How Companies Remain Compliant with the Revised Swiss Federal Act on Data Protection
Switzerland’s revised Federal Act on Data Protection (FADP) adopts a number of requirements from Europe’s General Data Protection Regulation (GDPR). Swiss companies that are already GDPR-compliant will therefore see only a few smaller changes under the revised FADP.
Unlike GDPR, Swiss law continues to allow data processing under the principle that the collection and processing of data does not require a specific justification but is generally permitted provided certain principles are observed. GDPR, by contrast, requires a justification for each instance of processing, such as consent, performance of a contract, a legitimate interest of the data processor or a statutory provision.
If personal data is processed in violation of the legal regulations or against the will of the data subject, this constitutes a violation of privacy rights.
In the event of a privacy violation, the responsible (natural) person may be fined up to CHF 250,000.
Going forward, FADP will be in line with GDPR in that only natural persons are protected, while legal entities are excluded.
There will be no obligation to appoint a data protection officer under the new law. But we recommend that companies ensure internal governance and oversight of data protection regulations are clearly defined.
Checklist for implementation
The following checklist will help Swiss companies to implement the new law:
Information duties: In line with GDPR, FADP will extend the obligation to provide information when collecting personal data.
Keeping a record of data processing activities: Data processors will have to keep a record of their data processing activities, equivalent to the existing GDPR requirement. However, exceptions will apply to small businesses with a low risk of data protection violations.
“DPIA”: Data processors will be required to conduct a so-called Data Protection Impact Assessment if particularly sensitive data are processed in high volumes. This includes a description of the planned processing, an assessment of the risks and the countermeasures taken.
Reporting of data security breaches: Security breaches must be notified to the Federal Data Protection and Information Commissioner (FDPIC) in Berne.
Right of access: The existing right of access will be adapted slightly, and data subjects will have a right to data portability. Companies should adjust their process for responding to requests for information accordingly.
Adjustments to the general terms and conditions and privacy policies: Data processors should review and update their existing general terms of business and privacy policies where necessary.