5 minute read 28 Feb 2023

A new Era for Data Protection in Switzerland – Are you ready?

By Konrad Meier

Senior Manager, AI Law Leader in Financial Services | EY Switzerland

Solution-oriented financial services lawyer with an entrepreneurial mindset.


Switzerland enters a new era of data protection as the revised Federal Data Protection Act (revFADP) comes into force on September 1, 2023.

In brief
  • The Swiss revFADP modernizes Swiss data protection law and essentially adopts the European GDPR standards, with a “Swiss finish” in certain areas. The implementing provisions of the Ordinance to the FADP and the Ordinance on Data Protection Certification will enter into force together with the revised law on September 1, 2023.

The revFADP enters into force on September 1, 2023 and substantially revises the Swiss data protection law of 1992. The revised law strengthens the rights of consumers regarding their data and aligns Swiss data protection law with the EU GDPR. There are two corresponding ordinances coming into force together with the revFADP: the implementing provisions of the Ordinance to the Federal Data Protection Act and the revised Ordinance on Data Protection Certification.

The Swiss Federal Council highlighted the “risk-based” approach that guides the revision: businesses should assess the risks to data subjects throughout the data lifecycle and mitigate them accordingly. For companies already compliant with the GDPR, implementing the revised act will be easier; nonetheless, the revFADP comes with a “Swiss finish” in certain areas.

The scope of application now coincides with the GDPR: the law applies to the processing of personal data of natural persons. Data of legal entities are no longer included. The definition of sensitive data has been extended to include genetic and biometric data, the processing of which now also requires explicit consent.

Newly introduced are the principle of privacy by design, i.e. data protection through technology design (for example through the use of privacy-preserving synthetic data or other privacy-enhancing technologies), and the principle of privacy by default, which means processing only the data necessary to serve a specific purpose. Companies need to review their applications and services and make adjustments where necessary. In light of potential data subject information requests, it is advisable to structure customer data in a way that allows a company to comply, e.g. by providing copies of personal data, without having to redact the personal data of other customers.

Under the revFADP private businesses can designate a data protection advisor (DPA). This can come with an advantage: where businesses choose to do so, and where the DPA is sufficiently independent, businesses may solely rely on internal advice without having to consult the Federal Data Protection and Information Commissioner (FDPIC) in some cases, e.g., when conducting a Data Protection Impact Assessment (DPIA). Although optional, companies should consider the possibility of appointing a DPA for their organization and weigh the pros and cons. Companies should then amend internal policies to reflect the respective roles and responsibilities of a DPA.

The revFADP now requires all data controllers and data processors to keep records of processing activities (ROPA). While businesses with fewer than 250 employees and low-risk processing activities are exempted, all others must maintain and regularly review their ROPA. The controller's ROPA must, among other things, include the purpose of processing, the categories of data processed, and the storage period or the criteria used to determine this period. A well-organized and up-to-date ROPA can serve as the centerpiece of an organization's data strategy and support compliance with various other privacy requirements (e.g., the provision of transparent privacy notices to consumers).

According to the revFADP, a DPIA must be conducted whenever the intended data processing may lead to a high risk to the data subject’s personality or fundamental rights; in such a case the controller must conduct the DPIA before the processing begins. If the DPIA reveals that the processing still results in a high risk despite the safeguarding measures taken, the controller must obtain an opinion from the FDPIC. While the FDPIC’s opinions do not need to be published, they are subject to the Freedom of Information Act and may therefore partially become public knowledge. However, as already mentioned, this consultation may be dispensed with if the organization has appointed a DPA.

Further, data breaches must now be reported to the competent supervisory authority. Accordingly, all data breaches must be documented, and it must be assessed whether the breach results in a high risk for data subjects. If that is the case, the controller must report the breach to the FDPIC as soon as possible. The GDPR sets a lower threshold here: breaches posing a simple risk must be reported too, and notification must be made within 72 hours. In light of the revFADP, it is recommended to update internal data breach incident management policies and procedures to reflect the additional requirements.

Under the revFADP, profiling is now explicitly regulated. Profiling is defined as any form of automated processing of personal data to assess personal aspects of a natural person. Where profiling involves a high risk, or is carried out by a federal body, consent must be given explicitly. Data subjects may be informed about (high-risk) profiling in privacy notices in order to ensure transparency. A separate communication or FAQs on a website can further increase trust.

The revFADP fines responsible private persons up to CHF 250,000 for willful acts or omissions violating the act. Breaches of the duty to provide information as well as violations of professional confidentiality are fined upon complaint. Failure to comply with the FDPIC’s decisions is prosecuted ex officio.

What does the revFADP mean for cross-border data transfers? As under the GDPR, data may only be transferred abroad when an adequate level of data protection is guaranteed. The Swiss Federal Council publishes a periodically reviewed list of countries that guarantee an adequate level of data protection. If a country is not on that list, data can still be transferred if adequate protection is guaranteed by other means, such as standard contractual clauses. Where data is transferred abroad, a list of the destination countries should be added to the privacy notice. It is advisable to review data processing agreements with external suppliers in order to determine whether they reflect the updated requirements.

Privacy efforts remain a top priority on the agenda in 2023: the regulatory landscape is evolving further, and customer expectations are shifting too. As new business models and technologies emerge, we are ready to support you. Just get in touch with us.

Summary

On September 1, 2023 the revFADP enters into force. The revFADP aligns Swiss data protection law with the European GDPR and thus makes it possible to maintain the free flow of data between the EU and Switzerland. While essentially equivalent in most respects, the revFADP in part also deviates from the GDPR and goes a step further in regulating data protection.

Acknowledgement:

Many thanks to Stella Galehr for her valuable contribution to this article.
