FADP Switzerland Guide: How to Properly Comply?
If your business operates on a global scale, navigating the intricacies of data protection laws is critical. Oftentimes, the landscape gets even more complex when operating in countries outside the European Union that don’t follow the General Data Protection Regulation (GDPR).
One such country is Switzerland, with its Federal Act on Data Protection. In this comprehensive guide, we’ll cover this important data protection law, including what it is, its principles, scope, and data subject rights it provides, with an included checklist for complying with FADP.
Keep reading to learn more about FADP Switzerland and how your business can stay compliant with it.
- Switzerland introduced the Federal Act on Data Protection on 25th Sep. 2020 and made it official on 1st Sep. 2023.
- The law applies to any private person or federal body that processes the personal data of natural persons in Switzerland.
- FADP Switzerland provides the data subjects with the rights to information and data portability.
What is FADP Switzerland?
FADP Switzerland, or Federal Act on Data Protection, is a data privacy law designed to safeguard the privacy rights of individuals in Switzerland when businesses process their personal data.
The law predates the commercial Internet: it was first enacted in 1992 and has since seen numerous revisions and updates. The latest revised FADP was approved by the Federal Assembly of Switzerland in September 2020 and went into full effect on September 1st, 2023.
The updated 2023 version of FADP, or the New Federal Act on Data Protection (nFADP), brings more than cosmetic changes. For instance, companies are now required to disclose any third parties, such as vendors, with whom they share personal data. They also need to justify collecting personal data from their customers, among other new obligations.
Finally, although Switzerland is a non-EU country, alignment with the EU’s GDPR is vital in terms of harmonizing Swiss law with the EU standards and regulations and ensuring uninterrupted data exchange between the Swiss Confederation and the European Union.
The Federal Data Protection and Information Commissioner (FDPIC) enforces FADP and is responsible for handling complaints and giving out fines.
Scope of the FADP Switzerland
FADP Switzerland applies to the processing of Swiss citizens' personal data by private and federal bodies, including entities that are not in Switzerland.
It does not apply to:
- Personal data processed for personal use by a natural person
- Personal data processed by the Federal Assembly (FA) and parliamentary committees
- Personal data processed by institutional beneficiaries under the Host State Act
Art. 2, paragraph 1 of the Host State Act (HSA) states that the Confederation may grant privileges, immunities, and facilities to the following institutions:
- Intergovernmental organizations
- International institutions
- Quasi-governmental international organizations
- Diplomatic missions
- Consular posts
- Permanent missions or other representations to intergovernmental organizations
- Special missions
- International conferences
- Secretariats or other bodies established under an international treaty
- Independent commissions
- International courts
- Arbitration tribunals
- Other international bodies
The nFADP also adds several substantive provisions that the previous version of the law did not contain.
Rights Provided Under FADP Switzerland
Consumers are entitled to the following rights under FADP Switzerland:
Right to Information
Consumers have the right to request from the controller the information on whether it is processing any personal data relating to them, including:
- The identity and contact details of the controller
- The processed personal data
- The purpose of processing
- The retention period for the personal data (or the criteria for determining the period when this isn’t possible)
- The available information regarding the source of the personal data (if not collected from the individual)
- Whether automated individual decision-making is used, and the logic behind the decision
- Third-party recipients with whom the controller has shared the data
The controller can withhold the information, or delay providing it, when:
- A law allows it (for example, to protect trade and professional secrets)
- Doing so is necessary to safeguard third-party interests
- The request is unjustified and does not serve the purpose of data protection (this applies whether the controller is a private person or a federal body)
- The controller has interests that override the data subject’s right to information
- The controller does not intend to share or disclose the data to any third parties
- The controller is a federal body, and the information could compromise an investigation or a judicial or administrative proceeding
Right to Data Portability
Under FADP, individuals also have the right to data portability. This right allows them to have their personal data processed by a controller delivered in an electronic format if it is processed with the data subject’s consent or the controller is using automated data processing.
FADP Switzerland Checklist for Compliance
If you have customers in Switzerland, this FADP compliance checklist will be useful to follow:
Data Protection by Design and Data Protection by Default
The controller must ensure that data processing is done according to the principles in Art. 6 of the Swiss law.
Data processing must be lawful, done in good faith and proportionate, and for a specific purpose.
The controller must also provide appropriate technical and organizational measures for data processing and ensure data minimization.
Ensure Appropriate User Consent
Before collecting customers’ personal data, the controller must obtain appropriate user consent, similar to GDPR’s consent rules. This consent has to be freely given, explicit (not implied), specific (clearly stating how the data will be used and for what purpose), and unambiguous.
Users should also be able to easily manage consent and withdraw previously given consent at any time, so companies need to provide an easy way for them to do this.
Conduct DPIAs for Sensitive Data
If an organization processes sensitive data, it should periodically conduct a Data Protection Impact Assessment (DPIA). In particular, such an assessment should be done when data processing could result in a high risk to the data subject’s personal and/or fundamental rights.
This includes instances of using large amounts of sensitive data, using new technologies for collecting or processing data, systematic and excessive profiling, and so on.
A DPIA is a method for identifying and evaluating the potential risks involved in processing personal data, and it helps minimize those risks. It should be done when data processing poses a “high risk” to the data subject’s rights and freedoms.
Usually, a DPIA is carried out by a DPO.
Ensure Adequate Security Measures
One of the key reasons for updating the existing data protection law in Switzerland was to better address the modern security threats on the Internet.
As such, organizations that process their customers’ personal data need to ensure that adequate security measures are in place to safeguard the data from cyberattacks and data breaches, and to reduce the likelihood of such incidents.
This includes keeping up with the latest cybersecurity threats and data security principles, integrating security measures into every process, and minimizing the data the company collects so that processing is privacy-first by default.
Respond to DSARs Promptly
Companies must be transparent as to how they handle their customers’ personal data. This is where Data Subject Access Requests (DSAR) play an important role.
DSARs allow users to exercise their rights: they can learn what information a business holds on them, request changes to their data, and request that their data be deleted or transferred on demand.
One of the biggest obligations of a company to stay compliant is to promptly respond to these requests. This is why effective DSAR management is vital.
Notify Commissioner When a Data Breach Occurs
If a data breach occurs and it is likely to lead to a high risk to the user’s personal and fundamental rights, the company must promptly notify the FDPIC Commissioner about the breach.
The notification should describe the nature of the breach, categories of personal data and data subjects affected, their numbers, the possible effect of a data breach, the name and contact information of the DPO, and measures the company will take to address the breach.
While there is no specific deadline for notifying the Commissioner about the data breach, unlike with the GDPR data breach notification (where it is up to 72 hours from the moment the breach is discovered), this needs to be done as quickly as reasonably possible.
Penalties for Non-Compliance
Under the FADP, a private person acting as a controller who does any of the following can be fined up to 250,000 francs ($300,000):
- Fails to provide information when collecting personal data (Art. 19)
- Fails to provide information about decisions made solely based on automated data processing (Art. 21)
- Does not provide information as stipulated under Art. 25-27, Right to information
- Does not provide the information requested by the FDPIC investigation (Art. 49)
- Discloses subject’s personal data abroad
- Assigns data processing to a processor without adhering to Art. 9 Processing by Processors
- Does not meet the minimum data security requirements stipulated by Art. 8 Data Security
On top of these, an additional fine of 50,000 francs ($60,000) can be issued if identifying the responsible individuals poses a challenge. Criminal liability can also be an option depending on the severity of the violation.
FADP Switzerland is yet another data protection law that businesses need to keep an eye on. If you have customers in Switzerland whose personal data you hold, complying with the Federal Act on Data Protection is mandatory.
We hope this comprehensive guide will help your business stay compliant with this Swiss law. But, you may be wondering what the next steps are for your business. Well, what we recommend is to get a consultation to find out what your specific business needs are and to hand the compliance work over to professionals like Captain Compliance.
What is the FADP in Switzerland?
The Federal Act on Data Protection or FADP is a data privacy law that aims to regulate how businesses process Swiss citizens' personal data.
The law was introduced in the Federal Assembly (the parliament of Switzerland) on 25th September 2020 and entered into force on 1st September last year (2023).
What is the FADP?
FADP, or the Federal Act on Data Protection, is a data protection law that has been in force in Switzerland since 1st September 2023. The purpose of this regulation is to give Swiss citizens better control over how companies process their personal data.
FADP Switzerland leans heavily on the EU’s GDPR, including its data subject rights. Learn what the GDPR data subject rights are in this comprehensive guide.
What is the new data protection law in Switzerland 2023?
As of 1st September 2023, the Swiss Confederation has made the Federal Act on Data Protection (FADP) official. FADP Switzerland aims to give Swiss citizens more control over how their personal data is being processed by businesses.
What is the difference between GDPR and FADP?
While the Swiss data protection law bears many similarities with the EU’s GDPR, there are still a few differences.
Here are the major differences between the Swiss and the EU’s data protection laws:
Does Switzerland follow GDPR?
Switzerland has its own data protection law, the Federal Act on Data Protection (FADP), which was introduced on 25th September 2020 and made official on 1 September 2023. The law applies to any business that collects, stores, utilizes, or discloses personal data of Swiss citizens, whether the data processing is done in Switzerland or another country.
However, Swiss companies that process data of EU citizens still have to comply with the GDPR.