Switzerland's New Data Protection Law: 5 Key Changes You Should Know about FADP 2023


Discover how Switzerland is safeguarding its citizens' personal data with the new Federal Act on Data Protection (nFADP) starting September 1, 2023.
Switzerland is taking a significant stride forward in safeguarding its citizens' personal information by implementing the new Federal Act on Data Protection (nFADP), starting September 1, 2023. The new law fortifies data protection and the security of citizens' data.
If you're a German company planning to expand your business to Switzerland or a European company eyeing opportunities in the Swiss market, there's some important news you need to know. In this blog, we will delve into the key amendments introduced by the revised FADP, compare it with the General Data Protection Regulation (GDPR), and explore the reasons behind Switzerland's decision to revise its data protection law.
What is FADP?
The Federal Act on Data Protection (FADP) is a Swiss law designed to protect the privacy and fundamental rights of individuals during the processing of their data. It was initially introduced in 1992. However, with the rapid advancements in technology and digital practices, a revised version is set to take effect in September of this year.
The New FADP Requirements – 5 Key Changes for Businesses
1. Enhancing Data Protection
Companies will be required to justify why they collect user information and disclose the parties with whom they share it. The new obligation applies not only to Swiss companies but also to non-Swiss companies that cater to Swiss residents or monitor their online behaviour. According to Adnovum, ‘any Swiss-based and international company that provides goods or services to Swiss citizens and organizations or processes sensitive data about them, such as medical records, genetic material, and political views, will be subject to the new law.’ Moreover, individuals will have the right to know how their data will be used and how long it will be stored, and to request corrections, without providing a reason, if any inaccuracies are found.
2. Empowering Data Rights and Consent Rules
The revised FADP also grants individuals greater control over their personal data. Users have the right to access the information companies hold about them, correct it, request its deletion, and withdraw their consent at any time if they change their minds, giving them more say in how it is used. Furthermore, companies need to be clear about why they want the data and obtain unambiguous consent.
3. Improved Data Security Measures
With the revised FADP, companies are required to report any data breaches promptly. This means that if there's a security incident that could impact people's rights and freedoms, companies must notify the Swiss authorities. This is a move to ensure that data is better protected from unauthorized access.
4. Data Protection Officer
Larger companies handling sensitive data or engaging in monitoring of individuals are strongly encouraged to appoint a Data Protection Officer (DPO). While it may not be mandatory in all jurisdictions, having a DPO is considered an ideal and proactive step towards robust data protection practices and ensuring compliance with relevant laws.
Alternatively, an External Data Protection Officer serves as an excellent solution for businesses facing limited resources or financial constraints. They not only monitor data protection laws but also provide expert guidance on complex data protection matters. This option enables businesses to maintain compliance without the burden of an internal appointment.
5. Smooth Data Transfer with EU Countries
Companies that operate in both Switzerland and the European Union might be happy to learn that the revised FADP aligns data transfer rules with the EU. This makes moving data between Switzerland and EU countries much easier and business operations smoother. According to SME Portal Switzerland, ‘companies that have already complied with the EU General Data Protection Regulation (GDPR) will have minimal changes to make.’
New FADP vs. GDPR
The new Swiss FADP shares similarities with the European Union's GDPR in protecting individuals' data rights and enforcing penalties for non-compliance. However, there are notable differences between the two:
- The FADP is not a carbon copy of the GDPR, and there are a few points where the nFADP will be even stricter than the GDPR. According to PwC, Swiss-based companies that are already GDPR-compliant should consider adapting the provisions of the revFADP for data processing outside the GDPR's scope to benefit from its flexibility or less stringent provisions. EU companies looking to operate in Switzerland, by contrast, must ensure compliance with the FADP when handling personal data that falls under the territorial scope of the Swiss market.
- According to Adnovum, the FADP can fine private individuals up to 250,000 CHF for non-compliance, whereas the GDPR allows for administrative fines up to 4% of a company's global annual revenue or 20 million EUR (whichever is greater).
- Under the FADP, data breaches must be reported to the Federal Data Protection and Information Commissioner as soon as possible, whereas the GDPR requires reporting to the competent EU supervisory authority within 72 hours.
- The FADP requires a Data Protection Impact Assessment (DPIA) for high-risk privacy cases, and consultation with a Data Protection Advisor if the risk persists. In contrast, the GDPR requires consultation with the supervisory authority.
- The designation of a Data Protection Officer (DPO), also known as a Data Protection Advisor (DPA) in Switzerland, is not obligatory, but it is highly encouraged. Under certain circumstances, by contrast, the GDPR mandates the appointment of a DPO.
- FADP regulates profiling and sensitive data with consent obligations for high-risk cases, while GDPR's sensitive data covers a broader range, including racial/ethnic origin, political opinions, religious beliefs, genetic/biometric data, and health information.
Why is Switzerland updating the FADP?
In response to the rapid technological advancements in recent years, it has become increasingly apparent that the current FADP, which was enacted in 1992, is no longer adequately equipped to address the evolving challenges in data security. Over the years, the Swiss Data Protection Act has remained unchanged and did not keep pace with the emergence of new threats and the growing importance of protecting sensitive information in the digital age. Upon recognizing this need for reform, the Swiss government has taken the initiative to update and improve the law, aiming to provide more robust guidelines and regulations to protect personal data from modern security risks effectively.
Harmonizing the law with the EU's GDPR is another crucial goal. Although the revised version was expected to take effect on 1 January 2022, it has been postponed to September 2023. This update ensures alignment with EU standards, allowing the free movement of data with the European Union, thereby helping Swiss companies maintain competitiveness in the global market.
Conclusion
The revised Swiss Federal Act on Data Protection (nFADP) is a massive step towards enhancing data privacy and security in Switzerland. It is therefore essential for companies intending to operate in the Swiss market to understand the updates, comply with these regulations, and demonstrate their commitment to data protection.