Published on October 16, 2020. Author: Privacy Research Team
On 25 September 2020, the parliament of Switzerland replaced its long-existing Federal Act on Data Protection of 1992 (“1992 Law”) with a modernized version, the Federal Act on Data Protection 2020 (“revised FADP”). The referendum period will end in January 2021 and the revised FADP is expected to come into effect in January 2022.
The revised FADP has brought several significant changes to the previous data protection law in line with the recent technological advancements. Some of the key changes introduced in the revised FADP are explained below:
Both the 1992 Law and the revised FADP define personal data as any information relating to an identified or identifiable natural person. Under the 1992 Law, information relating to an identified or identifiable legal person was also considered personal data; the revised FADP, however, no longer governs the processing of data relating to legal persons. All other categories of information covered by the 1992 Law, such as information that directly identifies a person or information that allows identification indirectly by reference to additional information, continue to be considered personal data under the revised law.
As per the 1992 Law, the following categories of personal data are considered sensitive:
Retaining the above categories, the revised FADP has added two additional categories:
In the 1992 Law, data subjects have the following rights:
In addition to the aforementioned rights of data subjects, the revised FADP has introduced the following two new rights:
The data processing principles of lawfulness, good faith, transparency, purpose limitation, accuracy and data security of the 1992 Law continue to apply in the revised FADP. However, the revised FADP has introduced further responsibilities on organizations which are as follows:
Under the revised FADP, data controllers must notify the FDPIC as soon as possible of any data loss that is expected to cause a high risk to the personality rights or the fundamental rights of data subjects. Data controllers may also be required to notify data subjects of a personal data breach if doing so is necessary to protect them or if the FDPIC so requests. With the introduction of the mandatory breach notification obligation, data controllers are no longer required to register their data files with the FDPIC when they process sensitive personal data or regularly disclose personal data to third parties, as the 1992 Law required.
The revised FADP allows cross-border data transfers only to countries that provide an adequate level of data protection. For all other countries, and in the absence of an adequacy decision by the Federal Council, data controllers and data exporters may rely on treaties and use contractual measures such as standard contractual clauses and binding corporate rules. The FDPIC maintains a list of countries that provide an adequate level of data protection, which is reviewed at least once a year. The list currently includes the countries of the European Union and the EEA and some non-European countries such as Argentina, Canada, New Zealand, and Uruguay as providing an equivalent and adequate level of data protection. Following the decision of the Court of Justice of the European Union in the Schrems II case, the FDPIC has removed the United States from the list of countries with an “adequate level of protection under certain circumstances” and has declared that data protection in the United States is insufficient. As a result, the Swiss-US Privacy Shield can no longer be relied on for cross-border data transfers.
Under the revised FADP, all organizations that are established outside Switzerland are required to have a representative in Switzerland where the data processing
Under the revised FADP, data controllers may be held criminally liable and fined up to CHF 250,000 for wilful misconduct. This is a significant increase over the CHF 10,000 maximum in the 1992 Law, and it applies to a broad range of violations. Any such fine is imposed by a court of competent jurisdiction.
The FDPIC has stated that it will issue a more detailed statement on the revised law once the referendum period has expired. Until then, organizations should proactively manage and prevent potential personal data breaches and review their data protection policies against the requirements of the upcoming Swiss Federal Act on Data Protection.