The updated Swiss Federal Act on Data Protection (FADP): The key points at one glance
This is how the legal updates in Swiss data protection affect companies.
Due to rapid technological developments in recent years, the current Data Protection Act was no longer up to date. On September 25, 2020, the revised Swiss Federal Act on Data Protection (revFADP) was therefore passed by the parliament and has been in force since September 1, 2023.
Revision of the Data Protection Act in Switzerland (revFADP)
The requirements of the EU GDPR (EU General Data Protection Regulation) form the basis for the revision of the Swiss Data Protection Act. However, the Swiss law is not a 1:1 implementation of the GDPR, but mostly implements the data protection rule in a less formalistic and specific manner. Another difference is that the revision provides in part for much stricter sanctions, as well as extended information obligations and the requirement to create a processing directory.
The updated Swiss data protection law is intended to guarantee the protection of the personal and fundamental rights of natural people in Switzerland, as well as to protect their data when it is processed by private individuals or the state. On the other hand, data of legal entities is no longer protected by the new rules. The amendment is intended to ensure greater transparency and strengthen the right of self-determination over personal data. In addition, data processors should be made aware of risks in a preventive manner and thus be able to act more responsibly.
For companies, the revision means new obligations, especially with regard to the collection, loss or misuse of personal data.
The FADP revisions at a glance
Area of application: impact principle, representation and no data of legal persons
In the FADP, the geographical scope is now explicitly determined according to the so-called impact principle. This means that the law will also apply to companies based abroad if they process personal data and this data processing has an impact in Switzerland. However, the previous principles will remain in place for civil and criminal enforcement.
In addition, companies without a registered office in Switzerland may now be required to designate a representative in Switzerland if they process the personal data of individuals in Switzerland. This obligation is triggered if the data processing is related to the offering of goods or services (so-called targeting) or the behavioral monitoring of these persons. In addition, the processing must be extensive and regular and involve a high risk to the personality of the persons concerned.
In the future, the revFADP will no longer apply to data of legal entities. Fortunately, this Swiss peculiarity has thus been abolished. However, the effects in practice should not be overestimated, since B2B transactions, for example, also regularly involve the processing of data from natural persons (e.g. contact persons).
New personal data requiring special protection
The definition of personal data requiring special protection has been expanded compared to the current FADP and will in future also include data on ethnicity, genetic data and biometric data that uniquely identifies a natural person. Furthermore, the category of “personality profiles”, for which the same strict requirements apply as for particularly sensitive personal data, will not be included in the revFADP (but see the regulation on profiling below).
Regulation of profiling
The revised Data Protection Act now contains a legal definition of profiling that corresponds to the EU GDPR and was not included in the previous FADP. According to this definition, profiling is “any form of automated processing of personal data which consists of using such data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects relating to that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or change of location”.
In the preliminary draft, the Federal Council had originally proposed that profiling should in future always be permitted only with a justification, such as the consent of the data subjects. Certain statements in Parliament implied a similar understanding, although this Federal Council proposal did not find its way into the law. Thus, profiling would have to be permissible without consent also in the future. This also applies to so-called “high-risk profiling”, even though the debates in Parliament have led to some uncertainty and the issue is still likely to lead to discussions in the literature and case law. In our assessment, however, it can be assumed that Parliament did not want to deviate from the established basic concept of Swiss data protection law with regard to profiling (with high risk) either.
For private controllers, consent or other justification for profiling (with high risk) will thus only be required in the case of data processing that violates personal privacy. However, depending on the type and scope of profiling, this may be the case relatively quickly and thus consent or another justification ground may be required. Since there is often great uncertainty with regard to the justification of the overriding interest, it will not be uncommon to recommend obtaining consent in the future. If “high-risk profiling” must be assumed, then only explicit consent will suffice as a (possibly required) justification.
High-risk profiling was one of the main points of contention that almost caused the FADP revision to fail. The existence of high-risk profiling, in addition to the express nature of consent, is also relevant for the justification ground of creditworthiness checks (see below). The revised FADP defines high-risk profiling as follows:
“Profiling that entails a high risk to the personality or fundamental rights of the data subject by leading to a combination of data that allows an assessment of essential aspects of the personality of a natural person”.
Extended obligation to provide information
The obligation to provide information is greatly expanded compared to the previous law. Regrettably, however, the revFADP does not contain an exhaustive list of all mandatory information that must be provided to the data subject during procurement. It must therefore be examined on a case-by-case basis which information is required, whereby an orientation towards the catalog of the EU GDPR could be considered.
In any case, the following mandatory information must be provided as a minimum:
- The identity and contact details of the person responsible
- The purposes of the processing
- Iin the case of disclosure of data, the recipients or categories of recipients
- In the event of data being disclosed abroad, additionally the state or international body and, if applicable, the guarantee of appropriate data protection or the exception if no such guarantees exist
- In the case of indirect data collection (i.e., data not collected from the data subject himself), additionally the categories of personal data processed
- The execution of automated individual decisions, i.e., a decision that is based exclusively on automated processing and that involves a legal consequence for the affected person or significantly affects the person
Expansion of data subject rights
In addition to the obligation to provide information, the rights of data subjects are also further expanded in the revFADP. Similar to the GDPR, the data subject will now have a right to data disclosure and data transfer. Data subjects will be able to demand that the data they disclose be issued in a common electronic format or transferred to other providers. However, this right does not apply unconditionally. In particular, due to the legal requirements of the “common electronic format” and “proportionality,” it will have to be seen how often this right can actually be invoked by data subjects in the event of a dispute.
In addition, the data subject has a right of objection in the case of automated individual decisions (see obligation to provide information, above), according to which he or she may state his or her position on this and demand that the automated individual decision be reviewed by a natural person.
Rules for intra-group transfer of personal data – group privilege?
The future regulation of the transfer of personal data within a group of companies and thus the question of whether a so-called group privilege should be introduced was also the subject of discussion. Ultimately, however, such a group privilege only found its way into the new law in a very limited form. Although exceptions to the duty to inform and the right to information apply to the exchange of data within the group under the revFADP, an internal group transfer may still violate personal rights in the future and in this case may only be permissible if there is a justification. In this context, the special justification reason for intra-group processing only applies if the data in question and the way in which it is processed are relevant and necessary “for economic competition”. Intra-group processing must therefore always be carefully examined on a case-by-case basis to determine whether it is lawful.
Justification reason of the credit check
For the performance of a credit check, Art. 30 para. 2 lit. c revFADP sets out special, stricter conditions for the assumption of an overriding interest. Accordingly, a credit check is justified if:
- No particularly sensitive personal data is processed and no high-risk profiling is involved
- The data is only disclosed to third parties if they require it for the conclusion or performance of a contract with the data subject
- The data is not older than ten years
- The data subject is of legal age
Directory of all data processing
In the future – as under the GDPR – a directory of all data processing activities will also have to be kept under Swiss law (“directory of processing activities”). For most companies, keeping a data processing directory will presumably lead to the greatest effort during implementation, if appropriate measures for GDPR compliance have not already been taken. The great effort results from the fact that all data processing activities of the entire company must be recorded and precise details must be provided and continuously updated. The minimum content of this processing directory is prescribed by law for both the controller and the order processor.
The processing directory of the data controller must contain the following minimum information:
- The identity of the person responsible
- The purpose of the processing
- A description of the categories of data subjects and the categories of personal data processed
- The categories of recipients
- “If possible” the retention period of the personal data or the criteria for determining this period
- “If possible” a general description of the measures taken to ensure data security (appropriate technical and organizational measures to prevent breaches of data security)
- If the data is disclosed abroad, the indication of the state as well as the guarantees by which appropriate data protection is ensured
Other new obligations of the responsible person
Various other obligations associated with the processing of personal data have also been newly included:
- Data Breach Notification: Data breaches (e.g., data loss) that are likely to result in a high risk to the personality or fundamental rights of the data subject must be reported immediately to the FDPIC (Federal Data Protection and Information Commissioner) and, if applicable, to the data subject.
- Data protection impact analysis: If an intended data processing entails a high risk of violation of the personality or fundamental rights of a data subject, the controller is obliged to analyze the risks of such processing in a data protection impact assessment. The revFADP assumes that a high risk must be considered in particular when new technologies are used and extensive processing of personal data requiring special protection is carried out, or when extensive public areas are systematically monitored.
- Privacy-by-design and privacy-by-default: As in the GDPR, the principles of “data protection by design” and “data protection by default settings” are also explicitly enshrined in the revFADP. When processing personal data, appropriate technical and organizational measures must be taken “from the planning stage” that ensure the implementation of data protection principles (e.g., data minimization) in these systems (privacy-by-design). The default settings, for example for apps or websites, must also be designed in such a way “that the processing of personal data is limited to the minimum necessary for the intended purpose” (privacy-by-default).
Tightening of sanctions and expansion of the powers of the FDPIC
The revFADP provides for criminal sanctions in the form of a fine of up to CHF 250’000. In addition, the FDPIC can open an administrative investigation procedure and issue orders. Even if the FDPIC him or herself cannot order sanctions, failure to comply with an order of the FDPIC (e.g., the further processing of data despite a prohibition) is also subject to criminal sanctions of the same amount. The cantonal prosecution authorities will be responsible for enforcing the criminal sanctions. Finally, civil law actions for removal, injunction or damages are still possible.
In the legislative process, it was expressed that the criminal sanctions are mainly aimed at management persons and not at the executing employees. At the same time, however, it was not entirely ruled out that there may also be cases in which the sanction could be imposed on employees without a management function. Finally, in cases of infringements where a fine of CHF 50’000 is the maximum that can be imposed and the effort to identify the offending person within the business operations would be disproportionate, the company may be ordered to pay the fine instead of the natural person.
A detailed overview of the innovations compared to the EU GDPR can be found in this article by PwC Switzerland.
Key points for the obligation to provide information
According to Article 19 (“Obligation to provide information when obtaining personal data”), the responsible person is obliged to provide data subjects with adequate information about the obtaining of personal data. In addition, the data subject must be provided with all relevant information so that he or she can assert his or her rights under this Act and transparent data processing is ensured.
If the data is not procured from the data subject, the responsible person must inform the data subject of the categories of personal data processed by the time of disclosure or no later than one month after receipt of the data.
If the personal data is disclosed abroad, the responsible person must also inform the data subject of the state or international body.
The duty to inform may have implications for the whistleblowing process.
Welche Anpassungen sind notwendig, damit Ihr Whistleblowing-Prozess nDSG- & DSGVO-konform ist?
Create transparency and trust among your employees through clear communication about the processing of whistleblower and accused data. This will ensure that you continue to receive valuable information. Moreover, it is necessary to establish a fast and effective process flow for reporting data breaches. A digital whistleblower system enables the process flow for reports such as data breaches to be anonymous and protects the data of whistleblowers in the best possible way.
We recommend implementing the following measurements:
- Implement a digital whistleblower system: This is the only way to guarantee 100% anonymity of a whistleblower and still have the possibility of a continued anonymous dialog (two-way communication)
- If you have already implemented a digital whistleblowing system: Add a disclaimer to the reporting process. This must clearly draw attention to the obligation to disclose the identity of the whistleblower to the accused if the whistleblower decides to make a non-anonymous report. In this case, consent to the processing of personal data must be explicitly obtained. In addition, the whistleblower should be informed that this consent can be effectively revoked within 30 days. In order not to miss the 30-day deadline for informing the accused, it is also advisable to set up automatic reminders for the processing persons.
Other To Do’s for Swiss companies
Every company should prepare for the new law by gathering an overview of how personal data is processed and by conducting a risk assessment within the company. Swiss companies that process large volumes of personal data or data requiring special protection must organize their internal processes in such a way that it is clear who has access to which data and limit this access to the extent necessary. Existing data protection declarations and existing contracts with order processors should also be reviewed, adapted and a directory of processing activities drawn up.
Further tips for implementation:
- Create a data protection policy: A clear and understandable data protection policy helps to create transparency and promote trust among customers and business partners.
- Carry out a data protection audit: A regular audit helps to identify and rectify weaknesses in data processing.
- Use of data protection management tools: These tools assist in the management and documentation of data processing activities.
- Seek legal advice: Consult a specialist data protection lawyer to ensure that all legal requirements are met.
The latest revision of the Swiss Data Protection Act tightens the rules and ensures greater clarity in the handling of personal data for affected companies. With the harmonization with the GDPR and the recognition of rapid technological progress, Switzerland is well positioned for the coming years in terms of data protection and security. The effort involved in documenting data protection incidents and proactive risk assessments should not be underestimated. The use of a data protection management tool offers companies numerous advantages in the correct handling of and compliance with data protection laws (Swiss Data Protection Act, EU GDPR or the EU AI Act). With an intuitive solution like the EQS Privacy COCKPIT, you can comply with all data protection regulations, reduce costs and manual processes, manage your data protection compliance in one central location and benefit from a user-friendly platform that adapts flexibly to your needs.
Utilising an integrated compliance solution offers a fundamental advantage in obtaining in-depth insights.