The Revised Swiss Federal Act on Data Protection

On 25 September 2020, the parliament of Switzerland replaced its long-existing Federal Act on Data Protection of 1992 (“1992 Law”) with a modernized version, the Federal Act on Data Protection 2020 (“revised FADP”). The revised FADP is expected to come into effect on 1 September 2023.

The revised FADP has brought several significant changes to the previous data protection law in line with the recent technological advancements. The Federal Data Protection and Information Commissioner (FDPIC) has recently published a guide explaining the changes to be introduced by the revised FADP.

Some of the key changes introduced in the revised FADP are explained below:

Personal Data

Both the 1992 Law and revised FADP define personal data as any information relating to an identified or identifiable natural person. As per the 1992 Law, the processing of information relating to an identified or identifiable legal person, such as a commercial organization, is considered personal data.

However, the revised FADP does not govern the processing of personal data relating to legal persons. All other categories of information that are present in the 1992 Law, such as any information that directly identifies a person or information that allows identification indirectly by reference to additional information, continues to be considered personal data under the provisions of the revised law.

Sensitive Personal Data

As per the 1992 Law, the following categories of personal data are considered sensitive:

• Personal data concerning religious, ideological, political, or trade union-related views or activities,
• Personal data concerning health, the intimate sphere, or the racial origin of an individual,
• Personal data concerning social security measures, and
• Personal data concerning administrative or criminal proceedings and sanctions.

Retaining the above categories, the revised FADP has added two additional categories:

• Genetic data, and
• Biometric data that uniquely identifies an individual.

Privacy-by-Design and Privacy-by-Default

The revised FADP introduces the principles of privacy-by-design and privacy-by-default. The privacy-by-design requires organizations to implement the data protection principles in line with the FADP from the planning or design stage by putting in place appropriate technical and organizational measures and designing applications and systems in a way that data is anonymized or deleted by default. The privacy-by-default, on the other hand, requires organizations to enable privacy-compliant options by default.

Data Subjects’ Rights

In the 1992 Law, data subjects have the following rights:

• The right to receive information about the processing,
• The right to access,
• The right to rectification and deletion,
• The right to receive a copy of the personal data,
• The right to transfer personal data to another controller,
• The right to object to the processing of personal data, and
• The right to complain to the Federal Data Protection and Information Commissioner (FDPIC).

In addition to the aforementioned rights of data subjects, the revised FADP has introduced the following two new rights:

• The right to data portability: allows data subjects to receive and transmit their data in a commonly used, readable electronic format. This must be done with the consent of the data subject, or directly in accordance with a contract This right is free of cost with the exception where the fulfillment of the data subject’s request requires disproportionate effort by the controller.
• The right to intervene in case of automated decision-making: requires data controllers to inform data subjects of decisions that are solely based on automated processing and which have legal effects on data subjects or affect them significantly so that data subjects can choose not to be subject to automated decision-making.

Increased Obligations on Organizations

The data processing principles of lawfulness, good faith, transparency, purpose limitation, accuracy, and data security of the 1992 Law continue to apply in the revised FADP. However, the revised FADP has introduced further responsibilities on organizations which are as follows:

• Enhanced Information Obligation
  Data controllers must inform data subjects about the controller’s identity, contact details, the purpose of the processing of data, the identity of recipients of data and categories of data recipients in case of data transfer to third parties, the jurisdiction where the data is transferred to, and requisites safeguards implemented in case of cross-border data transfer. As per the new FADP, private data controllers must notify the data subjects in advance every time-sensitive data or data for profiling is collected, whether directly or indirectly. The obligation to provide information does not apply to personal data that is just acquired incidentally or along the way.
• Records of Processing Activities
  Both data controllers and data processors must maintain records of their data processing activities. This obligation does not apply to companies with less than 250 employees and whose processing entails only a low risk of infringing the personality of data subjects.
• Data Protection Officers (DPOs)
  The revised FADP stipulates that businesses can appoint a DPO, who does not necessarily need to be the business employee. In the case of a private business, the appointment of the DPO is discretionary, whereas, for federal bodies, it is obligatory. Any data protection-related advice should be kept separate from the business’s other legal advice and activities.
• Data Protection Impact Assessments
  Data protection impact assessments (DPIAs) are mandatory whenever data processing activity is likely to cause a high risk to an individual's personality or fundamental rights. The processing's nature, scope, context, and purposes—particularly when adopting new technologies—all carry a significant risk. Where the processing involves sensitive personal data on a broad scale or systematic monitoring of extensive public areas, data controllers must carry out a data protection impact assessment to assess the risks of such processing and mitigate those risks. If high risks are continually identified by DPIA despite taking appropriate measures, data controllers then must seek an opinion from FDPIC. FDPIC can either suggest any clarifications and changes to the DPIA itself or can advise the controller of the proper modification measures. An important point to note here is that FDPIC is not an approval body, its opinions do not have a binding effect, and at the same time, these are not subject to challenge either. If the requirements and recommendations are not followed, controllers must anticipate that such data processing relevant to the FDPIC's recommendations may be subject to decisions. This can go as far as FDPIC outrightly forbidding data processing.
• Codes of Conduct
  Professional, trade, and business associations are encouraged by the new FADP to create their own codes of conduct and submit them for review by the FDPIC and later published. This helps organizations to avoid having to create their own support and guidelines for the implementation of the new FADP. The benefit of this type of self-regulation is that data controllers do not need to perform their own DPIAs if they abide by a code of conduct that is based on an older, still-applicable DPIA, includes safeguards for personal information and fundamental rights, and has been approved by the FDPIC.
• Certifications
  As per the revised FADP, operators and manufacturers can have their services, products, and systems certified. Businesses can demonstrate that they have a suitable data protection management system in place and that they follow the principle of privacy by default. A private data controller can even skip the DPIA if they use a certified system, product, or service.

Mandatory Breach Notification Obligation

Under the revised FADP, data controllers must notify all data losses that are expected to cause a high risk to the personality rights or the fundamental rights of data subjects to the FDPIC as soon as possible. Data controllers may also be required to notify personal data breaches to data subjects if there is a need to protect data subjects or if requested by the FDPIC.

With the introduction of the mandatory breach notification obligation, data controllers are no longer required to register their data files with the FDPIC if they process sensitive personal data or regularly disclose personal data to third parties, as they are required to do so in the 1992 Law. Only instances of privacy breach or fundamental rights violation must be reported to the FDPIC; unsuccessful or successfully thwarted cyberattacks need not be reported.

Cross-Border Data Transfers

The revised FADP allows cross-border data transfers to only those countries that provide an adequate level of data protection. For all other countries and in the absence of an adequacy decision by the Federal Council, data controllers and data exporters may rely on treaties and use contractual measures such as the standard contractual clauses and binding corporate rules.

The FDPIC maintains a list of countries that provide an adequate level of data protection that is reviewed at least once annually. Following the decision of the Court of Justice of the European Union in the Schrems II case, the FDPIC has removed the United States from the list of “adequate level of protection under certain circumstances” and has declared that data protection is insufficient in the United States.

As a result, the Swiss-US Privacy Shield can no longer be relied on for cross-border data transfer. Cross-border data transfer to countries that won’t be included in the list of adequate countries can take place only if adequate data protection is guaranteed by other means, such as through international treaties, data protection clauses, or binding corporate rules.

Swiss Representatives

Under the revised FADP, all organizations that are established outside Switzerland are required to have a representative in Switzerland where the data processing (1) is related to the offering of goods or services in Switzerland or monitoring of their behavior, (2) is extensive, (3) takes place regularly in Switzerland, and (4) is likely to result in a high risk to the personality of data subjects. No such obligation exists to appoint a Swiss representative under the 1992 Law.

Investigation Process

The revised FADP requires the FDPIC to automatically investigate all violations of the legislation by federal bodies as well as private persons.

FDPIC Authority & Decisions

According to the revised FADP, FDPIC can now conduct proceedings under the Administrative Procedure Act. This mandates FDPIC to formally rule against federal bodies or private data processors and controllers, who can then appeal the ruling/decision to the Federal Administrative Court. In addition, it also empowers FDPIC to adjust data processing in full or in part, halt or even cease data processing, and erase or have personal data deleted in case of non-compliance.

Severe Fines

Under the revised FADP, data controllers may be held criminally liable to pay a fine up to CHF 250K for any wilful misconduct. This amount is significantly high compared to the amount of CHF 10,000 in the 1992 Law and applies to a broad range of violations. Any such fine will be imposed by a competent jurisdiction court of law.

Companies are also now subject to fines of up to CHF 50,000 if identifying the criminally responsible natural person within the company or organization would require a disproportionate effort. Moreover, as per the revised FADP, the FDPIC cannot impose sanctions and also cannot file a complaint. The fines are imposed by the prosecution authorities, and FDPIC can only report an offense and enforce the rights of a private claimant in proceedings. Violations such as failure to provide information, to report the breach of professional confidentiality, etc., are only punishable on a complaint.

What’s Next?

Organizations must proactively manage and avoid potential personal data breaches and review their data protection policies in line with the requirements of the upcoming Swiss Federal Act on Data Protection.

Ask for a DEMO today to understand how Securiti can help you comply with the Swiss revised Federal Act on Data Protection, GDPR, e-Privacy Directive, and a whole host of other global privacy laws and regulations with ease.