
Switzerland’s Federal Act on Data Protection FADP

Published February 7, 2022 / Updated August 16, 2024
Author

Omer Imran Malik

Senior Data Privacy Consultant at Securiti

FIP, CIPT, CIPM, CIPP/US


1. Introduction

While Switzerland is not a member of the EU or the EEA, the EU's GDPR prompted the Swiss government to bring its data privacy law into line with international standards. On 25 September 2020, the Swiss parliament approved the revised Federal Act on Data Protection (FADP), replacing the previous 1992 Act. The revised FADP took effect on 1 September 2023.

Even though the right to privacy is guaranteed under Article 13 of the Swiss Federal Constitution, a dedicated and thorough data protection law brings forward various provisions to protect data subjects' personal information.

2. Regulatory Authority

The Federal Data Protection and Information Commissioner (FDPIC) is the regulatory authority that enforces the provisions of the FADP. The FDPIC has broad powers where it may require controllers to, amongst other things:

  • Comply with their obligations under the FADP,
  • Correct, cease, or suspend the processing of personal data, or
  • Delete personal data processed by them entirely or partially.

3. Who Needs to Comply with FADP

The FADP applies to businesses and federal authorities that process personal data.

3.1 Material Scope

The FADP governs the processing of personal data of natural persons. Processing means any operation in relation to personal data, irrespective of the means and methods used, such as collection, storage, alteration, disclosure, archival, deletion, or any other use of personal data. At the same time, data processing carried out by individuals for exclusively personal use is exempt from the application of the FADP.

3.2 Territorial Scope

The FADP's territorial reach extends both within and outside Switzerland, based on the principle of effect: the FADP applies to any processing of personal data that has an effect in Switzerland, even if the processing itself takes place abroad.

4. Definitions of Key Terms

4.1 Personal Data

The FADP defines personal data as any information relating to an identified or identifiable natural person, that is, any information that directly or indirectly (with the help of other information held by an entity or that it can reasonably access) identifies a person. This information includes but is not limited to:

  • A person’s name,
  • Picture showing a person's face,
  • Email address,
  • Telephone number,
  • Social security number, or
  • Customer number.

4.2 Sensitive Data

The FADP defines the following as sensitive personal data:

  • Personal data on religious, philosophical, ideological, political, or trade union-related views or activities;
  • Personal data on health or the intimate sphere;
  • Data on racial or ethnic origin of a natural person;
  • Personal data on social assistance measures;
  • Personal data on administrative and criminal proceedings or sanctions;
  • Genetic data; and
  • Biometric data that unambiguously identifies a natural person.

5. Obligations for Organizations Under FADP

5.1 Lawful Basis Requirements

As per the FADP, any processing of personal data must be lawful. The FADP generally allows businesses, organizations, and natural persons to process personal data and does not impose lawful basis requirements for them. However, public authorities require a lawful basis for processing personal data.

5.2 Consent Requirements

Under the FADP, consent is only valid if it is informed, specific, and freely given. Data controllers need to obtain the express consent of data subjects where sensitive personal data is processed, high-risk profiling is carried out by a private person, or profiling is carried out by a federal body.

5.3 Duty to Inform

The FADP requires data controllers to adequately inform data subjects of the collection of their personal data. Data subjects should be provided with the information necessary to be able to assert their rights under the FADP, including, at the minimum:

  • Identity and contact details of the controller;
  • Categories of data collected (if not collected directly from the data subject);
  • Processing purposes; and
  • Recipients (including, in case of cross-border transfers, the name of the recipient country or international organization and other transfer details) or categories of recipients to whom personal data is transmitted.

5.4 Security Requirements

The FADP requires data controllers and processors (subcontractors) to adopt appropriate organizational and technical measures to ensure adequate security of personal data. These measures should be aimed at preventing data security breaches.

5.5 Data Breach Requirements

The FADP generally requires data controllers to notify the FDPIC, as soon as possible, of data breaches that are likely to result in high risks for data subjects. The breach notification should, at a minimum, include details about the nature of the breach, its consequences, and the measures taken or envisaged. Unless one of the exemptions under the FADP applies, data controllers should also notify data subjects of breaches where this is necessary for their protection or where the FDPIC requires it. The FADP also mandates data processors to notify controllers of breaches as soon as possible.

5.6 Data Protection Officer Requirement (DPO)

The revised FADP does not make it mandatory for businesses and organizations to appoint a Data Protection Officer (DPO). However, federal bodies processing personal data are obliged to appoint a DPO. The FADP also encourages businesses to appoint a DPO.

The appointed DPO must have the industry skills, professional capabilities, and expertise necessary to carry out their tasks, and if the DPO is an internal employee of the company, their primary job role must not conflict with the duties of a DPO. Further, a DPO must have access to the resources, files, and information repositories necessary to perform their duties. The contact details of a DPO appointed under the FADP must be published and submitted to the FDPIC.

5.7 Data Protection Impact Assessment (DPIA)

The revised FADP requires data controllers to perform DPIAs for high-risk processing activities, particularly for large-scale processing of sensitive personal data or the systematic monitoring of publicly accessible areas on a large scale. According to the revised FADP, a DPIA must include a comprehensive description of the planned processing, an assessment of the risks involved, and the measures planned to mitigate such risks.

The FADP exempts private controllers from performing a DPIA if:

  • they perform the processing activity on the basis of a legal obligation,
  • they use a system, product, or service certified as per Article 13 of the revised FADP, or
  • they comply with a code of conduct as per Article 11 of the revised FADP.

If the DPIA shows a significant risk to an individual's privacy and fundamental rights, even after the controller's proposed safeguards, they must seek the FDPIC's opinion. However, private controllers may skip this requirement where they have consulted their data protection advisor as per Article 10 of FADP.

5.8 Record of Processing Activities (RoPA)

The revised FADP requires data controllers and data processors to maintain records of processing activities. The controller's record must include the following essential information:

  1. their identity;
  2. the purpose of data processing;
  3. descriptions of data subjects and the personal data categories processed;
  4. recipient categories;
  5. where possible, the retention period or the criteria used to determine it;
  6. a general description of the security measures under Article 8; and
  7. if data is disclosed internationally, information about the relevant country and the guarantees under Article 16.

This record ensures transparency and demonstrates compliance with data protection requirements.

The processor's record must contain details on the identity of the processor and of the controller, and the categories of processing carried out on behalf of the controller. However, businesses with fewer than 250 employees that perform low-risk data processing activities are exempt from maintaining a RoPA.

5.9 Third-Party Processing Requirements

A processor may only assign processing to a third party with the prior approval of the controller. The FADP mandates that businesses transparently disclose, and provide a rationale for, the processing of individuals' personal data by third parties. In such cases, the third parties are bound by the same legal requirements attached to the data subject's consent when handling the personal data, which ensures that processing by third parties stays within the scope of that consent and of the law.

5.10 Cross-Border Data Transfer Requirements

Private companies and federal bodies may only transfer personal data to countries where an adequate level of data protection is guaranteed. The Federal Council issues a list of such countries after an assessment. If a country does not have an adequate level of data protection, cross-border transfers can rely on contractual guarantees.

In such cases, the controller is responsible for ensuring that the recipient complies with these contractual clauses. Federal bodies have the option to rely on binding corporate rules, approved by the FDPIC or a foreign data protection authority, to transfer personal data abroad. Moreover, the Federal Council may provide for suitable guarantees other than those mentioned in Article 16 of the FADP.

The data controllers are obliged to inform data subjects if they intend to transfer their personal data outside Switzerland, specifying the countries where their data is intended to be transferred.

5.11 Privacy by Design and Privacy by Default

To safeguard personal data and uphold users' privacy, controllers must apply the principles of privacy by design and privacy by default. This ensures that software, hardware, and services are set up to protect personal data from the design stage and throughout the processing lifecycle. The technical and organizational safeguards must be tailored to the state of the art, the nature and scope of the data processing, and the risks it may pose to the individual's personality or fundamental rights.

6. Data Protection Certification

The Federal Council has established the Data Protection Certification Ordinance (DPCO) to allow certification bodies to assess data processing systems, products, and services. Certified entities are exempt from certain data protection obligations and can demonstrate their compliance. This certification process enhances transparency and empowers individuals to choose products and services that prioritize data protection, improving overall data security.

7. Data Subject Rights

7.1 Right to be Informed

The FADP requires controllers to inform data subjects about the collection of their personal data and to be transparent about the processing purposes. The revised FADP specifies the minimum information that must be conveyed to a data subject at the time of collection. Additionally, data subjects must be informed if the controller uses automated decision-making, and the controller is obliged to publish the contact details of its DPO.

7.2 Right to Access

The FADP empowers data subjects with the right to access a copy of their personal data, which is being processed. Data subjects also have the right to submit an access request to the controller, seeking access to the following information:

  • Identity and contact details of the controller.
  • Details about the personal data and the purposes for its processing.
  • The retention period for personal data or, if not possible, the criteria used to determine this duration.
  • Background information regarding personal data, including its origin or sources.
  • Information about recipients or categories of recipients of personal data.
  • Insights on automated decision-making processes and the underlying logic behind their usage.

However, a controller may refuse, limit, or defer the provision of data in certain circumstances: where a legal obligation under Swiss law (such as professional secrecy) requires it, where the overriding interests of third parties must be protected, or where the data subject's request is manifestly unfounded, unrelated to data protection, or frivolous.

Furthermore, the controller may also invoke its own overriding interests to refuse, limit, or defer access, provided the personal data is not shared with third-party recipients. It is important to note that protection of the controller's business secrets is comparatively weaker under these conditions.

7.3 Right to Rectification

Under the FADP, data subjects have a right to rectify their inaccurate data by making a request to the data controller. However, the law also empowers the data controller to refuse any rectification requests if it is prohibited by law or if processing the personal data serves a public purpose.

7.4 Right to Erasure

The FADP empowers data subjects with the right to erasure. However, a data controller may refuse to delete the personal data of a data subject on a legal basis.

7.5 Right to Object/Opt-Out

The FADP provides data subjects a right to object/opt-out of the processing of their personal data. However, the right to object/opt-out isn’t absolute, meaning data controllers may continue to process the personal data of a data subject if the processing of personal data is necessary for their compliance obligations.

7.6 Right to Data Portability

The data subject has the right to receive a copy of their personal data and to request that their personal data be transferred to another data controller. These rights are subject to two conditions: the data controller processes the data automatically, and the processing is either based on the data subject's consent or directly related to the conclusion or performance of a contract with the data subject. The exceptions to the right of access also apply to data portability, and a controller can refuse a request if fulfilling it would entail a disproportionate effort.

7.7 Right Not to be Subject to Automated Decision-Making

The revised FADP mandates data controllers to inform data subjects if they use automated decision-making, including the logic involved and the potential consequences. Data subjects also have the right to be heard and to provide their input when automated systems are used to make decisions with significant effects on them. These obligations do not apply when the decision is connected to a contract with the data subject and the controller fulfills the data subject's request, or when the data subject has consented to the automated decision-making.

8. Fee

In addition to the activities already subject to fees (opinions on codes of conduct and data protection impact assessments, and approval of standard contractual clauses and binding corporate data protection rules), under the revised FADP the FDPIC also charges fees for investigations and other consultancy services. A fee ranging from CHF 150 to CHF 250 per hour applies, depending on the position of the staff delivering the service. Additional charges may be incurred for services demanding extraordinary effort, complexity, or urgency. The FDPIC may waive fees where the service serves the public interest or involves minimal effort. Complaints are processed free of charge.

9. Penalties for Non-Compliance

The FDPIC and the cantonal prosecutors enforce the provisions of the FADP. Under the previous FADP, data controllers violating the law could be fined up to CHF 10,000. Under the revised FADP, the maximum fine of CHF 250,000 is primarily directed against the responsible natural person. Criminal fines for deliberate breaches may be imposed in relation to specific duties, including:

  • Providing data collection and automated decision information.
  • Disclosing data upon a subject's request.
  • Cooperating with the FDPIC during investigations.
  • Complying with regulations for cross-border data transfers.
  • Adhering to processor assignment requirements.
  • Meeting minimum data security standards.
  • Upholding professional confidentiality.
  • Abiding by FDPIC rulings or court decisions.

Where identifying the individual responsible for a violation would require disproportionate investigative effort, the prosecutors may instead impose a fine of up to CHF 50,000 on the business or organization.

10. How an Organization Can Operationalize the FADP

To comply with FADP, organizations must:

  • Regularly maintain their data inventories and distinguish sensitive personal data and personal data;
  • Reevaluate the FADP obligations and adopt measures for seamless compliance;
  • Explicitly disclose their data processing activities through transparent formal policies and privacy notices;
  • Address the requests of data subjects and have a user-friendly platform to facilitate data subjects;
  • Have a thorough data breach notification system in place;
  • Catalog their processes and determine cross-border data flows from Switzerland to other countries, and fulfill cross-border requirements under the FADP;
  • Have a detailed data subject requests architecture in place;
  • Establish procedures to scan, track and produce RoPA reports for compliance;
  • Have robust technical and organizational security measures in place to protect their processing activities; and
  • Conduct data protection impact assessments as required under the FADP.

11. How Securiti Can Help

The global dynamics of accessing, protecting, and sharing personal data are rapidly changing, requiring organizations to become more privacy-conscious of their processes and responsible guardians of their consumers' data while automating privacy and security operations for swift action.

With a growing base of users and potential users, organizations must rely on automation to operationalize compliance without gaps. While multiple vendors offer software that helps companies comply with global privacy regulations, many of those solutions are limited by various restrictions or offer only elementary data-driven functions.

Securiti binds reliability, intelligence, and simplicity working on the PrivacyOps framework to allow end-to-end automation for organizations. Securiti can help you comply with Switzerland’s FADP and other privacy and security regulations worldwide.

Request a demo today to witness Securiti in action.


Frequently Asked Questions (FAQs)

FADP stands for "Federal Act on Data Protection" in Switzerland. It is the country's primary data protection legislation.

The new Federal Act on Data Protection (FADP), which took effect on September 1, 2023, differs from the GDPR in that private data controllers are subject to fines of up to 250,000 CHF, whereas in the EU, only organizations are accountable.

The updated FADP took effect on September 1, 2023. It contains amendments aimed at better protecting the private information of Swiss citizens. These amendments are designed to align with evolving technological landscapes and global data protection standards, emphasizing Switzerland's dedication to maintaining robust data privacy practices.

Switzerland is not an EU member state, so GDPR does not directly apply. However, Swiss data protection laws (FADP) align with GDPR principles in many areas.

Switzerland’s new data privacy law, called the revised Federal Act on Data Protection (FADP), started on September 1, 2023. It gives people more control over their data, requiring clear consent, breach notifications, and transparency from businesses. It’s pretty similar to the EU GDPR and focuses on keeping personal data safe.
