Swiss Federal Act on Data Protection 2023 in a nutshell

To cope with the growing need for data and information security, the Swiss Federal Council has announced a revised version of the Federal Act on Data Protection, effective 1 September 2023. Here is everything you need to know about the new law.

The revised Federal Act on Data Protection (new FADP) replaces the current law adopted in 1992. The first FADP came into force at a time when the Internet was not yet used commercially and today's digital reality was not yet foreseeable. The new FADP comes into effect on 1 September 2023 and includes changes aimed at better protecting Swiss citizens’ personal data.

For example, companies have to justify why they collect information from their customers and disclose which third parties they share it with. Individuals will also have the right to know how long their data will be stored and for what purposes it will be used, and they can request the correction of inaccurate data without having to give a reason.

The new FADP compliance requirements

Once in force, the new law applies to any Swiss-based or international company that provides goods or services to Swiss citizens and organizations, or that processes sensitive data about them, such as medical records, genetic material, and political views. A company with no physical presence in Switzerland is not exempt from the FADP requirements: it will need to designate a Swiss representative who acts as the point of contact for the supervisory authority and for data subjects in Switzerland on all matters related to data processing.

Revision of the FADP

The FADP was passed in 1992 and is still in effect today. However, the Swiss government recognized that the law needed updating to reflect modern security threats and to give companies better guidance on protecting sensitive information. Another goal was to harmonize the law with the EU’s General Data Protection Regulation (GDPR).

After several rounds of public consultation, the revised FADP was expected to take effect on 1 January 2022, but its entry into force was pushed back to 1 September 2023. The new FADP clearly aligns Swiss standards with those of the EU, ensuring that the free movement of data with the European Union can be maintained and helping Swiss companies remain competitive.

Five key changes to be aware of

Here are five key changes to the FADP and how they will impact Swiss and international organizations:

1. Extended User Consent

The revised FADP focuses on end users’ awareness of how their data is used and on consent to data collection. When obtaining consent from a data subject, organizations must clearly communicate the rights and options the individual has. They must also provide clear information about the collection, storage, processing, and use of the individual’s data, and act on the individual’s privacy preferences without asking for reasons or pressing them to reconsider.

2. Easier Subject Access Requests

The new FADP makes subject access requests easier for individuals: they no longer need to provide any information about themselves or about their connection with the party that processed their personal data. Any individual can ask at any time for details about the personal data an organization collects and stores about them, namely:

  • What personal information an organization holds about an end user
  • How they use it
  • Who they share it with
  • How they collect the data

Any individual may object to the processing of their personal data if there is no legitimate interest in the processing or if they simply choose not to share their information. Under certain circumstances, individuals can also restrict specific types of processing, such as automated decision-making or profiling.

3. Increased Severity of Sanctions

The revised law expands the role of the Federal Data Protection and Information Commissioner (FDPIC) in enforcement and increases the severity of sanctions against companies that fail to meet the new standards. Unlike the European data protection authorities, however, the FDPIC has no sanctioning powers of its own under the new law: offenders are fined by the cantonal prosecution authorities. Although the FDPIC may lodge a complaint and exercise the rights of a private plaintiff in the proceedings, he or she has no right to file a criminal complaint.

Infringements by private persons can be fined up to CHF 250,000, depending on severity. Wilful acts and omissions, such as breaches of the duty to provide information and of professional secrecy, are punishable; negligence is not. In principle, the responsible natural person is fined. However, the company itself can be fined up to CHF 50,000 if identifying the actual person responsible within the company would involve a disproportionate effort.

4. Breach Notifications

The new FADP requires organizations to report a cyberattack or security breach to users, the FDPIC, and all potentially affected stakeholders as soon as possible in order to avoid legal sanctions and further complications. In the event of a security incident, an organization's data controllers must take the following communication steps:

  1. Notify the FDPIC immediately
  2. Explain the type of personal data breach
  3. Describe potential consequences of the data breach
  4. Explain the remedial measures taken and mitigate the risks for the affected data subjects
  5. Notify the data subjects affected by the data breach

5. Privacy by Design and Default

Under the new law, organizations must take the latest data security and processing principles into account at the planning and design stage of applications, keeping user privacy in mind. This enables them to build security-first applications rather than adding security and privacy features at a later stage or only after a security incident.

Further important changes

  • Only the data of natural persons is now covered.
  • The definition of «sensitive personal data» includes genetic and biometric data.
  • Data Protection Impact Assessments (DPIA) must be conducted if there is a high risk to the privacy or fundamental rights of data subjects.
  • Keeping a register of processing activities is mandatory. Exemptions are possible for SMEs whose data processing presents limited risk to the data subject.

GDPR vs. new FADP

While the GDPR and the FADP have many similarities (e.g. strict sanctions for violations, breach notification requirements, and a focus on data privacy and protection), there are also some key differences:

Topic | New FADP | GDPR
--- | --- | ---
Designation of a Data Protection Officer | Not mandatory but recommended. | Mandatory according to art. 37 GDPR.
Data breach notifications | Mandatory reporting as soon as possible. | Mandatory reporting within 72 hours.
Sanctions | Up to CHF 250,000 against responsible private persons. | Up to EUR 20 million or 4% of the company’s worldwide annual revenue.
Information duties | The list of minimum privacy policy content is shorter, but all countries to which personal data are transferred must be specified. | Art. 13 GDPR defines the minimum content of a privacy policy.
Data exports | Adequacy is determined by the Swiss Federal Council. EU standard contractual clauses and binding corporate rules can be applied. | Adequacy is determined by the European Commission. Standard contractual clauses and binding corporate rules can be applied.
Records of processing activities | Includes a list of export countries. | Includes all information specified in art. 30 GDPR.
Data Protection Impact Assessment | Consultation of a Data Protection Officer instead of the FDPIC is possible in case of high risk despite measures taken. | Duty to consult the supervisory authority in case of high risk despite measures taken.

FADP Compliance Tips

Here are a few recommendations on which aspects to focus on when working towards compliance or to ensure continued compliance:

  • Prioritize the protection of data.
  • Communicate with those whose data you collect in a clear and understandable manner.
  • Define internal practices and procedures for storing, using, transferring, and destroying data in compliance with the new law.
  • Find out if your company will be subject to supervision by the FDPIC.
  • Educate all employees on the new FADP and privacy-related issues.
  • Report any suspected violations to the FDPIC. If you are unsure what steps to take, consult an attorney who specializes in data privacy. It is essential to be compliant before 2023.
  • Increase transparency, giving users higher control over the use of their data.

Published November 16, 2022

Written by

Yasin Küçükkaya

Data Protection Officer