Although Switzerland is a member of neither the EU nor the EEA, the EU's GDPR has pushed the Swiss legislature to modernize its data protection law in line with international standards. On 25 September 2020, the Swiss Parliament adopted the revised Federal Act on Data Protection (FADP), replacing the original 1992 Act. The revised FADP entered into force on 1 September 2023, together with its implementing ordinances.
Even though the right to privacy is guaranteed under Article 13 of the Swiss Federal Constitution, a dedicated and detailed data protection law is what gives data subjects concrete, enforceable rights over their personal data.
The Federal Data Protection and Information Commissioner (FDPIC) is the supervisory authority that enforces the FADP. The FDPIC has broad investigative powers and may require businesses, organizations, or any Federal authority to:
The FADP applies to private persons (businesses and individuals) and to Federal authorities that process personal data.
The FADP governs the processing of personal data, which covers any operation on the data: collecting, storing, altering, disclosing, archiving, deleting, or any other use. Processing carried out by a natural person exclusively for personal use (the household exemption) falls outside the law. Sector-specific statutes, such as those for banking, telecommunications, and healthcare, impose additional requirements on top of the FADP.
The FADP's territorial reach extends beyond Switzerland: the revised Act applies to any matter that has an effect in Switzerland, even if it is initiated abroad, so foreign entities that process the personal data of persons in Switzerland fall within scope.
The FADP defines personal data as any information relating to an identified or identifiable natural person (the 1992 Act also covered legal persons; the revised FADP drops them). This information includes, but is not limited to:
The FADP defines the following as sensitive personal data:
The FADP treats public and private processing differently. Federal authorities may process personal data only where a legal basis permits it. Private controllers, by contrast, may process personal data without a specific legal basis, provided the processing complies with the FADP's principles (lawfulness, good faith, proportionality, purpose limitation, accuracy, and data security) and does not unlawfully breach the data subject's personality rights.
Where consent is relied upon as the justification for processing, it is valid only if it is informed and given voluntarily. Consent must additionally be explicit for the processing of sensitive personal data, for high-risk profiling by a private person, and for any profiling by a Federal body. Data subjects may withdraw their consent at any time, and the FDPIC's guidance on cookies and tracking applies the same informed-consent standard to websites that rely on consent for such processing.
Under the current (1992) FADP, any private controller that regularly processes sensitive personal data or personality profiles, or regularly discloses personal data to third parties, must register its data files with the FDPIC, unless it has appointed a data protection officer and notified the FDPIC of that appointment. The revised FADP abolishes this registration obligation and replaces it with the duty to keep records of processing activities.
The FADP requires businesses to process personal data lawfully and in good faith, in a manner that is proportionate and consistent with the purposes communicated to data subjects at collection, for example in the business's privacy notice.
The FADP's data security obligation applies to every controller and processor: personal data must be protected by appropriate technical and organizational measures against unauthorized processing, and the revised FADP and its ordinance set minimum requirements for these measures. Businesses in regulated sectors, such as medical device manufacturers, hospitals and other healthcare providers, energy suppliers, banks, and telecommunications service providers, face additional sector-specific security requirements on top of this baseline.
The current FADP does not impose a data breach notification requirement on businesses. The revised FADP requires data controllers to notify the FDPIC as soon as possible of any data security breach that is likely to result in a high risk to the personality or fundamental rights of data subjects, and to inform the affected data subjects where this is necessary for their protection or where the FDPIC requests it.
However, data controllers will need to:
Neither the current FADP nor the revised FADP makes it mandatory for private businesses and organizations to appoint a DPO (called a data protection advisor in the revised Act); appointment is voluntary, although Federal bodies must appoint one. A DPO should have the professional knowledge and expertise needed to carry out the role, and must be able to act independently of the controller.
The revised FADP requires data controllers to carry out a DPIA whenever the intended processing is likely to result in a high risk to the personality or fundamental rights of data subjects. Large-scale processing of sensitive personal data and systematic, extensive monitoring of public areas are named as examples of such high-risk processing.
The revised FADP requires data controllers and data processors to maintain records of processing activities (RoPA). Businesses with fewer than 250 employees are exempt, but only if their processing poses a low risk to the personality or fundamental rights of data subjects; small businesses that process sensitive data on a large scale or carry out high-risk profiling must still keep records.
Regarding third-party processing, a controller may outsource processing to a processor only by agreement or by law, and only if the processor processes the data as the controller itself would be permitted to and no statutory or contractual duty of confidentiality prohibits it. The processor may engage a sub-processor only with the controller's prior approval, and the controller must inform data subjects of the recipients or categories of recipients of their personal data.
Data controllers must inform data subjects if they intend to transfer their personal data abroad, and must specify the countries to which the data will be transferred. Transfers are permitted without further safeguards only to countries the Federal Council recognizes as providing adequate protection; otherwise the controller must rely on appropriate safeguards (such as standard contractual clauses or binding corporate rules) or on one of the statutory exceptions.
The FADP requires businesses to be transparent by informing data subjects that their personal data is being collected and for what purposes. Under the revised FADP, this duty to inform applies to every collection of personal data, whether or not the data is obtained directly from the data subject, and the information must at least cover the identity and contact details of the controller, the purposes of the processing, and any recipients or categories of recipients, including those abroad.
The FADP gives data subjects the right to access their personal data and to receive a copy of the personal data being processed. Data subjects may also ask the controller for the origin of the data, the purposes of the processing, the categories of personal data processed, the recipients or categories of recipients, and, where applicable, the existence of automated individual decision-making and the logic on which it is based.
Under the FADP, data subjects have the right to have inaccurate personal data rectified by making a request to the controller. The controller may refuse rectification only on a legal basis, for example where a statute prohibits the change; where the accuracy of the data cannot be established, the data subject may require that a note of dispute be attached to it.
The FADP gives data subjects the right to have their personal data deleted. A controller may refuse deletion only where a legal basis justifies continued processing, for example a statutory retention obligation or an overriding private or public interest.
The FADP gives data subjects the right to object to the processing of their personal data. The right is not absolute: a controller may continue processing where it can show a justification, such as an overriding private or public interest, a legal obligation, or the data subject's own consent.
The revised FADP introduces a right to data portability: where personal data was provided to the controller and is processed automatically with the data subject's consent or in connection with a contract, the data subject may receive it in a commonly used electronic format and may request that it be transmitted to another controller.
Although the current FADP contains no such provision, the revised FADP requires controllers to inform data subjects when a decision is based solely on automated processing and has legal effects on them or affects them significantly. The data subject may then state their position and request that the decision be reviewed by a natural person.
The FDPIC supervises compliance with the FADP, while criminal sanctions are prosecuted by the cantonal authorities. Under the current FADP, the maximum fine is CHF 10,000. The revised FADP raises the maximum fine to CHF 250,000 and, unlike the GDPR, directs it at the responsible natural persons (for example, the executives or employees who willfully breached the Act) rather than at the company. Only where identifying the responsible individual would require disproportionate investigative effort may the business itself be fined, and then only up to CHF 50,000.
To comply with FADP, organizations must:
The global dynamics of accessing, protecting, and sharing personal data are changing rapidly. Organizations need to become more privacy-conscious in their processes and act as responsible guardians of their customers' data, while automating privacy and security operations so they can respond quickly. As the volume of users and personal data grows, organizations need automation to operationalize compliance at scale; many existing tools support only a narrow set of regulations or offer elementary, data-driven functions with significant restrictions.
Securiti binds reliability, intelligence, and simplicity working on the PrivacyOps framework to allow end-to-end automation for organizations. Securiti can help you stay compliant with Switzerland’s FADP and other privacy and security regulations worldwide. See how it works. Request a demo today.