
The revised Swiss Data Protection Act (FADP)

With the revised FADP, the Swiss data protection law has been adapted to changing circumstances in 2023. At the same time, the revised law has been aligned with the requirements of the General Data Protection Regulation (GDPR), so that Switzerland will continue to be recognised by the EU as a third country with an adequate level of data protection and the free cross-border transfer of data will remain possible in the future.

Swiss companies must prepare to comply with the new legislation. With the FADP and the GDPR, data protection has become a compliance factor for Swiss companies. Failure to comply with data protection requirements leads to financial risks in the form of claims for damages from data subjects and fines from supervisory authorities. In order to avoid unlawful corporate behaviour and reduce liability risks, appropriate compliance measures must be designed and aligned with the company’s risk situation. OBSECOM supports you as Data Protection Officer in Switzerland in fulfilling your compliance obligations.

What are the key changes that companies need to be aware of?

Art. 9 FADP – Contractual rules for data processing by processors

When personal data is processed by data processors, companies must ensure that those processors are able to guarantee data security. The outsourcing of data processing to sub-processors requires the authorization of the controller. Data processing by processors should be regulated through contractual agreements.

Art. 19 et seq. FADP – New information requirements when collecting personal data

When personal data is collected, data subjects must be adequately informed about the purposes of the processing, automated decisions and transfers abroad by means of a privacy policy. Where personal data is collected from third parties, data subjects must be informed of the data collection within one month. Companies must identify relevant processing activities and provide appropriate privacy notices.

Art. 25 et seq. FADP – Strengthening the rights of data subjects

Companies should establish procedures to provide individuals with information about the processing of their personal data within 30 days of their request. In addition, inaccurate personal data must be corrected where necessary, data that is no longer needed must be deleted, and copies of processed personal data must be provided upon request.

Art. 24 FADP – Notification of data breaches

In the future, data controllers will be required to notify the Federal Data Protection and Information Commissioner (FDPIC) of data breaches as soon as possible if the breach results in a high risk to data subjects. Companies should implement processes to identify data breaches and assess their reporting obligations.

Art. 60 et seq. FADP – Fines for breach of legal obligations

Individuals may be fined up to CHF 250,000 for wilful violations of the duties of care, information, disclosure and cooperation. Fines are generally not directed against the company. Rather, the FADP provides for direct sanctions against those responsible (for example, the CEO, CIO, or other management personnel).

Art. 10 FADP – Data Protection Officer

Companies can appoint a Data Protection Officer to advise them on implementing and complying with data protection regulations. The Data Protection Officer is the point of contact for data subjects and data protection authorities. Once a Data Protection Officer has been appointed, the company may benefit from a reduction in certain reporting obligations. OBSECOM, with its Swiss branch in Préverenges (VD), will advise you as an external Data Protection Officer on the implementation of the FADP.

What compliance requirements may have criminal consequences?

Failure to comply with the new data protection requirements may result in a fine of up to CHF 250,000. Fines are not generally directed against the company. Rather, the FADP provides for direct sanctions against those responsible (e.g., CEO, CIO, or other functionaries). To avoid sanctions, the following areas, among others, should be implemented in a data protection compliant manner:

  • Meet minimum data security requirements. Companies must take appropriate technical and organizational measures to protect data. The Federal Data Protection and Information Commissioner (FDPIC) may inspect relevant documents during investigations into breaches of data protection regulations.
  • The outsourcing of data processing to processors must be contractually regulated. Companies must ensure that contract processors are able to guarantee data security.
  • Personal data may be transferred abroad only if adequate data protection safeguards are in place.
  • Data subjects must always be given adequate notice when personal data is collected and when automated decision-making is used.
  • Companies must provide information about the processing of their data at the request of data subjects.

What data protection processes should companies have in place?

As part of their compliance obligations, companies are required to establish appropriate data protection processes. These include:

  • Establish procedures to identify, assess and report data breaches.
  • Build privacy into the design of new business processes and document it appropriately to comply with processing directories, notices to data subjects, and disclosure requirements.
  • Define responsibilities and raise awareness.
  • Monitor, classify and prioritise compliance activities.

How can a Data Protection Officer help with data protection compliance?

The appointment of a Data Protection Officer is optional under the FADP, but it has advantages for companies with complex compliance requirements. The Data Protection Officer is the point of contact for data subjects and data protection authorities. He or she works with the company’s compliance team, advises on data protection issues, and ensures that data protection is considered as a requirement in all compliance activities. The Data Protection Officer reviews the processing of personal data and recommends corrective actions. Where a privacy impact assessment (PIA) is required for high-risk processing, the controller may refrain from consulting the FDPIC if a Data Protection Officer has been involved.
