Overview of Switzerland’s Federal Act on Data Protection (FADP)

1. Introduction

Although Switzerland is part of neither the EU nor the EEA, the EU's GDPR prompted the Swiss legislature to modernize its data protection law in line with international standards. On 25 September 2020, the Swiss Parliament adopted the revised Federal Act on Data Protection (FADP), replacing the Act of 1992; the revised Act entered into force on 1 September 2023. In this overview, "current FADP" refers to the 1992 Act and "revised FADP" to the 2020 revision.

Although the right to privacy is already guaranteed by Article 13 of the Swiss Federal Constitution, a dedicated data protection statute sets out the concrete obligations and rights that protect data subjects' personal data.

2. Regulatory Authority

The Federal Data Protection and Information Commissioner (FDPIC) supervises compliance with the FADP. Under the current FADP, the FDPIC investigates and issues recommendations; under the revised FADP it can open investigations of its own accord and issue binding orders against private persons and federal bodies, for example requiring them to:

  • Correct a data subject's personal data
  • Suspend the processing of personal data, in whole or in part
  • Delete personal data, in whole or in part

3. Who Needs to Comply with the Law

The FADP applies to private persons (businesses, organizations and individuals) and to federal bodies that process personal data.

3.1 Material Scope

The FADP governs the processing of personal data, where processing means any operation on personal data: collecting, storing, using, altering, disclosing, archiving, deleting, or otherwise handling it. Processing by a natural person exclusively for personal use is exempt. Sector-specific laws impose additional requirements on regulated industries on top of the FADP.

3.2 Territorial Scope

The FADP applies to the processing of personal data within Switzerland and, under the revised FADP, to any processing that has an effect in Switzerland even if it is carried out abroad. Foreign businesses that process the personal data of individuals in Switzerland are therefore within scope.

4. Definitions of Key Terms

4.1 Personal Data

The FADP defines personal data as any information relating to an identified or identifiable person. The current FADP covers both natural and legal persons; the revised FADP covers natural persons only. Examples include, but are not limited to:

  • A person's full name
  • A picture showing a person's face
  • An email address
  • A telephone number
  • A social security number
  • A customer number

4.2 Sensitive Data

The FADP defines the following categories as sensitive personal data:

  • Religious, ideological, political or trade union-related views or activities
  • Health data and data on the intimate sphere
  • Racial or ethnic origin
  • Genetic data
  • Biometric data that uniquely identifies a natural person
  • Data on administrative or criminal proceedings and sanctions
  • Data on social security measures

Genetic data and uniquely identifying biometric data were added to this list by the revised FADP.

5. Obligations for Organizations Under FADP

5.1 Lawful Basis Requirements

The FADP distinguishes between private persons and federal bodies. Private persons (businesses, organizations and individuals) do not need a specific legal basis to process personal data: processing is lawful as long as it respects the Act's processing principles (lawfulness, good faith, proportionality, purpose limitation, accuracy and data security) and does not unjustifiably infringe the personality rights of the data subject. Where it would, the controller needs a justification, which can be the data subject's consent, an overriding private or public interest, or a statutory provision. Federal bodies, by contrast, may only process personal data where a statutory basis authorizes it.

5.2 Consent Requirements

Under the FADP, consent is only valid if it is informed and freely given. Where consent is relied on for processing sensitive personal data or, under the revised FADP, for high-risk profiling, it must be explicit. Consent is one of several possible justifications rather than a general precondition for processing, so a business does not need consent for every processing activity; where it does rely on consent, however, that consent must be obtained in advance and be informed, freely given and, for sensitive data or high-risk profiling, explicit. Data subjects may withdraw their consent.

5.3 Registration Requirements

Under the current FADP, a private person that regularly processes sensitive personal data or personality profiles, or regularly discloses personal data to third parties, must register its data files with the FDPIC. Registration is not required if the business has appointed a data protection officer and notified the FDPIC of the appointment. The revised FADP abolishes this registration duty and replaces it with the record of processing activities described in section 5.9.

5.4 Privacy Notification

The FADP requires that personal data be processed lawfully, in good faith and proportionately, and only for the purpose stated at collection or evident from the circumstances. A business's actual processing must therefore match what it discloses in its privacy notice; processing that departs from the stated purposes is not transparent and breaches the Act.

5.5 Security Requirements

The FADP requires every controller and processor, regardless of sector, to protect personal data against unauthorized processing through appropriate technical and organizational measures. The revised FADP additionally introduces privacy by design and privacy by default and lets the Federal Council set minimum data security requirements by ordinance. Sector-specific rules (for example for banks, telecommunications providers, energy suppliers, hospitals and medical device manufacturers) add further security obligations on top of this baseline.

5.6 Data Breach Requirements

The current FADP contains no data breach notification requirement. The revised FADP requires a controller to notify the FDPIC as soon as possible of any breach of data security that is likely to result in a high risk to the personality or fundamental rights of the data subjects; processors must report breaches to the controller. The revised Act sets no fixed deadline such as the GDPR's 72 hours, but "as soon as possible" runs from the moment the controller learns of the breach.

The notification to the FDPIC must at least:

  • Describe the nature of the data breach
  • Describe its likely consequences for the data subjects
  • Describe the measures taken or proposed to remedy the breach and mitigate the risks

The controller must also inform the affected data subjects where this is necessary for their protection or where the FDPIC requests it.

5.7 Data Protection Officer Requirement (DPO)

Neither the current nor the revised FADP makes it mandatory for private businesses to appoint a DPO (the revised Act calls this role a data protection advisor), although federal bodies must appoint one. Appointing one is nevertheless encouraged: a business that appoints an advisor, notifies the FDPIC and publishes the advisor's contact details may consult the advisor instead of the FDPIC when a DPIA shows a high residual risk. The advisor must be independent of the business's processing decisions and have the professional knowledge needed to advise on data protection and to monitor compliance.

5.8 Data Protection Impact Assessment (DPIA)

The revised FADP requires a controller to carry out a DPIA where the intended processing is likely to result in a high risk to the personality or fundamental rights of data subjects, which is the case in particular for large-scale processing of sensitive personal data, systematic monitoring of extensive public areas, or high-risk profiling. The DPIA must describe the planned processing, assess the risks and set out the measures to address them. Where the DPIA shows that the processing would still present a high risk despite those measures, the controller must consult the FDPIC in advance (or its data protection advisor, see section 5.7).

5.9 Record of Processing Activities (RoPA)

The revised FADP requires controllers and processors to keep a record of their processing activities. Businesses with fewer than 250 employees are exempt unless they process sensitive personal data on a large scale or carry out high-risk profiling. Federal bodies must also report their records to the FDPIC.

5.10 Third-Party Processing Requirements

A controller may delegate processing to a third-party processor by contract or by law, provided that the processor only processes the data in the way the controller itself would be permitted to and no statutory or contractual duty of confidentiality prohibits the outsourcing. The controller remains responsible for ensuring that the processor is able to guarantee data security, and the processor may engage a sub-processor only with the controller's prior approval. Any consent the controller has obtained covers the processor only within the scope of the delegated processing.

5.11 Cross-Border Data Transfer Requirements

Personal data may be transferred abroad only where the destination country provides an adequate level of data protection (under the revised FADP the Federal Council maintains the list of such countries) or, failing that, where appropriate safeguards such as contractual clauses or binding corporate rules are in place, or a statutory exception applies. In addition, under the revised FADP controllers must inform data subjects that they intend to transfer personal data abroad and state the countries or international bodies to which the data is transferred and, where applicable, the safeguards relied on.

6. Data Subject Rights

6.1 Right to be Informed

Under the current FADP, the collection of personal data and its purpose must be evident to the data subject, and controllers must actively inform data subjects when they collect sensitive personal data or personality profiles. The revised FADP extends this duty to every collection of personal data: the controller must inform the data subject, at the latest at collection, of the controller's identity and contact details, the purpose of the processing and, where applicable, the recipients or categories of recipients and any transfer abroad.

6.2 Right to Access

The FADP gives data subjects the right to access their personal data and to receive a copy of the data being processed. Data subjects can also ask the controller for the origin of the data, the purposes of the processing, the categories of personal data processed, the recipients or categories of recipients and, under the revised FADP, the retention period (or the criteria used to determine it) and whether automated individual decisions are involved. The controller must generally respond within 30 days.

6.3 Right to Rectification

Under the FADP, data subjects have the right to have inaccurate personal data corrected by requesting rectification from the controller. The controller may refuse only where a statutory provision prohibits the correction. Where neither the accuracy nor the inaccuracy of the data can be proven, the data subject may require that a note of dispute be attached to the data.

6.4 Right to Erasure

The FADP gives data subjects the right to have their personal data deleted or destroyed. The controller may refuse where a statutory provision, such as a retention obligation, or an overriding interest requires that the data be kept.

6.5 Right to Object/Opt-Out

The FADP gives data subjects the right to object to the processing of their personal data, including the right to prohibit a specific processing activity or the disclosure of their data to third parties. The right is not absolute: the controller may continue processing where it has a justification recognised by the Act, such as a statutory obligation or an overriding private or public interest.

6.6 Right to Data Portability

The revised FADP introduces a right to data portability: the data subject can request their personal data in a commonly used electronic format, or have it transferred directly to another controller, where the processing is automated and is carried out with the data subject's consent or in direct connection with a contract.

6.7 Right Not to be subject to Automated Decision-Making

The current FADP contains no provisions on automated decision-making. The revised FADP requires controllers to inform data subjects when a decision is based solely on automated processing and has legal effects on them or significantly affects them. On request, the data subject can state their position and demand that the decision be reviewed by a natural person. This does not apply where the decision is directly connected with a contract and the data subject's request is met, or where the data subject has given explicit consent to the automated decision.

7. Penalties for Non-compliance

The FDPIC supervises compliance, but fines under the FADP are criminal penalties imposed by the cantonal prosecution authorities and courts. Under the current FADP the maximum fine is CHF 10,000. The revised FADP raises the maximum fine to CHF 250,000 for intentional breaches of, among other things, the duty to inform, the duty to provide access, the requirements for cross-border transfers and outsourcing, the minimum data security requirements and the professional duty of confidentiality.

The fine is directed primarily at the responsible natural person within the business rather than at the company. Only where identifying that person would require disproportionate investigative effort can the business itself be ordered to pay the fine instead, and then only up to CHF 50,000.

8. How an Organization Can Operationalize the FADP

To comply with the FADP, organizations should:

  • Maintain an up-to-date data inventory that distinguishes sensitive personal data from other personal data;
  • Map each processing activity to its FADP obligations and put the measures needed for compliance in place;
  • Disclose their processing activities transparently in formal policies and privacy notices;
  • Provide a user-friendly channel for data subject requests and a process to fulfil them within the 30-day statutory timeframe;
  • Operate a data breach detection and notification process that can reach the FDPIC and affected data subjects as soon as possible;
  • Catalog cross-border data flows from Switzerland and ensure each transfer meets the FADP's transfer requirements;
  • Establish procedures to generate and keep up to date the record of processing activities (RoPA);
  • Implement technical and organizational security measures appropriate to the risk; and
  • Conduct data protection impact assessments where the FADP requires them.

9. How can Securiti Help

The global dynamics of accessing, protecting and sharing personal data are changing rapidly, requiring organizations to become more privacy-conscious in their processes and responsible guardians of their consumers' data, while automating privacy and security operations so they can act swiftly.

With a growing base of users and prospective users, organizations need automation to operationalize compliance at scale. Many software products promise compliance with global privacy regulations, but most stop at narrow or elementary data-driven functions.

Securiti combines reliability, intelligence and simplicity on the PrivacyOps framework to enable end-to-end automation. Securiti can help you comply with Switzerland's FADP and other privacy and security regulations worldwide. See how it works and request a demo today.
