Swiss Federal Data Protection Act

The Revised Federal Data Protection Act: a comprehensive overview

    iusblog
    • 11 October 2023

    Article 13 of the Swiss Constitution of 18 April ensures the right to privacy. The primary component of the federal statutory framework for the protection of personal data is the Federal Act on Data Protection (FADP),[1] which is the primary data privacy and protection law in Switzerland. Since 1993, it has been protecting the nation with the Ordinance to the Federal Act on Data Protection (FODP).[2] The FADP and FODP govern the data processing operations of private individuals and federal agencies, whilst cantonal and municipal agencies are governed by cantonal data protection regulations and controlled by cantonal data protection commissioners.

    The updated Data Protection Act (revFADP) and its implementing Ordinance (revFODP) went into effect on September 1, 2023, following a six-year legislative process. The modification addresses technical changes, integrates Swiss data protection legislation with current international data protection requirements, including the GDPR, and enables Switzerland to maintain its status as an EU-compliant data protection country.

    New modifications introduced by the revFADP

    There are several changes implemented by the new Act on Data Protection, the most relevant ones include:

    1. The new federal law solely applies to the protection of personal data for natural people or individuals. It no longer applies to the data of legal entities (associations, foundations, trading companies, et cetera).
    2. The notion of sensitive personal data (union membership, health, political ideas, etc.) also encompasses genetic and biometric data (fingerprints, DNA, etc.) that may be used to uniquely identify an individual.
    3. A private corporation may hire a data protection counselor, whereas federal agencies are required to do so. They will have no contractual tie with the organization. Their duty is to advise, train, help create, and then implement personal data protection procedures.
    4. In the case that data processing is considered to pose a major danger to the basic and personal rights of users, the new FADP mandates an impact assessment.
    5. The obligation to disclose has been reinforced. To guarantee transparency, the data manager responsible for the private processing of data must notify the user of the gathering of all of their personal information, not only their sensitive information.
    6. All operations pertaining to data processing must now be recorded in a log. Only small and medium-sized enterprises (SMEs) with less than 250 workers are excluded, since their data processing does not pose a considerable risk of violating personal or basic rights.
    7. The Federal Data Protection and Information Commissioner (FDPIC) must be quickly notified in the case of a data security breach that is likely to pose a high danger to the data subject’s personality or fundamental rights.
    8. The new legislation introduces profiling. It relates to the processing of personal data using automated means.
    9. The new Swiss FADP sets a maximum fine of 250,000 Swiss francs for violations of the requirement to inform, notify, or report, as well as the duty of care or discretion.[3]

    Incorporated within the Swiss FADP are two additional data protection principles:

    1. Privacy by Design, also known as data protection by design, which describes the fact of taking into account, starting from the design of apps or other media, the protection of users’ data and respect for their privacy; and
    2. Privacy by Default, which stipulates that the processing of personal data must be restricted to what is necessary for the intended purpose. Therefore, companies must acquire additional permission to process other data.

    Main similarities with the GDPR

    Among the main similarities with the EU General Data Protection Regulation:

    • The definition of personal data under both legislation is essentially same. And only information pertaining to natural people is protected.
    • A corporation is required to tell users about the processing of their data via a privacy statement and only process data with the user’s consent (but the conditions under the GDPR are much stricter).
    • Akin to the right to access data under the GDPR, revFADP allows users the right to seek access to their personal information that the firm is processing within 30 days. And the revFADP’s right to object encompasses the GDPR’s objection, deletion, and restriction rights that prohibit data processing.
    • A corporation is required to maintain a record of processing actions, which must include a list of countries and third parties to whom user data is shared.
    • Both acts require a corporation to establish the necessary technological and organizational safeguards to ensure data protection.
    • Transferring user data to nations with a suitable degree of data security is required (however, data can still be transferred if sufficient safeguards have been undertaken to compensate the gap in data protection).
    • Data controllers and processors are obligated to notify data breaches, however the Swiss statute does not specify a timetable and instead uses the phrase “as soon as practicable.”

    As may be seen, the general points are rather similar. The good news is that if your organization already processes the data of European Union users, it must already comply with the GDPR. In this instance, your IT system does not require extensive enhancements.

    Main differences with the GDPR

    Among the main differences with the EU General Data Protection Regulation:

    • The GDPR specifies nine categories of sensitive personal data, and the revFADP adds two more: data on administrative or criminal processes and penalties, and data pertaining to social security measures.
    • The revFADP is founded on the idea that a private individual may treat personal data, but the GDPR grants this right to a private individual only in exceptional circumstances.
    • As a result of the aforementioned premise, the revFADP imposes a maximum penalties of CHF 250,000 on individual persons (as opposed to organizations under the GDPR). If the accountable party cannot be identified, the corporation may be penalized up to CHF 50,000. Once the law goes into effect, the viability of this strategy will be evaluated.
    • Territorial scopes of the acts differ, with the Swiss one being larger and referring to the “effects doctrine”, which in brief may be characterized as a data processing activity that has an influence in Switzerland, regardless of where it took place.
    • The GDPR demands justification and user consent for the processing of all personal data, whereas the revFADP requires informed and express user agreement for the processing of sensitive data and profiling.
    • The revised Data Protection Act does not mandate the appointment of a data protection officer; this post is voluntary and is known as a “data protection adviser.”
    • The GDPR is a supranational rule enforced throughout the EU, with independent public authorities in each member state responsible for overseeing its application. The revFADP is a federal legislation that imposes obligations on the federal government and business sector, but not cantonal governments. However, collaboration between the federal and cantonal data protection agencies is effective and well-established.

    Clearly, the distinctions are evident. Despite the fact that the GDPR served as the foundation for the revFADP, the variations between the Swiss and European systems resulted in the adoption of other elements that were distinct. After the legislation goes into effect, there will undoubtedly be a period of unrest, after which we will be able to evaluate its benefits and cons.

    Conclusion

    The updated Swiss Data Protection Act is a robust and comprehensive legal instrument that protects the privacy rights of individuals, encourages openness, and assures responsibility. With tighter requirements and hefty punishments for deliberate violations, the revFADP makes it very obvious that data privacy is a key concern in Switzerland.

    In a fast evolving technology environment, it is vital that data protection legislation remain current. The revised Data Protection Act answers this challenge by establishing a comprehensive legal framework that covers the complexity provided by evolving technologies and their influence on the privacy of personal data. By adhering to international standards, Switzerland underlines its steadfast commitment to protecting personal data and reinforces its status as a nation that places a premium on privacy.

    References

    1. https://www.fedlex.admin.ch/eli/cc/1993/1945_1945_1945/en
    2. https://www.fedlex.admin.ch/eli/oc/2022/568/fr
    3. https://www.espacedroit.ch/en/topics/devoir-de-diligence-en/
    In this article:
    ,,,
    Post written by:
    I'm Brian F. G. Fabrègue, Ph.D Candidate in Financial Law at the University of Zurich. I'm currently working as Chief Legal Officer for Retreeb, a revolutionary and ethical Swiss financial company. My legal areas of expertise are International Taxation, Financial Regulation and Corporate Law.
    Previous Article
    Next Article
    You May Also Like