On 1 September 2023, Switzerland’s revised Federal Act on Data Protection (FADP) came into force together with its implementing provisions, the Data Protection Ordinance (DPO). What do the changes mean for companies and organizations from the EU? Who falls under the scope of the revised law? What differences are there compared to the GDPR?
By the revision, the new Data Protection Act has been aligned with the GDPR in many points. Terms and processes such as “controller”, “processor”, “profiling”, and “data protection impact assessment” have also been introduced and the “duty to provide information” when collecting personal data has been extended in a comparable way to the GDPR. Those who are GDPR-compliant therefore also largely fulfil the requirements of the FADP. However, a few points in which the FADP goes beyond the regulatory content of the GDPR must be considered.
Who falls under the scope of the FADP?
The FADP applies to „circumstances that have an effect in Switzerland, even if they were initiated abroad”i . The so-called effect principle appliesii . It is not only the location of the data processing that is decisive, but whether the data processing has an effect in Switzerland, e.g., by operating servers in Switzerland, publishing information and images about persons from Switzerlandiii, et cetera.
A company or organization that is based in the EU and processes data from natural persons in Switzerland must check whether the data processing in Switzerland is or can be “noticeable” in a relevant way. If this is the case, the FADP applies.
In terms of material scope, the FADP also applies to purely manual processing that is not part or intended to be part of a filing system. In this point the FADP goes further than the GDPR. However, this should be of little relevance in the age of digitalisation. Similar to the GDPR the FDPA does not apply on „processing by a natural person exclusively for personal use“.iv
The FADP applies to the processing of personal data of natural persons only. The previous protection of data of legal entities has been removed with the revision.
Do you need a representative in Switzerland?
Similar to the GDPR, the new FADP requires certain foreign controllers to appoint a representative in Switzerland. In practice, however, the provision will mainly be relevant for large players such as Facebook, Google & Co. Companies from the EU processing personal data of individuals in Switzerland must designate a representative in Switzerland if „the processing is in connection with the offer of goods and services or the monitoring of the behaviour of persons in Switzerland and the processing is on large scale, carried out regularly and poses a high risk to the personality of the data subjects“.v
Many companies will not consider the requirements to be fulfilled. In particular the high risk to the personality will not be given, just as in the data protection impact assessments processings are regularly adapted until there is no longer a high risk.vi
What other differences are to be consider?
Different from the GDPR, the FADP, in principle, does not require neither consent nor any other justification for the processing of personal data – including sensitive personal data – provided compliance with the principles of data processingvii, no objection is raised to the processing and no sensitive personal data is disclosed to third parties.
Sensitive personal data
The definition of „sensitive personal data“ under the FADP goes further. On the one hand, the terms “private sphere” (German: Intimsphäre) and “administrative and criminal proceedings or sanctions” are broader than their counterparts under the GDPR.viii In addition “data on social assistance measures” are considered as sensitive data.
Processing by processors
Data processing by processors must also be assigned by contract. Unlike the GDPR, there is no legally prescribed form under the FADP. For reasons of proof, however, a written document has also become widely accepted in Swiss practice. In particular, it should be noted that prior approval from the controller it required to allow the processor to assign the data processing to third parties. In case of a general approval the controller must be granted a „right of veto“.ix In this respect „data processing agreements“ must be adapted.
Data protection officer
Unlike under the GDPR, the appointment of a data protection officerx is voluntary under the FADP. The „only“ advantage having a data protection officer: The obligation to consult the FDPICxi in the case of a high-risk data protection impact assessment no longer applies.xii
Documentation and reporting obligations
As in the GDPR, the FADP also includes various documentation and reporting obligations. Beside the „notification of data breaches“, the „data protection impact assessment“ and the „record of processing activities“, the FADP knows an additional instrument: the „regulations on automated processing“ (German: Bearbeitungsreglement). The latter must be issued for automated processing if a large volume of sensitive personal data is processed or high-risk profiling is carried out.xiii
Under FADP, a „record of processing activities“ only has to be kept if 250 or more employees are employed or the same requirements that make it mandatory to keep a „regulations on automated processing“ are met. xiv
Duty to provide information
Under the previous Swiss Data Protection Act, information only had to be provided on the processing of sensitive personal data. As part of the revision, the information obligations were extended to all personal data processing. Different from the GDPR, the FADP contains fewer requirements as to what information must be provided. In one respect, however, the FADP goes further than the GDPR: If the personal data is disclosed abroad, the State must be named. This applies regardless of whether the State has an adequate level of data protection or not.xv In the absence of an adequate level of data protection, information on the guarantees or the application of an exception must as well be provided.
– Countries to which data is transferred: These must be named
– Sensitive personal data: Do those correspond to the extended definition of the FADP?
– Supervisory authority: The Federal Data Protection and Information Commissioner (FDPIC) must be named
Finally, the criminal provisions should also be mentioned. With fines not exceeding CHF 250,000, they are much lower than under the GDPR. Different than under GDPR, fines are primarily imposed on the natural person responsible and not to the company, which leads to a personal risk. However, this is relativised by the fact that only wilfully action leads to a fine.
For GDPR-compliant EU companies and organizations the effort to become FADP-compliant is manageable. In most cases, Swiss law is less formalistic and requires less detailed content than the GDPR. However, there are a few points where the new FADP goes beyond the GDPR. If you are active in the Swiss market, you should be aware of the differences and ensure the necessary adjustments.
Annette Vogt Widmer, Lawyer (Switzerland) specialized in Governance, Compliance and Date Protection, Certified association and NPO manager (VMI), Frankfurt a.M. (Germany)
i Art. 3 para. 1 FADP
ii David Rosental, Das neue Datenschutzgesetz, p. 35 in: Jusletter 16 November 2020
iii Decision 138 II 346 of the Swiss Federal Supreme Court
iv Art. 2 para. 2 FADP
v Art. 14 FADP
vi David Rosental, Das neue Datenschutzgesetz, p. 64 in: Jusletter 16 November 2020
vii The principles of personal data processing are regulated in Art. 6 and 8 FADP and are largely identical to the principles of the GDPR.
viii The counterparts under the GDPR are „data concerning a natural person’s sex life or sexual orientation“, „personal data relating to criminal convictions and offences or related security measures“.
ix Art. 7 DSO
x Largely identical to the data protection officer according to GDPR
xi The Federal Data Protection and Information Commissioner (FDPIC) is the Swiss supervisory authority on data protection.
xii Art. 23 para. 4 FADP
xiii Art. 5 DSO
xiv Art. 24 DSO
xv According to Rosenthal, formulations that allow to clearly define the States are also permissible, e.g., “in all EU countries”, “worldwide”, “in the countries in which we are represented”.