Having served as Switzerland’s main data protection regulations for decades, the Federal Act on Data Protection and its accompanying Ordinance are now getting an update.
The revisions to the Swiss FADP provide more practical implementation requirements and better align it with the European Union’s (EU) General Data Protection Regulation (GDPR).
In this guide, I compare new requirements companies must follow under the revised Swiss FADP and explain how the updates impact businesses and their consumers.
- Key Revisions to the Swiss FADP
- What Is Switzerland’s Federal Act on Data Protection (FADP)?
- Revised Swiss FADP vs. the Original FADP
- Who Does the Revised Swiss FADP Apply to?
- Who Does the Revised Swiss FADP Protect?
- How Does the Revised Swiss FADP Compare to the GDPR?
- How Can Termly Help With Swiss FADP Compliance?
Key Revisions to the Swiss FADP
The revisions to Switzerland’s Federal Act on Data Protection create several changes regarding its territorial scope, consumer rights, and obligations for data processing.
The revised FADP includes:
What Is Switzerland’s Federal Act on Data Protection (FADP)?
Switzerland’s Federal Act on Data Protection (FADP) is the country’s leading data privacy and protection regulation.
It protects the nation in tandem with the Ordinance to the Federal Act on Data Protection, or the Ordinance, and has been in place since 1993.
Why Was the Swiss FADP Revised?
The Federal Council of Switzerland revised the FADP to align with the GDPR.
This alignment allows Switzerland to remain an adequate country for international data transfers from the EU.
The revisions also allow the FADP to better account for our modern digital landscape, as the internet looks very different today than it did in 1993.
To that end, the revised FADP also outlines new obligations companies must follow to protect personal data.
When Do the FADP Revisions Take Effect?
The revised FADP and the revised Ordinance entered into force on September 1, 2023.
This announcement follows the Federal Parliament’s adoption of a revised version of the FADP on September 25, 2020, and the Federal Council’s adoption of the revised version of the Ordinance on August 31, 2022.
Revised Swiss FADP vs. the Original FADP
Let’s look deeper at the FADP and Ordinance revisions — currently only available in French, German, and Italian.
New Territorial Scope
Article 3 of the revised FADP explicitly provides for an extraterritorial scope.
In other words, the requirements of the law apply to entities outside of the territorial borders of Switzerland.
More specifically, the revised FADP covers any data processing that may have some effect in Switzerland, including impacting the privacy rights of the individuals under the law.
Expanded Definition of Sensitive Data
The revised Swiss FADP also updates the definition of sensitive data under the law by adding genetic and biometric data to the official category.
Broader Consumer Rights
Consumers under the revised FADP now have broader rights concerning their data privacy.
Article 25 (and what follows) of the new FADP and Article 16 of the revised Ordinance now provide individual rights that align more with the GDPR’s fairness and transparency principles.
Additionally, the revised FADP now protects only the data of natural persons, whereas the original FADP also protected the data of legal persons.
Updated Obligations Regarding Foreign Controllers or Processors
Article 14 of the revised FADP now requires foreign companies that act as controllers and process the personal data of Swiss individuals to have a representative in Switzerland if:
- The processing is regarding offering goods and services or monitoring people’s behavior in Switzerland.
- The processing is on a large scale.
- The processing is considered regular.
- The processing presents a high risk for individuals’ personality or fundamental rights.
Required Notification of Data Processing
Another change introduced by the revisions to the Swiss FADP impacts how entities notify individuals about data processing activities.
Under Article 19 of the revised FADP and Article 13 of the revised Ordinance, companies must inform individuals of any data processing, not only the processing of sensitive data.
Notification Obligations Regarding Data Breaches
Under Article 24 of the revised FADP and Article 15 of the revised Ordinance, companies must now report data breaches to the Federal Data Protection and Information Commissioner (FDPIC).
However, the revised FADP still has a higher threshold for breach notification than the GDPR.
For example, Swiss law requires you to notify people if the breach causes a high risk to the personality or fundamental rights of individuals.
The GDPR requires a breach notification for any risk to the rights and freedoms of individuals.
Under Article 24 of the revised Ordinance, companies must also inform individuals concerned by a security breach if:
- The FDPIC demands it.
- Such information is relevant for the individuals’ protection.
Additionally, companies must now keep specific records regarding the recording, modification, consultation, communication, and erasure of personal data.
According to the revised Article 4 of the Ordinance, such records are required:
- For any automated processing of sensitive data on a large scale.
- For high-risk profiling.
- If preventive measures aren’t enough to guarantee the protection of the data.
Data Protection Impact Assessments (DPIAs)
Under the revised Swiss FADP, companies must carry out Data Protection Impact Assessments (DPIAs) for certain data processing activities.
Specifically, under Article 22 of the FADP and Article 14 of the Ordinance, entities must perform a DPIA if the data processing is likely to result in a high risk for individuals’ personality and fundamental rights.
Updated Record Keeping Obligations
Much like the GDPR’s Article 30 Records of Processing Activities, the revised FADP Article 12 and Ordinance Article 24 also require some companies to maintain a record of their processing.
Entities with more than 250 employees, or that process personal data in a manner that poses risks to the personality of individuals, must maintain a register of their processing activities.
That record needs to include all of the following details:
- Identity of the controller
- Purpose for processing
- Categories of data subjects and categories of personal data processed
- Categories of third parties
- If possible, the retention period of personal data or the criteria to determine the retention period
- If possible, a description of measures taken to guarantee the security of personal data
- If transferred internationally, the name of the country and the transfer mechanism used per Article 16
Internal Policies Regarding Processing Sensitive Data on a Large Scale
Another change introduced by the revisions to the FADP and the Ordinance impacts a company’s internal policies regarding sensitive data.
According to Article 5 of the revised Ordinance, companies must now create and maintain internal policies and procedures regarding any automated processing of:
- Sensitive data on a large scale.
- High-risk profiling.
Who Does the Revised Swiss FADP Apply to?
Any entity that processes data of individuals within Switzerland must follow the revised FADP.
If processing the data could pose an actual or potential effect in Switzerland, then that processing must follow the obligations outlined by the revised FADP.
The revisions account for any effects the processing could have on individual rights, hence the FADP’s updated scope.
Who Does the Revised Swiss FADP Protect?
The revised FADP protects the data of natural persons in Switzerland.
Natural persons refer to any living human, regardless of their citizenship status. In other words, the revised FADP protects any human in Switzerland.
The FADP used to protect legal persons, which refers to the individual’s citizenship status.
How Does the Revised Swiss FADP Compare to the GDPR?
The revised FADP has some notable differences with the GDPR.
Under the revised Swiss FADP, the processing of personal data is generally permissible and does not require a legal basis like consent.
However, under the GDPR, all data processing requires a legal basis, making this a notable difference between the two pieces of legislation.
Data Protection Officers (DPOs)
Based on Article 10 of the revised Swiss FADP and Article 23 of the revised Ordinance, entities don’t need to appoint a data protection officer (DPO).
Fines and Penalties
The revised FADP adapted penalty provisions by increasing them rather steeply — from CHF 10,000 (€9,980/$11,391) to a new maximum of CHF 250,000 (€249,460/$284,906).
However, this is still much lower than the maximum fines for violating the GDPR.
Under the GDPR, the maximum fine is €20 million (CHF 19 million, $22 million).
In the case of a company, the penalty is up to 4% of its total annual worldwide turnover of the preceding business year, or €20 million, whichever is higher.
Unlike the GDPR, fines under the revised FADP target the employee(s) responsible for the violation more so than the company itself, which is another notable difference.
Under the revised FADP, companies must report data breaches as soon as possible.
In contrast, the GDPR provides a 72-hour window.
Profiling and High-Risk Data Processing
Unlike under the GDPR, processing personal data for profiling under the revised FADP does not require a legal basis such as consent.
Instead, it falls under the requirement of high-risk profiling, i.e., processing that may result in high risk for the personality and fundamental rights of the individual.
Definition of Sensitive Data
Interestingly, the revised FADP’s definition of sensitive data is broader than the GDPR’s.
The Swiss FADP includes data on administrative or criminal proceedings and sanctions, and data on social security measures, neither of which is included in the GDPR definition.
How Can Termly Help With Swiss FADP Compliance?
Termly offers tools and resources vetted by our legal team and data privacy experts to help make it easier for your business to meet the requirements outlined in laws like the FADP.
The Swiss Federal Act on Data Protection revisions introduced several significant changes regarding business obligations and consumer rights, better aligning it with the GDPR.
As a reminder, here’s a summary of the changes:
- The FADP now has an explicit extraterritorial scope.
- Biometric and genetic data are now part of the category of sensitive data.
- Foreign controllers or processors must now appoint a Swiss representative.
- The FADP now only covers natural persons.
- Individuals have broader rights.
- Companies must notify individuals about any data processing.
- Companies meeting specific standards must perform and maintain a register of their processing activities.
- There are new obligations regarding the reporting and notification of a data breach.