Compliance requirements under the revised Federal Data Protection Act (FADP).

Switzerland has modernized its Federal Data Protection Act and adapted data protection to changing circumstances. At the same time, the FADP has been adapted to the requirements of the General Data Protection Regulation (GDPR), so that Switzerland will continue to be recognized by the EU as a third country with an adequate level of data protection and the free cross-border transfer of data will remain possible in the future. As the revised FADP comes into effect, companies will need to comply with the new legislation.

With the FADP and the GDPR, data protection will become a compliance factor. Failure to comply with data protection requirements will result in financial risks in the form of claims for damages from data subjects and fines from supervisory authorities. In order to avoid unlawful corporate behaviour and reduce liability risks, appropriate compliance measures must be designed and aligned with the company’s risk situation.

Overview of compliance requirements:

The key new data protection obligations of the FADP at a glance:

  • The minimum data protection requirements of the Data Protection Ordinance must be complied with. Companies must take appropriate technical and organisational measures to protect personal data. The Federal Data Protection and Information Commissioner (FDPIC) may inspect relevant documents as evidence of compliance when investigating breaches of data protection regulations.
  • When data processing is outsourced to data processors, a data processing agreement must be in place before data is transferred. Controllers must ensure that data processors are able to guarantee data security.
  • Personal data may be transferred abroad only if adequate data protection safeguards are in place.
  • Data subjects must always be given adequate information when personal data is collected and when automated decision making is used.
  • Companies must provide data subjects with information about the processing of their data. This information must be provided within 30 days.
  • A register of processing activities must be maintained, documenting the purposes of each data processing operation, retention periods, data transfers abroad and data recipients (for example, data processors). The register must be made available to the FDPIC upon request.
  • Privacy impact assessments (PIAs) must be prepared where the processing of personal data may result in high risks to data subjects.
  • Data breaches must be reported to the FDPIC if they result in a high risk to the data subject. A notification should include information on the nature of the breach, its consequences and the actions taken or planned. In addition, data subjects must be informed if this is necessary for their protection or if the FDPIC requests it.

As part of their compliance obligations, companies are required to develop appropriate data protection processes. This includes:

  • Establish procedures for identifying, assessing and reporting data breaches.
  • Build privacy into the design of new business processes and document it appropriately to satisfy the register of processing activities, data subject notices, and disclosure requirements.
  • Define responsibilities and raise awareness.
  • Monitor, classify and prioritise compliance activities.

Groups with an international focus need to comply with comparable data protection requirements for subsidiaries within the EU and overseas. The data protection organisation within the group should be harmonised as far as possible.

Data Protection Officers help ensure compliance

The appointment of a Data Protection Officer (DPO) is optional under the FADP, but has advantages for companies with complex compliance requirements. The DPO is the point of contact for data subjects and supervisory authorities. He or she works with the company’s compliance team, advises on data protection issues and ensures that data protection is considered as a requirement in all compliance measures. He or she reviews the processing of personal data and recommends corrective actions. If a PIA is to be carried out for high-risk data processing, the controller may refrain from consulting the FDPIC if a data protection advisor has been involved.
