New Data Protection Law – Legal Aspects Companies Definitely Need to Consider

What is FADP?

After more than 30 years in its initial form, the revised Swiss Data Protection Act (revFADP or nFADP) came into force on 1 September 2023. It reflects today's digital reality by strengthening the privacy of natural persons and aligning with the General Data Protection Regulation of the EU (EU GDPR).

Companies are advised to take action as they are facing new obligations. For example:

• They must now justify why they collect data about their customers and disclose to which third parties they make this data available. 
• Individuals have the right to know how long their data will be stored and for what purposes it will be used. 
• Companies must correct inaccurate data upon request, even if the individual does not provide any reasons. 

 So, how can I play it safe from a legal point of view?  

This is exactly the question we asked four legal experts specializing in data protection. Clara-Ann Gordon, Partner with Niederer Kraft Frey AG, Alexander Hofmann, Senior Advisor with Laux Lawyers AG, Roland Mathys, Partner with Schellenberg Wittmer Ltd., and Cornelia Stengel, Partner with Kellerhals Carrard, give us an overview and recommend specific measures. 

What is the greatest impact of the new Federal Act on Data Protection (nFADP) on companies? 

The new Data Protection Act wants to promote personal responsibility of data processors – It introduces personal fines – It requires companies to act, mostly in terms of documentation

Cornelia Stengel:

The main idea of the nFADP is to increase transparency for individuals and thus strengthen their rights with regard to their own data («informational self-determination»). In addition, the nFADP intends to promote prevention and personal responsibility on the part of data processors. For companies, this means above all new obligations, especially with regard to the collection, loss, or misuse of personal data.  

Clara-Ann Gordon:

Among other things, the nFADP aims to achieve a similar standard of protection as the GDPR. Companies that have not implemented the provisions of the GDPR in 2018 therefore face a major task. Furthermore, personal fines are introduced for violations of the nFADP. Therefore, management and BoD of companies are likely to pay more attention to compliance with the nFADP.

Alexander Hofmann:

There is no doubt that the GDPR, digitalization, and cybercrime have raised awareness of data protection and security issues. With the revision of the FADP, much of what has already been good practice will now become mandatory for everyone. The nFADP introduces new obligations that companies can no longer meet through «good behavior» alone, but which require them to act, mostly in terms of documentation. 

Which changes have to be considered in particular from a legal point of view? 

Companies need to gain an overview on the data they process – The nFADP is about understanding, control, and transparency – It introduces new aspects, such as extraterritoriality, extended duty to inform, data breach notifications, and stronger sanctions 

Roland Mathys:

Documentation is also the keyword here. Those who have not yet implemented the EU GDPR have to address fact finding, for example: What data do we process? What data flows are in place? How are we documented?

Alexander Hofmann:

The FADP is primarily about understanding (if you want to control, you have to understand yourself and your environment), control (protect personal data against access by unauthorized persons), and transparency (say what you do and do what you say).

Clara-Ann Gordon:

In addition, particularly the following aspects are new:

Extraterritoriality: The nFADP is now also applicable to companies domiciled abroad if they process personal data and this data processing has an impact on Switzerland. This means that all group companies of a business that process personal data from Switzerland is subject to the nFADP.

Extended duty to inform: When transferring data abroad, it is mandatory to specify the countries abroad in the data privacy statement. This applies not only to third countries, but to all countries outside Switzerland. Furthermore, the guarantees for adequate data protection (e.g., the EU standard contractual clauses) or the exception if no such guarantees are given must be stated.

Data breach notifications: Data security breaches (e.g., data loss) that may lead to a high risk to the personality or fundamental rights of the individual must be reported immediately to the Federal Data Protection and Information Commissioner (FDPIC) and, if applicable, to the individual.

Stronger sanctions: The nFADP stipulates criminal sanctions in the form of a fine of up to CHF 250'000. In addition, the FDPIC may open an administrative investigation and issue rulings. The criminal sanctions are primarily imposed on the person responsible (according to the message, this is the head of the company) and not on the employees who carry out the work. Sanctions are imposed for the following offenses if they are committed intentionally or through gross negligence:

1. breach of the data protection notice obligation: in particular, failure to name the country abroad to which the personal data are exported
2. breach of the right to information
3. breach of the obligation to guarantee sufficient data security
4. breach of the obligation to implement data processing contracts on the relationship between the responsible party and the commissioned party in accordance with the nFADP, and 
5. breach of the obligation to notify the FDPIC in case of data exports 

Which industries are particularly affected by the nFADP?

Every company must prepare for the nFADP – Industries that process sensitive data and data-intensive industries are more affected – Companies that operate in B2B and are not regulated have the most catching up to do

Cornelia Stengel:

Every company, regardless of industry, must comply with the new law. However, it can be said that the greater the amount of personal data processed by a company and/or the more sensitive the personal data, the higher the requirements for data protection compliance.

Roland Mathys:

In addition to industries that process sensitive data, such as healthcare, companies in data-intensive industries are more affected, such as hyperscalers and large platforms. In general, I believe that SMEs are more affected than large companies because they have done much less so far (e.g., GDPR) and do not have the same resources. 

Clara-Ann Gordon:

In my experience, companies that operate in B2B and are not regulated have the most catching up to do and therefore need to put more effort into nFADP compliance now. 

What about the industries in which you serve clients? 

In regulated areas industry-specific requirements must be complied with in addition to the nFADP – In banking, for example, banking secrecy applies – Also professions with secrecy protection (e.g., medical doctors and lawyers) are subject to additional regulations

Clara-Ann Gordon:

Together with my team I serve clients in various regulated sectors, such as banking and insurance, as well as the healthcare/pharmaceutical, telecom and energy sectors. There, in addition to the provisions of the nFADP, industry-specific requirements must be complied with.

Cornelia Stengel:

In the banking industry, this includes banking secrecy in particular, and insurance companies often also process highly sensitive personal data that needs to be protected. Plus, there are the supervisory framework conditions of financial market regulation and of (supervisory) authorities.  

Alexander Hofmann:

We are also active in industries that are regulated beyond the general data protection law with regard to the information processed, e.g., professions with secrecy protection that are subject to banking, medical, legal, or official secrecy. We also advise IT companies (IT hosting, public cloud, SaaS) that store, process, or secure data from third parties on a large scale on all issues of data and information law. 

How does the revised data protection law affect certain functions within a company?

Data protection deserves management attention

Alexander Hofmann:

In principle, data privacy and data security deserve the attention of the management. Therefore, they should give the topic top priority and assume responsibility for it.  

More specifically, who in the company should assume what additional responsibility?

Companies have to define new responsibilities, e.g., in corporate communications, IT, purchasing, and the legal department – The additional responsibilities are required due to, for example, new concepts such as privacy by design, and can touch upon criminal law

Alexander Hofmann:

In order to implement and continuously monitor the new obligations, a company has to define new responsibilities in various areas:  

• in corporate communications for the maintenance of the data privacy statement, website support, or marketing communications  
• in IT for ensuring data security or controlling data flows when using externally hosted systems  
• in purchasing for contracts with service providers or foreign transfers, and
• in the legal department for the examination of inquiries from individuals or the reporting of data protection violations   

Clara-Ann Gordon:

With our clients, we see that they are either completely reorganizing their responsibilities or organizing them in more detail due to the introduction of personal fines.  

Roland Mathys:

Numerous new instruments and concepts of the FADP, such as privacy by design/default and Data Protection Impact Assessments, ensure that the departments have to assume more responsibility. This responsibility can touch upon criminal law, as numerous other violations can be sanctioned under the nFADP. Unlike the GDPR, these are not administrative sanctions against the company, but penal sanctions against the persons acting on behalf of the company (e.g., data protection officer, compliance officer, CISO). 

Do companies now need to introduce new roles?

The formal nomination of a data protection officer would be economical for very few companies – There is a tendency to roll out data protection company-wide beyond Legal/Compliance – Outsourcing to a law firm or a specialized service such as DPOaaS is also an option

Cornelia Stengel: 

Let's take the Compliance and IT team as an example: For it to respond in a legally compliant manner to data subject inquiries (e.g., a person's request for information or deletion) or to a data security breach («data mishaps») in which personal data is lost, stolen or, destroyed, for example, clear internal processes and responsibilities should be defined – including the necessary resources. The same applies to IT security to prevent cyberattacks, data theft, and other data loss.

Alexander Hofmann:

The formal nomination of a so-called data protection advisor or data protection officer (commonly «DPO») would be economical for very few companies. Nevertheless, I expect that many establish a responsible role internally for the topic of data protection and security. This role may be located in IT or, in the case of larger companies with their own legal or compliance departments, there as well. Many companies will also outsource these tasks, either to a law firm or a specialized service (DPO-as-a-Service).

Roland Mathys:

Among the companies we advise, I notice a tendency not only to assign data privacy to Legal/Compliance, but to roll it out company-wide, e.g., through «privacy champions» in the individual departments. Plus, internal data protection officers are increasingly being appointed. 

Why is compliance with the new regulations important for a company's competitiveness? 

If a company doesn’t take data protection seriously, it risks loss of trust and reputational damage – This is also possible if data processing that is carried out correctly is perceived as ethically reprehensible – Clients and investors will pay more attention to data protection 

Roland Mathys: 

Today, data protection compliance is a seal of quality with which companies differentiate themselves. This can be seen, among other things, in the increasing importance of certifications such as ISO 27001 or the Digital Trust Label of the Swiss Digital Initiative. In Switzerland, if a company doesn’t take data protection seriously, it doesn’t primarily risk financial losses under the new law, but rather loss of trust and reputational damage, which is much more severe (e.g., meineimpfungen.ch).

Cornelia Stengel:

Even data processing that is carried out correctly and legally according to the nFADP can be perceived as negative by the persons concerned, for example, as ethically reprehensible, and can cause major reputational damage. In this context, we often speak of «perceived» data protection.  

Alexander Hofmann:

Private or corporate clients in more data-intensive areas or areas with sensitive personal data (e.g., healthcare) certainly need to keep a closer eye on compliance with data protection regulations.  

I also assume that investors in corporate financing and acquisitions (especially start-ups) pay more attention in their due diligence to how robust the business model is in terms of data protection. I am thinking, for example, of privacy by design in digital services, the company's general data protection compliance, and the data security architecture of technical solutions. 

What is the most important action companies should take in view of the new law?

A data processing register provides an overview of the processed data – Such a register is also valuable for SMEs – A 5-step action plan to prepare for the nFADP

Roland Mathys:

Gain an overview of which data is actually being processed in the company, ideally with a so-called data processing register. This lays the foundation for all further steps, such as gap analyses, prioritizations, and finally specific recommendations for action to close the gaps.

Alexander Hofmann:

A data processing register is also very valuable for SMEs, although it is not required to maintain one under art. 12 nFADP due to the so-called SME exemption. A helpful guide in seven steps for SMEs is available at https://dp-services.ch/umsetzung/.    

Cornelia Stengel:

For a company of any size that wants to take a pragmatic approach, an action plan with the following key points can be recommended:  

1. Create the mentioned data processing register. The larger the amount of personal data processed by a company and/or the more sensitive the personal data, the higher the data protection compliance requirements are.  
2. Raise awareness and sensitivity of all employees in connection with data processing.  
3. Create a data privacy statement or update the existing one in order to comply with the new transparency and information obligations.  
4. Ensure that the security of your IT systems and software applications meets the requirements of the new law.  
5. Review your contracts with clients, suppliers, and service providers as well as employees and amend them if necessary. 

What happens if a company is not ready on 1 September 2023?

A company that is not ready on 1 September risks violating the new FADP, including fines of up to CHF 250'000 – The fines are directed against the responsible natural person

Roland Mathys:

The new law entered into force on 1 September without a grace period. A company therefore risks violating the new FADP as of 1 September, which also includes breaches sanctioned with a fine of up to CHF 250’000. The FDPIC has informally stated that they will not file criminal charges immediately on day one, but will first provide clarification and advice. However, it is particularly unpleasant for a company if, for example, it becomes the victim of a cyber incident shortly after 1 September and it turns out during the processing and notification of the FDPIC that there are major deficiencies in data protection.

Cornelia Stengel:

Contrary to the EU GDPR, the sanctions in the form of fines of up to CHF 250’000 under the nFADP are not directed against the offending company, but against the natural person (e.g., data protection officer, managing director, board member) who is responsible for compliance with data protection. Intent, even if conditional, is punished.  

What legal consequences does a company risk if it does not comply with the provisions of the nFADP?

Civil law consequences if persons affected by a data breach file claims – Administrative consequences in the form of rulings issued by the FDPIC – Criminal sanctions, e.g., if false or incomplete information is provided

Clara-Ann Gordon:

In addition to the legal fine, administrative and civil proceedings are possible, e.g., a lawsuit by an affected person against the company.  

Roland Mathys:

A company risks civil law consequences if the persons affected by a data breach file claims (e.g., for correction, deletion, and compensation). Furthermore, the FDPIC can take administrative action and issue rulings, non-compliance with which can be sanctioned. Finally, individual offenses are subject to criminal sanctions, such as the provision of false or incomplete information, an inadequate data protection statement, and the violation of minimum data security requirements.

How high is the reputational risk?

Adequate data security helps prevent reputational damage – If this nevertheless happens as a result of a data breach, it often hits companies harder than the immediate legal consequences

Roland Mathys:

If data breaches become public, which will be the case more often with the new law (e.g., because of the obligation to report data security breaches), there is a risk of loss of trust and reputational damage that may be difficult to recover from. This often hits a company harder than the immediate legal consequences.

Alexander Hofmann:

The best way to prevent reputational damage is to ensure adequate data security. In my view, this is by far the most important measure. Every company should be aware of this by now: Data security should be taken very seriously. This does not in itself require a law that obliges you to do so.  

What do companies need to keep on the radar with regard to the nFADP?

The legal experts made it very clear: Compliance with the new regulations should not be underestimated. Today, data protection compliance is a seal of quality with which companies differentiate themselves. Those who do not take the issue seriously risk not only financial losses but also a loss of trust and reputational damage. Especially critical: if a company becomes the victim of a cyber incident shortly after 1 September and data protection deficiencies are revealed when the incident is dealt with.