Revised Swiss Data Protection Act: What companies from the EU need to consider

//Annette Vogt Widmer//

On 1 September 2023, Switzerland’s revised Federal Act on Data Protection (FADP) came into force together with its implementing provisions, the Data Protection Ordinance (DPO). What do the changes mean for companies and organizations from the EU? Who falls under the scope of the revised law? What differences are there compared to the GDPR?

Through the revision, the new Data Protection Act has been aligned with the GDPR in many points. Terms and processes such as “controller”, “processor”, “profiling”, and “data protection impact assessment” have been introduced, and the “duty to provide information” when collecting personal data has been extended in a way comparable to the GDPR. Those who are GDPR-compliant therefore also largely fulfil the requirements of the FADP. However, a few points in which the FADP goes beyond the regulatory content of the GDPR must be considered.

Who falls under the scope of the FADP?

The FADP applies to “circumstances that have an effect in Switzerland, even if they were initiated abroad”.[i] The so-called effect principle applies.[ii] It is not only the location of the data processing that is decisive, but whether the data processing has an effect in Switzerland, e.g., by operating servers in Switzerland, publishing information and images about persons from Switzerland,[iii] et cetera.

A company or organization that is based in the EU and processes data from natural persons in Switzerland must check whether the data processing in Switzerland is or can be “noticeable” in a relevant way. If this is the case, the FADP applies.

In terms of material scope, the FADP also applies to purely manual processing that is not part of, or intended to be part of, a filing system. On this point the FADP goes further than the GDPR. However, this should be of little relevance in the age of digitalisation. Similar to the GDPR, the FADP does not apply to “processing by a natural person exclusively for personal use”.[iv]

The FADP applies to the processing of personal data of natural persons only. The previous protection of data of legal entities has been removed with the revision.

Do you need a representative in Switzerland?

Similar to the GDPR, the new FADP requires certain foreign controllers to appoint a representative in Switzerland. In practice, however, the provision will mainly be relevant for large players such as Facebook, Google & Co. Companies from the EU processing personal data of individuals in Switzerland must designate a representative in Switzerland if “the processing is in connection with the offer of goods and services or the monitoring of the behaviour of persons in Switzerland and the processing is on a large scale, carried out regularly and poses a high risk to the personality of the data subjects”.[v]

Many companies will not consider these requirements to be fulfilled. In particular, the high risk to the personality will not be given: just as with data protection impact assessments, processing operations are regularly adapted until there is no longer a high risk.[vi]

What other differences are to be considered?

  • Principles
    Different from the GDPR, the FADP in principle requires neither consent nor any other justification for the processing of personal data – including sensitive personal data – provided that the principles of data processing are complied with,[vii] no objection is raised to the processing and no sensitive personal data is disclosed to third parties.

  • Sensitive personal data
    The definition of “sensitive personal data” under the FADP goes further. On the one hand, the terms “private sphere” (German: Intimsphäre) and “administrative and criminal proceedings or sanctions” are broader than their counterparts under the GDPR.[viii] In addition, “data on social assistance measures” are considered sensitive data.

  • Processing by processors
    Data processing by processors must also be assigned by contract. Unlike the GDPR, there is no legally prescribed form under the FADP. For reasons of proof, however, a written document has also become widely accepted in Swiss practice. In particular, it should be noted that prior approval from the controller is required to allow the processor to assign the data processing to third parties. In the case of a general approval, the controller must be granted a “right of veto”.[ix] In this respect, “data processing agreements” must be adapted.

  • Data protection officer
    Unlike under the GDPR, the appointment of a data protection officer[x] is voluntary under the FADP. The “only” advantage of having a data protection officer: the obligation to consult the FDPIC[xi] in the case of a high-risk data protection impact assessment no longer applies.[xii]

  • Documentation and reporting obligations
    As in the GDPR, the FADP also includes various documentation and reporting obligations. Besides the “notification of data breaches”, the “data protection impact assessment” and the “record of processing activities”, the FADP provides for an additional instrument: the “regulations on automated processing” (German: Bearbeitungsreglement). The latter must be issued for automated processing if a large volume of sensitive personal data is processed or high-risk profiling is carried out.[xiii]
    Under the FADP, a “record of processing activities” only has to be kept if 250 or more employees are employed, or if the same requirements that make it mandatory to keep “regulations on automated processing” are met.[xiv]

  • Duty to provide information
    Under the previous Swiss Data Protection Act, information only had to be provided on the processing of sensitive personal data. As part of the revision, the information obligations were extended to all personal data processing. Different from the GDPR, the FADP contains fewer requirements as to what information must be provided. In one respect, however, the FADP goes further than the GDPR: if personal data is disclosed abroad, the State must be named. This applies regardless of whether the State has an adequate level of data protection or not.[xv] In the absence of an adequate level of data protection, information on the guarantees or on the application of an exception must also be provided.

    In order to be FADP-compliant, a privacy policy created under the GDPR must be adjusted, in particular with regard to the following points:
    – Countries to which data is transferred: these must be named
    – Sensitive personal data: does the policy’s definition correspond to the extended definition of the FADP?
    – Supervisory authority: the Federal Data Protection and Information Commissioner (FDPIC) must be named

  • Sanctions
    Finally, the criminal provisions should also be mentioned. With fines not exceeding CHF 250,000, they are much lower than under the GDPR. Unlike under the GDPR, fines are primarily imposed on the responsible natural person and not on the company, which leads to a personal risk. However, this is relativised by the fact that only wilful action leads to a fine.

Conclusion

For GDPR-compliant EU companies and organizations, the effort to become FADP-compliant is manageable. In most cases, Swiss law is less formalistic and requires less detailed content than the GDPR. However, there are a few points where the new FADP goes beyond the GDPR. If you are active in the Swiss market, you should be aware of the differences and ensure the necessary adjustments.

Annette Vogt Widmer, Lawyer (Switzerland) specialized in Governance, Compliance and Data Protection, Certified association and NPO manager (VMI), Frankfurt a.M. (Germany)

[i] Art. 3 para. 1 FADP

[ii] David Rosenthal, Das neue Datenschutzgesetz, p. 35, in: Jusletter 16 November 2020

[iii] Decision 138 II 346 of the Swiss Federal Supreme Court

[iv] Art. 2 para. 2 FADP

[v] Art. 14 FADP

[vi] David Rosenthal, Das neue Datenschutzgesetz, p. 64, in: Jusletter 16 November 2020

[vii] The principles of personal data processing are regulated in Art. 6 and 8 FADP and are largely identical to the principles of the GDPR.

[viii] The counterparts under the GDPR are “data concerning a natural person’s sex life or sexual orientation” and “personal data relating to criminal convictions and offences or related security measures”.

[ix] Art. 7 DSO

[x] Largely identical to the data protection officer under the GDPR

[xi] The Federal Data Protection and Information Commissioner (FDPIC) is the Swiss supervisory authority on data protection.

[xii] Art. 23 para. 4 FADP

[xiii] Art. 5 DSO

[xiv] Art. 24 DSO

[xv] According to Rosenthal, formulations that make it possible to clearly identify the States are also permissible, e.g., “in all EU countries”, “worldwide”, “in the countries in which we are represented”.