The new Swiss Federal Data Protection Act 2023

The revised Swiss Federal Data Protection Act (FADP) will adapt Swiss data protection law to changing circumstances in 2023. At the same time, the revised law will be aligned with the requirements of the General Data Protection Regulation (GDPR), so that Switzerland will continue to be recognised by the EU as a third country with an adequate level of data protection and the free cross-border transfer of data remains possible in the future.

Swiss companies need to prepare now and will be required to comply with the new legislation as soon as it comes into force. With the FADP and the GDPR, data protection will become a compliance factor for Swiss companies. Failure to comply with data protection requirements will result in financial risks in the form of claims for damages from data subjects and fines from supervisory authorities. In order to avoid unlawful corporate behaviour and reduce liability risks, appropriate compliance measures must be designed and aligned with the company’s risk situation. OBSECOM GmbH supports you as a data protection consultant in Switzerland in fulfilling your compliance obligations.

When will the FADP come into force?

The Swiss Parliament adopted the FADP on 25 September 2020. In order for the new law to come into force, the Federal Council had to specify the provisions at ordinance level. The consultation period ended on 14 October 2021 and the FADP is now scheduled to enter into force on 1 September 2023.

What are the key changes that companies need to be aware of?

Art. 9 FADP – Contractual provisions for data processing by processors

Where personal data is processed by processors, companies must ensure that those processors are able to guarantee data security. The outsourcing of data processing to sub-processors requires the authorization of the controller. Data processing should be regulated on the basis of contractual agreements with processors.

Art. 19 FADP – New information requirements when collecting personal data

In the future, when personal data is collected, data subjects must be adequately informed about the purposes of processing, automated decision making and transfers abroad by means of a data protection notice. Where personal data is collected from third parties, data subjects must be informed of the collection within one month. Companies must identify relevant processing activities and provide appropriate privacy notices.

Art. 25 FADP – Strengthening the rights of data subjects

Companies must implement procedures to provide data subjects with information on the processing of their personal data within 30 days of request. They must also correct inaccurate personal data, delete data that is no longer needed, and disclose or transfer personal data processed by automated means upon request.

Art. 24 FADP – Notification of data breaches

In future, controllers must notify the Federal Data Protection and Information Commissioner (FDPIC) of data breaches as soon as possible if the breach results in a high risk for the data subjects. Companies must implement procedures to identify data breaches and assess reporting obligations.

Art. 60 FADP – Fines for breach of legal obligations

Individuals may be fined up to CHF 250,000 for wilful violations of the duties of care, information, disclosure and cooperation. Fines are generally not directed against the company. Rather, the FADP provides for a direct sanction against the individual responsible (for example, CEO, CIO, or other officer).

Art. 10 FADP – Data Protection Officer

Companies can appoint a Data Protection Officer (DPO) to advise them on the implementation of and compliance with data protection regulations. The DPO is the point of contact for data subjects and supervisory authorities. If a DPO is appointed, the company may benefit from a reduction in certain reporting obligations. OBSECOM, with its Swiss branch in Préverenges (VD), will advise you as an external Data Protection Officer on the implementation of the FADP. 

Which compliance requirements can have criminal consequences?

In the future, wilful disregard of the new data protection obligations will be punishable by a fine of up to CHF 250,000. Fines are not generally directed against the company. Rather, the FADP provides for direct sanctions against those responsible (for example, CEO, CIO or other functionaries). In order to avoid sanctions, the following areas, among others, should be implemented in a data protection compliant manner:

  • Meet minimum data security requirements. Companies must take appropriate technical and organizational measures to protect data. The Federal Data Protection and Information Commissioner (FDPIC) may inspect relevant documents during investigations into breaches of data protection regulations.
  • Outsourcing of data processing to processors must be contractually regulated. Companies must ensure that processors are able to guarantee data security.
  • Personal data may be transferred abroad only if adequate data protection safeguards are in place.
  • Data subjects must always be given adequate notice when personal data is collected and when automated decision making is used.
  • Companies must provide information about the processing of their data to data subjects upon request.

What data protection processes should companies have in place?

As part of their compliance obligations, companies are required to establish appropriate data protection processes. These include:

  • Establish procedures for identifying, assessing and reporting data breaches.
  • Incorporate data protection into the design of new business processes and document it appropriately to comply with processing directories, data subject notices and disclosure obligations.
  • Define responsibilities and raise awareness.
  • Monitor, classify and prioritise compliance activities.

International groups already have to comply with comparable data protection requirements for subsidiaries in the EU and overseas. The revision of the FADP provides an opportunity to harmonise the data protection organisation within the group.

How can Data Protection Officers help with data protection compliance?

The appointment of a Data Protection Officer (DPO) is optional under the FADP, but has advantages for companies with complex compliance requirements. The DPO is the point of contact for data subjects and supervisory authorities. He or she works with the company’s compliance team, advises on data protection issues and ensures that data protection is considered as a requirement in all compliance activities. The DPO reviews the processing of personal data and recommends corrective actions. Where a PIA is required for high-risk data processing, the controller may refrain from consulting the FDPIC if a DPO has been involved.
