The General Data Protection Regulation (GDPR) is a strategic challenge for every European (and global) company. In Switzerland, organizations are facing an even bigger challenge: meeting the requirements of both the GDPR and a national law, the Swiss Federal Act on Data Protection (FADP).

 

 

The total revision of the FADP was adopted by the Federal Assembly in Fall 2020 after three years of debate. Initially planned for the second half of 2022, the implementation of the new Swiss Federal Act on Data Protection (nFADP) is expected to begin on September 1, 2023.

 

The Ordinance to the Federal Act on Data Protection (DPO) will be issued at the same time, after consultation with the Federal Council. Under the new law, companies will have to comply with more stringent rules.

 

 

Swiss nFADP: New Guidelines and Scope

 

Given the rapid technological evolution, the old Swiss Federal Act on Data Protection is outdated. The total revision of the FADP adapts its directives to contemporary technological and social challenges.

 

By strengthening the text of the law, Switzerland aims to bring Swiss legislation closer to the requirements of the GDPR. For the country, the challenge is to remain recognized as a third-party state with an adequate level of protection to conduct data exchange with the rest of the world.

 

This new law improves the processing of personal data for Swiss citizens, while providing them with new rights.

 

10 Main Changes Between the Swiss FADP and the nFADP

 

The Swiss nFADP introduces new regulations for companies: 

 

  • The new federal law only covers the protection of personal data for individuals or natural persons. It no longer applies to the data of legal entities (associations, foundations, trading companies, etc.).

  • The definition of sensitive personal data (union membership, health, political opinions, etc.) also includes genetic and biometric data (fingerprints, DNA, etc.) when they make it possible to identify a person unambiguously.

  • Two new principles of data protection are included in the Swiss FADP:

    The first is "Privacy by Design". It requires companies to develop applications that systematically anonymize or delete data when they are no longer used.

    The second is "Privacy by Default". It protects users of private online offers even when they have read neither the general terms and conditions of use nor the information on the right to object. Only essential data about them can be processed. The company will have to obtain additional authorization to process other data.

  • A private company can appoint a data protection advisor. The advisor shall not have any contractual link with the company. Federal bodies will have to designate one. The advisor's role is to advise, train, and help develop and then apply conditions of use and measures related to the protection of personal data.

  • In the event of data processing that is likely to result in a significant risk to users' fundamental and personal rights, the new Swiss FADP requires a prior assessment of the impact.

  • The duty to provide information has been strengthened. To ensure transparency, the data manager responsible for the private processing of data will have to inform the user of the collection of all their personal data, and not only of their sensitive data.

  • It is now mandatory to keep a register of all activities related to data processing. Only SMEs with fewer than 250 employees are exempted, since their processing does not present a high risk of violation of personality or fundamental rights.

  • If a violation of data security occurs, the Federal Data Protection and Information Commissioner (FDPIC) should be notified immediately.

  • The new law introduces the concept of profiling. It deals with the automated processing of personal data.

  • The new Swiss FADP imposes a penalty of up to 250,000 Swiss francs for intentional violations of the obligation to inform, to notify or to report, as well as for violations of the duty of care or discretion.

 

Scope of the Swiss nFADP

 


The new federal law on the protection of personal data aims to protect the personality and fundamental rights of individuals living in Switzerland. It regulates the processing of their data and prevents its abusive use by private companies or by the State. The data of legal entities is no longer covered.

 

The total revision of the law offers greater transparency to the Swiss. The law reinforces their rights (access, rectification, deletion, portability) regarding their personal data. Within companies, the nFADP promotes the adoption of preventive measures. With new penal provisions and increased supervision, it makes data processors more accountable.

 

The new Swiss FADP applies to all companies, regardless of their size. It also concerns economic actors "who have effects in Switzerland, even if they were produced abroad".

 

They may be foreign companies:

 

  • Commercially active on the Swiss market;

  • For which the data processing is related to Switzerland. For example, a photograph taken in Switzerland and then published on a foreign website.

How to Comply With the New Federal Act on Data Protection in Switzerland?

 

To be compliant with the nFADP, Swiss companies must immediately take strong measures to protect personal data:

 

  • Identifying personal data, and then assessing risk to determine compliance requirements;

  • If necessary, checking and modifying the data protection declarations on websites, advertising content, in contracts, etc.;

  • Building internal processes to respond quickly to customers' requests related to their data;

  • Creating a data processing register;

  • Implementing a process for impact assessments;

  • Analyzing contracts with subcontractors. Is the security of the data ensured? Is it necessary to add clauses?

  • Appointing a data protection advisor in the company.

 

Good to know: does the Swiss FADP allow for a transition time to comply with the new requirements?

A significant part of the directives in the new federal act will be applicable as soon as it comes into force. To ensure efficient data protection on September 1, 2023, it is crucial to identify the measures to take as early as possible.

 


Swiss FADP versus GDPR

 

In Switzerland, companies must respect two laws regarding data protection: the new FADP and the GDPR. Discover the application scope of the European regulation in the country as well as the main differences between the two texts.

 

The GDPR applies to Swiss companies in several situations. The regulation must be respected for any processing of personal data: 

 

  • Carried out as part of the activities of a European branch or subsidiary of a Swiss company in the EU;

  • Carried out by a Swiss company as a subcontractor of a company based in the European Union;

  • Aimed at offering goods or services to data subjects in the Union;

  • Related to the tracking of the behavior of EU residents. 

 

Main Differences Between the GDPR and the Swiss FADP on Personal Data Protection

In many aspects, the Swiss nFADP is similar to the guidelines of the European General Data Protection Regulation (GDPR). However, the new federal law presents some particularities:

 

  • Its requirements are less stringent;

  • In the new Swiss FADP, appointing a data protection advisor is recommended, but not mandatory. The GDPR requires a data protection officer (DPO) in some cases;

  • In case of a data breach, the GDPR sets a 72-hour deadline for alerting the relevant authorities. The revised FADP requires notice "as soon as possible";

  • The penalty limit is higher for the GDPR: 20 million euros versus 250,000 francs for the new Swiss data protection act.

 

By choosing Didomi, you create value with trust worldwide, making privacy a unique customer experience. With our consent and preference management solution, you can:

 

  • Collect consent from your customers with full compliance;

  • Protect your reputation;

  • Showcase your transparency for the collection of personal data;

  • Track your consent metrics;

  • Synchronize personal data between CRM and marketing automation tools.

Do you want to make Swiss GDPR/FADP compliance a commercial asset? Whether you are an editor, a bank, an e-merchant, or a software provider, book a demo!

 


3 Key Points to Keep in Mind

 

  • The new Swiss Federal Act on Data Protection will come into force on September 1, 2023;

  • The FADP strengthens the personal data protection of natural persons;

  • Despite some specificities, the nFADP is essentially inspired by the measures of the GDPR.