
Navigating the New Swiss Federal Act on Data Protection (revFADP) – A Detailed Guide for Swiss Companies

Juan
16.08.2023

Introduction: The Dawn of a New Data Protection Era in Switzerland

Switzerland has ushered in a new era of data protection with the introduction of the new Federal Act on Data Protection (nFADP). The new legislation replaces the previous 1992 Act, effectively reflecting the evolving digital age and aligning Swiss regulations closely with the European Union's General Data Protection Regulation (GDPR). The new law introduces several new requirements that companies will need to meet in order to stay compliant.

This article aims to guide companies, especially those venturing into the intricacies of data protection for the first time, through the new landscape shaped by the nFADP. It outlines key changes, critical provisions, compatibility with the EU GDPR, and the necessary steps for achieving compliance.

Major Innovations of the nFADP

The nFADP builds on the existing data protection framework while introducing several new elements. These include:

  1. Stronger transparency requirements: The nFADP places a robust emphasis on transparency, requiring companies to justify their reasons for gathering customer data, and reveal who will have access to it. This information must be explicit, unambiguous, and easily accessible (nFADP Article 15). Data subjects now have the right to understand the duration of data storage, its utilization, and the power to rectify erroneous data without any need for justification.
  2. Right to Information: The law asserts that any person may request information from the controller of a data file to ascertain whether their personal data is being processed (Art. 25 revDSG).
  3. Expanded compliance obligations for Businesses: The nFADP has extended its reach beyond Swiss borders, mirroring the GDPR (Article 3). All Swiss and international companies that provide goods and services to Swiss residents or monitor their behavior must comply with the nFADP. Businesses without a physical presence in Switzerland must appoint a Swiss representative responsible for all matters related to data processing (nFADP Article 3).
  4. Strengthened Regulatory Powers and Sanctions: The Swiss Federal Data Protection and Information Commissioner (FDPIC) finds its powers bolstered under the nFADP. It can impose stringent sanctions against private individuals failing to comply with the regulations, with penalties of up to CHF 250,000 for individuals; in some cases the company itself may be fined up to CHF 50,000 for a breach committed in the course of business, particularly where identifying the offending individual within the organization would require disproportionate effort (Article 60 nFADP).
  5. Data Breach Reporting: Timeliness Matters: Companies must promptly report data breaches to the FDPIC and the affected parties (nFADP Article 24), mitigating damage, maintaining trust and circumventing further legal complications.
  6. Privacy by Design and Privacy by Default: Taking a leaf out of the GDPR (Article 25), Article 7 of the nFADP mandates companies to integrate data protection principles from the design phase of products or services, applying the strictest privacy settings by default. This anticipatory approach aids in incorporating privacy at every operational level.
  7. Data Protection Impact Assessment: Private and public-sector data controllers must perform a data protection impact assessment (DPIA) if data processing is likely to pose a high risk to the personality or fundamental rights of data subjects (Art. 22 nFADP).
  8. The FDPIC’s Role: The nFADP bestows additional duties and powers upon the FDPIC, introducing changes for data processors and data subjects. The FDPIC will charge private data processors for a number of its services in the future (Art. 59 nFADP).
  9. Data Protection Officer: The notification of Data Protection Officers (DPOs) to the FDPIC is provided for under Article 10 para. 3 nFADP for private individuals and Article 10 para. 4 nFADP for federal bodies. Private companies may appoint a Data Protection Advisor (DPA), who doesn't necessarily need to be an employee and whose main role is to provide independent advice on data protection, help create rules and regulations, and deliver training. After a data protection impact assessment, companies may rely solely on the DPA's advice without needing to consult the FDPIC further.

nFADP and GDPR: Understanding the Differences

Despite having common objectives, the nFADP and GDPR exhibit distinct nuances that businesses operating in both jurisdictions need to comprehend. Here's a comparative analysis:

| | nFADP | GDPR |
|---|---|---|
| Data Protection Officer Appointment | Recommended but not mandatory (nFADP Article 10 and 12) | Mandatory for certain businesses (GDPR Article 37) |
| Data Breach Reporting | Prompt reporting required (nFADP Article 24) | Reporting required within 72 hours (GDPR Article 33) |
| Sanctions | Up to CHF 250,000 for individuals (nFADP Article 60-64) | Up to €20 million or 4% of annual global turnover for companies (GDPR Article 83) |
| Information Disclosure | Less stringent requirements for privacy notices (nFADP Article 19) | Detailed requirements for privacy notices (GDPR Article 13 and 14) |
| Data Transfers | Determined by the Federal Council (nFADP Article 16) | Determined by the European Commission (GDPR Chapter V) |
| Consent | Stronger transparency requirements (nFADP Article 19) | Extensive transparency obligations (Art. 13 GDPR) |

Preparing for Compliance with the nFADP: A Practical Guide

Transitioning from the FADP to the nFADP

For companies previously compliant with the FADP, the transition to the nFADP might seem daunting, but it's crucial. Conducting a gap analysis to identify data protection shortcomings and risks, and developing a strategic plan to address these gaps is vital. Implementing robust data handling procedures, stringent security measures, and effective training programs will ensure a smooth transition.

The Continued Relevance of the GDPR

Despite the introduction of the nFADP, Swiss companies must not overlook the GDPR, particularly if they process EU citizens' data. Achieving GDPR compliance not only ensures seamless data exchange with EU partners but also maintains the company's global market competitiveness.

Conclusion

The nFADP represents a significant milestone in Switzerland's data protection landscape. Understanding the implications of this new law is vital for Swiss companies and those operating in Switzerland, to ensure compliance, evade substantial penalties, and maintain customer trust.

By understanding the nFADP's key provisions, appreciating the differences with the GDPR, and planning for a smooth transition, companies can ensure secure and responsible handling of personal data. Although the task might seem formidable, the rewards of maintaining robust data protection practices are immense.

Here are some key takeaways from the article:

  • The nFADP is a significant overhaul of Switzerland's data protection laws, bringing them more in line with the GDPR
  • The nFADP introduces a number of new requirements for businesses, including stronger transparency requirements, expanded breach notification obligations, and increased sanctions for individuals and (in some cases) businesses
  • Businesses that operate in Switzerland or process the personal data of Swiss residents will need to take steps to ensure compliance with the nFADP
  • There are a number of resources available to help businesses understand and comply with the nFADP, including the FDPIC's website and guidance documents

We hope this article has been instrumental in providing an overview of the nFADP. For any further inquiries, please don't hesitate to reach out.
