In an effort to increase transparency and give individuals more control over their data, the Swiss Federal Council presented a revision of the Federal Act on Data Protection (FADP) in September 2017. Switzerland approved the revision in 2020 and it will go into effect on September 1, 2023. The main objective behind the revision is to raise Swiss data protection laws to match GDPR. It stresses supplying extended information for data extraction and stricter sanctions, and requires companies to maintain precise records of data that has been extracted. The FADP differs from the existing Data Protection Act because it does not protect the data of legal entities but rather sticks to protecting the personal data of individuals.
Private persons or federal bodies that decide on the purpose and content of a data file.
All information relating to an identified or identifiable person.
Any set of personal data that is structured in such a way that the data is accessible by data subject.
Any operation with personal data, irrespective of the means applied and the procedure, and in particular the collection, storage, use, revision, disclosure, archiving or destruction of data.
Previously, the DPA allowed leniency to data controllers when it came to consent. The data controller was allowed to combine all processing purposes into one single consent request, which left room for discrepancies. Under FADP, data controllers will have to obtain explicit and specific consent for one or more specific processing purposes.
FADP mandates that data controllers must report high-risk breaches, first and foremost, to the Swiss Federal Data Protection and Information Commissioner. The controller must also inform the affected person(s).
The revised FADP defines clear sanctions in case of a breach. It stipulates that individuals who intentionally breach the new Swiss Federal Act on Data Protection will face fines of up to CHF 250,000.
Organizations that process personal data as well as data controllers are required to conduct a data protection impact assessment. This is to assess whether the processing would involve risk to the fundamental rights of the individual whose data is being processed.