties for violations.

Who does the nFADP apply to?

The nFADP applies to all individuals in Switzerland, regulating data use by private companies and the state. It also concerns actors who impact Switzerland, even if their actions originate abroad.

How do the nFADP and GDPR differ?

While they share many guidelines, the nFADP is less strict in some areas. For instance, the GDPR has a 72-hour breach notification rule, while the nFADP requires notification "as soon as possible." Also, GDPR penalties can be higher.