3375b.com

Legislative Update: Swiss Data Protection Act took effect September 1

Posted on September 22, 2023

The new Swiss Federal Act on Data Protection, known by the acronym “nFADP,” took effect on September 1. The law was enacted by the Swiss parliament in 2020.

The law introduces new rights for Swiss citizens, but also corresponding obligations for businesses that process personal data subject to the law. The law is intended to be more closely aligned to the European Union’s General Data Protection Regulation and allows for a free flow of information between EU and Swiss companies.

Noteworthy provisions

Here are some of the more noteworthy provisions of the new law and how it contrasts with its predecessor, the Federal Data Protection Act of 1992:

  • Scope: The new law has a narrower scope as it applies to data of natural persons, rather than legal “persons,” like corporations. The new law further clarifies that the law extends to any circumstances that have effect in Switzerland even if they were initiated abroad. Thus, any entity that processes personal data of Swiss residents or that may have an effect on Swiss territory may be subject to the Act.
  • Extended definitions: The new law expands the definition of “sensitive data” by adding genetic and biometric data that uniquely identifies a natural person. The Act also introduces and defines “profiling” and “high-risk profiling” as two distinct concepts with heightened security requirements and protections.
  • New principles: Although most of the principles of the predecessor remain unchanged, the new law introduces new principles: “data protection by design,” and “data protection by default.” These new principles require controllers to have technical and organizational measures in place appropriate to the nature and risk of processing the data.
  • Record of processing activities: Both controllers and processors are required under the new law to maintain a record of their processing activities. At a minimum, the record must contain the information enumerated in the law, unless an exception by the Federal Data Protection Commissioner has been granted to a legal entity with fewer than 250 employees and whose processing of data does not pose heightened risk to the data subjects.
  • Mandated data protection impact assessments: Controllers processing personal data that is likely to result in a heightened risk to the data subjects will be required to conduct data protection impact assessments beforehand, unless the private controller is required by law to process personal data.
  • Reporting data protection breaches: The law requires controllers to notify the Commissioner of any data security breach that is likely to result in high risk to the data subjects. The law does not have a deadline for such reporting and merely indicates that the Commissioner must be notified “as quickly as possible.” In addition, the controller must inform the data subject of a breach if required for the protection of the subject or if requested by the Commissioner.
  • Violations and fines: The new law provides for fines to be levied against those who violate the Act.

Similarities to, differences from, the GDPR

The Swiss nFADP has many similarities with the GDPR:

  • Obligations of transparency and publishing of privacy notices.
  • Adoption of administrative, technical, and security measures.
  • Conducting data protection impact assessments.
  • Entering contractual arrangements with processors.
  • Maintaining a register of processing activities.
  • Providing certain rights to data subjects.
  • Application to cross-border data transfers.

Nevertheless, the nFADP and GDPR are not identical. Some noteworthy differences include the following:

  • Explicit consent under nFADP is required only for processing of sensitive personal data, high-risk profiling by private persons, and profiling by a federal body.
  • The GDPR requires that covered entities appoint a Data Protection Officer under certain circumstances. The nFADP does not have a similar obligation. However, controllers operating outside Switzerland are required by the nFADP to appoint a representative in Switzerland if the controllers meet certain requirements enumerated in the nFADP.
  • The nFADP requires that data breaches be reported to the Federal Data Protection Commissioner as soon as possible, and to data subjects under certain circumstances.

Conclusion

Controllers and processors collecting and processing personal data of data subjects in Switzerland, or whose processing will have an impact on Swiss territory, must evaluate their processing activities to determine how their obligations have changed. After determining their compliance obligations, they should establish policies, procedures and processes to address the new obligations.
