The provisions of the new Swiss Federal Act on Data Protection (FADP) are similar to those of the EU General Data Protection Regulation (GDPR). However, there are a few substantial differences. This article highlights the most relevant changes in the Swiss data protection legislation, compares them to the GDPR, and explains which companies outside Switzerland are affected by the new law.
Swiss data protection law
The current Swiss Federal Act on Data Protection (FADP) originally dates back to 19 June 1992. It is no surprise that the FADP has undergone a complete revision to reflect technical and legislative changes of the past, in particular those made in the GDPR, which are very important to businesses that exchange personal data with companies in the EU. The new FADP was finally passed by the Swiss parliament on 25 September 2020. The Swiss Federal Council will soon decide when the new FADP will enter into force (very likely in 2022).
Apart from the new FADP, other laws are relevant in the context of governing data protection in Switzerland, such as the Swiss Unfair Competition Act, the Swiss Telecommunications Act and the Swiss Penal Code. However, the new FADP remains the primary legislation for data protection law and contains many changes compared to the old FADP.
Most relevant changes in Swiss data protection
The new FADP will only protect the data of natural persons and will no longer cover legal entities, which is in line with the provisions of the GDPR and most national data protection laws of EU Member States.
The new FADP requires data controllers to fulfil more enhanced information duties. Accordingly, they must inform individuals at the time of collection about their identity and contact information, the purpose of processing, the identity of any other recipients (in case of disclosure to third parties), the jurisdiction where the data is transferred to, and the applicable safeguards implemented in case of cross-border transfers.
The strict information duties of the data controller are comparable to those of the GDPR. In contrast, the new FADP additionally requires data controllers to disclose even the jurisdiction where they transfer personal data.
Where decision making is based solely on automated data processing that has legal effects on the data subject, the individual must have the right to have the decision reviewed. In addition, the new FADP introduces the concept of ‘high-risk profiling’, which requires explicit consent.
These strict rules are comparable to the ones envisaged in the GDPR. However, the provisions of the GDPR require a legal justification, such as consent, before any automated decision making or profiling may take place (not just for ‘high-risk’ profiling).
The new FADP requires data controllers and processors to keep a ROPA. An exception applies for companies with less than 250 employees if their data processing activities are a ‘low risk’. Under the GDPR, it is less likely to fall under one of the exceptions, i.e., only if data processing is occasional, and no special categories of data or data relating to criminal convictions and offences are processed.
While it was not necessary to close a data processing agreement between the controller and the processor under the old FADP, it is currently not strictly required. Generally, controllers may assign data processing activities to a processor either based on an agreement or by law. Yet, a processor may not engage a sub-processor without obtaining prior consent of the controller. This is fundamentally different to the GDPR, as the new FADP does not prescribe any minimum content requirements for a data processing agreement.
The new FADP obliges controllers to perform a DPIA if it appears that an envisaged data processing activity is likely to pose a high risk to a data subject’s fundamental rights. For instance, a data controller must conduct a DPIA when processing sensitive personal data. The obligations regarding DPIAs are similar to those indicated in the GDPR.
The FDPIC, the Swiss data protection authority, has increased duties and competencies under the new FADP. While it can issue good practice recommendations and render binding administrative decisions, it cannot impose any fines, as compared to data protection authorities within the EU/EEA.
In terms of sanctions, the new FADP foresees an expansion of the catalogue of penal provisions for individuals. Under some circumstances, fines of up to CHF 250,000 can be incurred by the person responsible for data processing within a company. Examples are the failure to comply with orders and duties related to information, disclosure or cooperation, or a breach of professional secrecy. In some cases, the prosecutor may decide to hold a business liable for the payment of a fine, if the fine does not exceed CHF 50,000 and if the breach is committed within a company.
The approach to impose fines also against individuals within a company is different from the GDPR. The latter primarily envisages administrative penalties to be levied against an organisation, which can be as high as EUR 20 million or 4% of the worldwide annual turnover of the legal entity and depending on the infringement.
Controllers who are not based in Switzerland, but who process the personal data of Swiss individuals, must designate a Swiss representative if one of the three situations apply.
- The processing is related to the offering of goods and services in Switzerland or the monitoring of their behaviour.
- The processing is extensive and takes place on a regular basis.
- The processing is likely to result in a high risk to the individual’s privacy.
The new obligations are comparable to the duty to designate an EU representative. According to the GDPR, it suffices to require the appointment of an EU representative, if the processing of EU citizens’ data takes place in the context of offering goods or services to them or monitoring their behaviour. That rule applies unless the processing is limited to the occasional, small-scale processing of non-sensitive personal data.
Main takeaways of the new Swiss data protection legislation
The changes to the new FADP make it more similar to the provisions of the GDPR. As the main takeaway, the new FADP strengthens individual rights and extends process rules. For instance, the new FADP requires that individuals expressly consent to the processing of personal data in case of ‘high-risk’ profiling by a private person or profiling by a public organ. As another example, with the new FADP, all genetic data is considered to belong to the ‘special category’ of data which are subject to a particular level of protection.
In the context of cross-border data transfers, the regime remains mostly unaffected. The Federal Council (instead of the FDPIC as under the old FADP) decides whether or not a jurisdiction provides an adequate level of data protection. Cross-border disclosure to any jurisdiction with a favourable adequacy decision is then allowed. In terms of data transfers to the U.S., the situation is similar to one of the EU. The Swiss-U.S. Privacy Shield is no longer a sufficient legal basis for transfers to the U.S. Instead, Swiss data controllers can base transfers to other countries on pre-approved standard contractual clauses (SCC) or binding corporate rules (BCR).
Relevance of the Swiss FADP for businesses in and outside Switzerland
Controllers and processors based in Switzerland or those involved in data transfers to and from Switzerland should consider these following points to make sure data exchanges remain lawful:
- Ensure that privacy policies and notices for compliance taking into account the extended information duties.
- Establish processes and practices to handle requests by individuals exercising their rights and make sure you respond and promptly notify data breaches.
- Keep and update records of processing activities (ROPA), as required by the new FADP.
- If necessary, review and amend data processing agreements between controllers and processors.
- Assess whether a representative in Switzerland is necessary.
Focus on your business
We take care of your data protection compliance!