Switzerland’s Federal Act on Data Protection (FADP) and the Ordinance to the Federal Act on Data Protection (the Ordinance) were revised in 2023 to better align with the General Data Protection Regulation.
In this guide, I describe the requirements companies must follow under the revised Swiss FADP and explain how these updates impact both businesses and consumers.
- Key Revisions to the Swiss FADP
- What Is Switzerland’s Federal Act on Data Protection (FADP)?
- Revised Swiss FADP vs. the Original FADP
- Who Does the Revised Swiss FADP Apply to?
- Who Does the Revised Swiss FADP Protect?
- How Does the Revised Swiss FADP Compare to the GDPR?
- How Can Termly Help With Swiss FADP Compliance?
- Summary
Key Revisions to the Swiss FADP
The revisions to Switzerland’s Federal Act on Data Protection create several changes regarding its territorial scope, consumer rights, and obligations for data processing.
The revised FADP includes:
- An explicit extraterritorial scope.
- An expansion of sensitive data to include genetic and biometric information.
- A requirement for certain foreign data controllers to appoint a representative in Switzerland.
- Coverage of natural persons as opposed to legal persons.
- Broader rights for individuals.
- A requirement for companies to notify individuals about any data processing.
- A requirement for some companies to create a register of their processing activities.
- New obligations surrounding the reporting and notification of a data breach.
What Is Switzerland’s Federal Act on Data Protection (FADP)?
Switzerland’s Federal Act on Data Protection (FADP) is the country’s leading data privacy and protection regulation.
It works in tandem with the Ordinance to the Federal Act on Data Protection (the Ordinance) and has been in force since 1993.
Why Was the Swiss FADP Revised?
Switzerland revised the FADP to align it more closely with the GDPR, the privacy law protecting individuals in the European Union (EU)/European Economic Area (EEA).
Aligning the Swiss FADP with the GDPR allows Switzerland to remain an adequate country for international data transfers from the EU.
The revisions also bring the FADP up to date with the modern digital landscape, because the internet looks very different today than it did in 1993, when the original law came into force.
To that end, the revised FADP outlines new obligations companies must follow to protect data.
When Did the FADP Revisions Take Effect?
The revised FADP and the revised Ordinance entered into force on September 1, 2023.
Entry into force followed the Federal Parliament's adoption of the revised FADP on September 25, 2020, and the Federal Council's adoption of the revised Ordinance on August 31, 2022.
Revised Swiss FADP vs. the Original FADP
The revised FADP differs from the older version of the law in scope, definitions, rights, and obligations for businesses.
Let's look deeper at the FADP and Ordinance revisions. The authoritative texts are available only in German, French, and Italian.
New Territorial Scope
Article 3 of the revised FADP explicitly provides for an extraterritorial scope.
In other words, the requirements of the law apply to entities outside of the territorial borders of Switzerland.
More specifically, the revised FADP applies to circumstances that have an effect in Switzerland, even if they are initiated abroad, including processing that impacts the privacy rights of the individuals protected by the law.
Expanded Definition of Sensitive Data
The revised Swiss FADP also updates the definition of sensitive data under the law by adding genetic and biometric data to the official category.
Broader Consumer Rights
Consumers under the revised FADP now have broader rights concerning their data privacy.
Article 25 (and what follows) of the new FADP and Article 16 of the revised Ordinance now provide individual rights that align more with the GDPR’s fairness and transparency principles.
Additionally, the revised FADP protects only the data of natural persons, whereas the original FADP protected the data of both natural and legal persons.
Updated Obligations Regarding Foreign Controllers
Article 14 of the revised FADP now requires controllers domiciled abroad that process the personal data of individuals in Switzerland to designate a representative in Switzerland if all of the following conditions are met:
- The processing relates to offering goods or services in Switzerland or to monitoring people's behavior in Switzerland.
- The processing is on a large scale.
- The processing is regular.
- The processing presents a high risk to individuals' personality or fundamental rights.
These conditions are cumulative: a foreign controller that meets only some of them does not need a Swiss representative.
Required Notification of Data Processing
Another change introduced by the revisions to the Swiss FADP impacts how entities notify individuals about data processing activities.
Under Article 19 of the revised FADP and Article 13 of the revised Ordinance, companies must inform individuals whenever they collect personal data, not only when they collect sensitive personal data.
Notification Obligations Regarding Data Breaches
Under Article 24 of the revised FADP and Article 15 of the revised Ordinance, companies must now report data security breaches to the Federal Data Protection and Information Commissioner (FDPIC).
However, the revised FADP still has a higher threshold for breach notification than the GDPR.
Swiss law requires you to notify the FDPIC only if the breach is likely to result in a high risk to the personality or fundamental rights of individuals.
The GDPR requires notification of the supervisory authority unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
Under Article 24 of the revised FADP, companies must also inform the individuals concerned by a security breach if:
- The FDPIC requests it.
- Such information is necessary for the individuals' protection.
Logging of Processing Activities
Additionally, companies must now keep logs of the storage, modification, reading, disclosure, and deletion of personal data.
According to Article 4 of the revised Ordinance, such logs are required for:
- Any automated processing of sensitive data on a large scale.
- High-risk profiling.
In both cases, the logging obligation applies only if preventive measures are not enough to guarantee the protection of the data. The logs must be kept for at least one year, separately from the system in which the personal data is processed, and must be accessible only to the bodies or persons responsible for verifying compliance with data protection requirements.
Data Protection Impact Assessments (DPIAs)
Under the revised Swiss FADP, companies must carry out Data Protection Impact Assessments (DPIAs) for certain data processing activities.
Specifically, under Article 22 of the FADP and Article 14 of the Ordinance, entities must perform a DPIA if the data processing is likely to result in a high risk for individuals’ personality and fundamental rights.
Updated Record Keeping Obligations
Much like the GDPR's Article 30 Records of Processing Activities, Article 12 of the revised FADP and Article 24 of the Ordinance also require some companies to maintain a record of their processing.
Entities with 250 or more employees, or that process personal data in a manner that poses more than a low risk to the personality of individuals (for example, large-scale processing of sensitive data or high-risk profiling), must maintain a register of their processing activities.
That record needs to include all of the following details:
- Identity of the controller
- Purpose for processing
- Categories of data subjects and categories of personal data processed
- Categories of recipients
- If possible, the retention period of data or the criteria to determine the retention period
- If possible, a description of measures taken to guarantee the security of personal data
- If transferred internationally, the name of the country and the transfer mechanism used
Internal Policies Regarding Processing Sensitive Data on a Large Scale
Another change introduced by the revisions to the FADP and the Ordinance impacts a company’s internal policies regarding sensitive data.
According to Article 5 of the revised Ordinance, companies must now create and maintain internal policies and procedures regarding any automated processing of:
- Sensitive data on a large scale.
- High-risk profiling.
Who Does the Revised Swiss FADP Apply to?
Any entity whose data processing has an effect in Switzerland must follow the revised FADP, regardless of where the entity is located or where the processing is initiated.
Because the revised scope is defined by the effect of the processing on individuals in Switzerland rather than by the location of the company, foreign businesses that offer goods or services to, or monitor the behavior of, people in Switzerland fall under the law.
Who Does the Revised Swiss FADP Protect?
The revised FADP protects the personal data of natural persons, meaning living human beings, regardless of their citizenship or residence status.
This represents a notable change, because the old FADP also protected the data of legal persons, such as companies and associations. The revised law no longer covers legal persons.
How Does the Revised Swiss FADP Compare to the GDPR?
The revised FADP has some notable differences with the GDPR.
Legal Basis
Under the revised Swiss FADP, the processing of personal data is generally permissible and does not require a legal basis like consent.
However, under the GDPR, all data processing requires a legal basis, making this a notable difference between the two pieces of legislation.
Data Protection Officers (DPOs)
Based on Article 10 of the revised Swiss FADP and Article 23 of the revised Ordinance, private entities are not required to appoint a data protection adviser (the Swiss equivalent of a data protection officer); appointing one is voluntary.
By contrast, Article 37 of the GDPR sets out several circumstances in which a controller or processor must appoint a DPO.
Fines and Penalties
The revised FADP adapted penalty provisions by increasing them rather steeply — from CHF 10,000 (€9,980/$11,391) to a new maximum of CHF 250,000 (€249,460/$284,906).
However, this is still much lower than the maximum fines for violating the GDPR.
Under the GDPR, the maximum fine is €20 million (CHF 19 million, $22 million).
In the case of a company, the penalty is up to 4% of its total annual worldwide turnover of the preceding business year, or €20 million, whichever is higher.
Unlike the GDPR, fines under the revised FADP target the employee(s) responsible for the violation more so than the company itself, which is another notable difference.
Data Breaches
Under the revised FADP, companies must report data breaches as soon as possible.
In contrast, the GDPR provides a 72-hour window.
Profiling and High-Risk Data Processing
Unlike the GDPR, the revised FADP does not require a legal basis such as consent for profiling in general.
Instead, it introduces the concept of high-risk profiling, i.e., profiling that may result in a high risk to the personality or fundamental rights of the individual, which triggers stricter obligations such as explicit consent where consent is relied upon, logging, and processing regulations.
Definition of Sensitive Data
Interestingly, the revised FADP’s definition of sensitive data is broader than the GDPR’s.
The Swiss FADP includes data on administrative or criminal proceedings and sanctions and social security measures, which are not included in the GDPR definition.
How Can Termly Help With Swiss FADP Compliance?
Termly offers tools and resources vetted by our legal team and data privacy experts to help make it easier for your business to meet the requirements outlined in laws like the FADP.
Our Privacy Policy Generator asks you simple questions about your business, its data processing activities, and the legal scopes you fall under, including the revised Swiss FADP and the GDPR.
It then makes a unique privacy policy based on your answers that you can easily publish on your website or app.
Summary
The Swiss Federal Act on Data Protection revisions introduced several significant changes regarding business obligations and consumer rights, better aligning it with the GDPR.
The law now has an explicit extraterritorial scope, protects natural persons only, and includes biometric and genetic data in its definition of sensitive data.
It also introduced a requirement for certain foreign controllers to appoint a Swiss representative and gave protected individuals broader rights over their personal data.
You can easily update your privacy policy to meet the standards outlined by the revised Swiss FADP using Termly’s Privacy Policy Generator.