What is FADP?
The Federal Act on Data Protection (FADP) aims to protect the privacy and the fundamental rights of persons when their data is processed.
The FADP came into force in 1992 - at a time when the Internet was not yet being used commercially and today's digital reality was not yet foreseeable. On 1 September 2023, the revised FADP came into effect. It includes changes aiming to better protect Swiss citizens’ personal data.
For example, companies have to justify why they collect information from their customers and to disclose with which third parties they share this information. Additionally, individuals now have the right to know how long their data will be stored and what purposes it will be used for. They can also request corrections of any inaccurate data without having to give a reason.
The new FADP compliance requirements
Any Swiss-based and international company that provides goods or services to Swiss citizens and organizations or processes sensitive data about them, such as medical records, genetic material, and political views, is subject to the new law. If a company has no physical presence in Switzerland, it is not exempt from the FADP requirements. It needs to designate a Swiss representative who acts as a point of contact for the supervisory authority and data subjects in Switzerland for all issues related to data processing.
«Data protection should not be seen as an obstacle that slows down the company's growth. The opposite is true: data protection creates trust and security on the path of the company's digital transformation.»
Revision of the FADP
The FADP was passed in 1992. However, the Swiss government realized that it needed to update the law to reflect modern security threats and to provide improved guidelines to companies for protecting sensitive information. Another goal was to harmonize the law with the EU’s General Data Protection Regulation (GDPR).
After several rounds of public comments, the revised version of the FADP was expected to take effect on 1 January 2022, but its entry into force was pushed back to 1 September 2023. The new FADP clearly aligns Swiss standards with EU standards. It ensures that the free movement of data with the European Union can be maintained, helping Swiss companies to remain competitive.
Five key changes to be aware of
Here are five key changes to the FADP and how they impact Swiss and international organizations:
Extended User Consent
The revised FADP focuses on end users’ awareness of how their data is used and on consent to data collection. When obtaining consent from the data subject, organizations must clearly communicate the rights and options the individual has. In addition, they must provide clear information about the collection, storage, processing, and use of the individual’s data, and they must act on the privacy preferences of individuals without asking for reasons or pressing them to reconsider.
Easier Subject Access Requests
The new FADP makes subject access requests easier for individuals as there is no need for them to provide any information about themselves or their connection with the person who processed their personal data. Any individual can ask for details about the personal data an organization collects and stores about them at any time, namely:
- What personal information an organization holds about an end user
- How they use it
- Who they share it with and
- How they collect the data
Any individual may object to the processing of their personal data if there is no legitimate interest in processing or if the person simply chooses not to share their information. Under certain circumstances, individuals are also able to restrict specific types of processing, such as automated decision-making or profiling.
Increased Severity of Sanctions
The revised law expands the powers of the Federal Data Protection and Information Commissioner (FDPIC) and increases the severity of sanctions against companies that fail to meet the new standards. However, unlike the European data protection authorities, the FDPIC itself has no sanctioning powers under the new law; offenders are fined by the cantonal prosecution authorities. Although the FDPIC may lodge a complaint and exercise the rights of a private plaintiff in the proceedings, he or she has no right to file a criminal complaint.
In the case of infringements, private persons can be fined up to CHF 250,000 depending on severity. Punishable are wilful acts and omissions, such as violation of duties to provide information and breaches of professional secrecy, but not negligence. In principle, the responsible natural person is fined. However, the company itself can also be fined up to CHF 50,000 if the investigation to determine the actual person responsible within the company would involve a disproportionate effort.
Data breach notifications
The new FADP requires organizations to communicate a cyberattack or a security breach to users, the FDPIC, and all potentially affected stakeholders as soon as possible, in order to avoid legal sanctions and further complications. The data controllers of an organization must take the following communication steps in case of a security incident:
- Notify the FDPIC immediately
- Explain the type of personal data breach
- Describe potential consequences of the data breach
- Explain remedy measures and mitigate risks for data subjects affected
- Notify the data subjects affected by the data breach
Privacy by Design and Default
As per the new law, organizations must take into account the latest data security and processing principles at the planning and design stage of applications, keeping the privacy of users in mind. This enables them to build security-first applications that ensure «privacy by design and default» rather than improving security and privacy features at a later stage or after a security incident.
Further important changes
- Only the data of natural persons is now covered.
- The definition of «sensitive personal data» includes genetic and biometric data.
- Data Protection Impact Assessments (DPIA) must be conducted if there is a high risk to the privacy or fundamental rights of data subjects.
- Keeping a register of processing activities is mandatory. Exemptions are possible for SMEs whose data processing presents limited risk to the data subject.
GDPR vs. new FADP
While the GDPR and the FADP have many similarities (e.g. strict sanctions for violations, breach notification requirements, and a focus on data privacy and protection), there are also some key differences:
| | New FADP | GDPR |
|---|---|---|
| Designation of a Data Protection Officer | Not mandatory but recommended. | Mandatory according to art. 37 GDPR. |
| Data breach notifications | Mandatory reporting as soon as possible. | Mandatory reporting within 72 hours. |
| Sanctions | Up to CHF 250,000 against responsible private persons. | Up to EUR 20 million or 4% of the company’s worldwide annual revenue. |
| Cross-border data transfers | Adequacy is determined by the Swiss Federal Council. EU standard contractual clauses and binding corporate rules can be applied. | Adequacy is determined by the European Commission. Standard contractual clauses and binding corporate rules. |
| Records of processing activities | Includes a list of export countries. | Includes all information specified in art. 30 GDPR. |
| Data Protection Impact Assessment | Consultation of a Data Protection Officer instead of the FDPIC is possible in case of high risk despite measures taken. | Duty to consult the supervisory authority in case of high risk despite measures taken. |
Why is it so important to comply with the new FADP?
- Failure to comply can result in significant fines as well as reputational damage.
- Compliance helps organizations to build trust with their customers and to show their commitment to protecting personal data.
- Compliance helps to ensure that individuals' personal data is handled in a responsible and secure manner and that individuals have control over how their data is used.
- Compatibility with EU law: the new FADP is intended to ensure that the free movement of data with the European Union can be maintained, helping Swiss companies to remain competitive.
What is the first thing a company should do in view of the new FADP?
- Prioritize the protection of data.
- Perform a data protection gap analysis:
  - Analyze the current situation in terms of data protection.
  - Identify any potential weaknesses and risks related to data protection.
  - Define a roadmap for mitigating the risks and implementing measures.
- Appoint a Data Protection Officer (DPO) who is responsible for monitoring compliance with the Swiss FADP and other data protection laws, and for providing advice and guidance on data protection.
- Keep records of all processing activities (data processing register).
- Define internal practices and procedures for storing, using, transferring, and destroying data in compliance with the new law.
- Define processes for Subject Access Requests, handling of data breaches and Data Protection Impact Assessments.
- Educate all employees on the new FADP and privacy-related issues.