Published on September 14, 2022. Author: Privacy Research Team
On 25 September 2020, the parliament of Switzerland replaced its long-existing Federal Act on Data Protection of 1992 (“1992 Law”) with a modernized version, the Federal Act on Data Protection 2020 (“revised FADP”). The revised FADP is expected to come into effect on 1 September 2023.
The revised FADP has brought several significant changes to the previous data protection law in line with the recent technological advancements. The Federal Data Protection and Information Commissioner (FDPIC) has recently published a guide explaining the changes to be introduced by the revised FADP.
Some of the key changes introduced in the revised FADP are explained below:
Both the 1992 Law and the revised FADP define personal data as any information relating to an identified or identifiable natural person. Under the 1992 Law, information relating to an identified or identifiable legal person, such as a commercial organization, is also considered personal data.
The revised FADP, however, no longer governs the processing of data relating to legal persons. All other categories of information covered by the 1992 Law, such as information that directly identifies a person or information that allows indirect identification by reference to additional information, continue to be considered personal data under the revised law.
As per the 1992 Law, the following categories of personal data are considered sensitive:
Retaining the above categories, the revised FADP has added two additional categories:
The revised FADP introduces the principles of privacy-by-design and privacy-by-default. Privacy-by-design requires organizations to implement the data protection principles of the FADP from the planning or design stage, by putting in place appropriate technical and organizational measures and by designing applications and systems so that data is anonymized or deleted by default. Privacy-by-default, on the other hand, requires organizations to enable the privacy-compliant options by default.
In the 1992 Law, data subjects have the following rights:
In addition to the aforementioned rights of data subjects, the revised FADP has introduced the following two new rights:
The data processing principles of lawfulness, good faith, transparency, purpose limitation, accuracy, and data security of the 1992 Law continue to apply under the revised FADP. However, the revised FADP imposes the following further responsibilities on organizations:
Under the revised FADP, data controllers must notify the FDPIC as soon as possible of any data loss that is likely to result in a high risk to the personality rights or fundamental rights of data subjects. Data controllers may also be required to notify data subjects of a personal data breach if this is necessary to protect them or if the FDPIC requests it.
With the introduction of the mandatory breach notification obligation, data controllers that process sensitive personal data or regularly disclose personal data to third parties are no longer required to register their data files with the FDPIC, as the 1992 Law required. Only actual breaches of privacy or violations of fundamental rights must be reported to the FDPIC; unsuccessful or successfully thwarted cyberattacks need not be reported.
The revised FADP allows cross-border data transfers to only those countries that provide an adequate level of data protection. For all other countries and in the absence of an adequacy decision by the Federal Council, data controllers and data exporters may rely on treaties and use contractual measures such as the standard contractual clauses and binding corporate rules.
The FDPIC maintains a list of countries that provide an adequate level of data protection that is reviewed at least once annually. Following the decision of the Court of Justice of the European Union in the Schrems II case, the FDPIC has removed the United States from the list of “adequate level of protection under certain circumstances” and has declared that data protection is insufficient in the United States.
As a result, the Swiss-US Privacy Shield can no longer be relied on for cross-border data transfers. Transfers to countries not included in the list of adequate countries may take place only if adequate data protection is guaranteed by other means, such as international treaties, data protection clauses, or binding corporate rules.
Under the revised FADP, organizations established outside Switzerland must appoint a representative in Switzerland where the data processing (1) is related to the offering of goods or services in Switzerland or to the monitoring of the behavior of data subjects in Switzerland, (2) is extensive, (3) takes place regularly, and (4) is likely to result in a high risk to the personality of data subjects. The 1992 Law contains no such obligation to appoint a Swiss representative.
The revised FADP requires the FDPIC to investigate, on its own initiative, all violations of the legislation by federal bodies as well as by private persons.
Under the revised FADP, the FDPIC can now conduct proceedings under the Administrative Procedure Act. This allows the FDPIC to issue formal rulings against federal bodies or private data processors and controllers, who may then appeal the ruling to the Federal Administrative Court. It also empowers the FDPIC, in case of non-compliance, to order that data processing be adjusted in full or in part, suspended or terminated, and that personal data be erased or destroyed.
Under the revised FADP, data controllers may be held criminally liable and fined up to CHF 250,000 for wilful misconduct. This is a significant increase over the CHF 10,000 maximum under the 1992 Law, and it applies to a broad range of violations. Such fines are imposed by a court of competent jurisdiction.
Companies are also now subject to fines of up to CHF 50,000 where identifying the criminally responsible natural person within the company or organization would require a disproportionate effort. Moreover, under the revised FADP the FDPIC can neither impose sanctions nor file a complaint itself. Fines are imposed by the prosecution authorities; the FDPIC can only report an offense and enforce the rights of a private claimant in the proceedings. Violations such as failure to provide information or breach of professional confidentiality are punishable only on complaint.
Organizations must proactively manage and avoid potential personal data breaches and review their data protection policies in line with the requirements of the upcoming Swiss Federal Act on Data Protection.