A new Era for Data Protection in Switzerland – Are you ready?

Switzerland enters a new era of data protection as the revised Federal Data Protection Act (revFADP) comes into force on September 1, 2023.

The revFADP enters into force on September 1, 2023 and substantially revises the Swiss data protection law of 1992. The revised law strengthens the rights of consumers regarding their data and aligns Swiss data protection law with the EU GDPR. There are two corresponding ordinances coming into force together with the revFADP: the implementing provisions of the Ordinance to the Federal Data Protection Act and the revised Ordinance on Data Protection Certification.

The Swiss Federal Council highlighted the “risk-based” approach that guides the revision: i.e., businesses should assess risks for data subjects throughout the data lifecycle and mitigate them accordingly. For companies already compliant with the GDPR, it will be easier to implement the revised act, nonetheless the revFADP comes with a “Swiss finish” in certain areas.

The scope of application now coincides with the GDPR: the law applies to the processing of personal data of natural persons. Data of legal entities are no longer included. The definition of sensitive data has been extended to include genetic and biometric data, the processing of which now also requires explicit consent.

Newly introduced were the principles of privacy by design, data protection through technology design, e.g. through the use of privacy preserving synthetic data or other privacy enhancing technologies, and the principle of privacy by default, that means to only process data necessary to serve a specific purpose. Companies need to review their applications and services to make adjustments where necessary. In the light of potential data subject information requests, it is advisable to structure customer data in ways that allow a company to comply, e.g. by providing copies of personal data, without having to redact personal data of other customers.

According to the revFADP, a DPIA must be conducted whenever the intended data processing may lead to a high risk for the data subject’s personality or fundamental rights; in such case the controller must conduct a DPIA before beginning with the processing. If a DPIA reveals that the processing results in a high risk, despite safeguarding measures being taken, the controller must obtain an opinion from the FDPIC. While the FDPIC’s opinions do not need to be published, they are subject to the Freedom of Information Act and thus may partially become public knowledge. However, as already mentioned, this consultation may be dispensed with if the organization has appointed a DPA.

Further, data breaches must now be reported to the competent supervisory authorities. Accordingly, all data breaches must be documented, and it should be further assessed whether the breach results in a high risk for data subjects. If that is the case, the controller must report the breach to the FDPIC as soon as possible. Compared to the GDPR, this is a lowered threshold, as simple risks must be reported too, and the breach must be notified within 72 hours under GDPR. In light of the revFADP, it is recommended to update internal data breach incident management policies and procedures to reflect the additional requirements.

Under the revFADP profiling is now explicitly regulated. Profiling is defined as any form of automated processing of personal data to assess personal aspects about a natural person. When involving a high risk, or, if done by a federal body, consent must be given explicitly. Data subjects may be informed about (high risk) profiling in privacy notices in order to ensure transparency. A separate communication or FAQs on a website can further increase trust.

The revFADP fines responsible private persons up to CHF 250,000 for willful acts or omissions violating the act. Breaching the duty to provide information as well as violations of professional confidentiality are fined upon complaint. Failure to comply with the FDPIC’s decisions are prosecuted ex officio.

What does the revFADP mean for cross-border data transfers? Same as under the GDPR, data may only be transferred abroad when an adequate level of data protection is guaranteed. The Swiss Federal Council publishes a periodically reviewed list of countries guaranteeing an adequate level of data protection. If a country is not placed on that list, data can still be transferred if adequate protection is guaranteed by other means, such as standard contractual clauses. Where data is transferred abroad, a list of these countries should be added to the privacy notice. It is advisable to review data processing agreements with external suppliers in order to determine whether the data processing agreements reflect the updated requirements. 

Privacy efforts remain a top priority on the agenda in 2023 – the regulatory landscape is further evolving, and customer expectations too are shifting. While new business models and technologies are emerging - we are ready to support you. Just get in touch with us.