Switzerland’s Revised Federal Act on Data Protection (FADP)

In an effort to increase transparency and give individuals more control over their data, the Swiss Federal Council presented a revision of the Federal Act on Data Protection (FADP) in September 2017. The Swiss Parliament adopted the revised act in September 2020, and it enters into force on September 1, 2023. The main objective of the revision is to bring Swiss data protection law into line with the GDPR. It expands the duty to inform data subjects when their personal data is collected, introduces stricter sanctions, and requires controllers and processors to keep a record of their processing activities. The revised FADP also differs from the previous act in that it no longer protects the data of legal entities; it protects only the personal data of natural persons.

Key Definitions

Controller

A private person or federal body that, alone or jointly with others, decides on the purpose and means of processing personal data. The previous act referred to this role as the "controller of the data file".

Personal Data

Any information relating to an identified or identifiable natural person.

Data File

Under the previous act, any set of personal data structured in such a way that the data is accessible by data subject. The revised FADP drops this concept and instead regulates the processing of personal data as such.

Processing

Any operation with personal data, irrespective of the means applied and the procedure, and in particular the collection, storage, use, revision, disclosure, archiving or destruction of data.

Key Principles of FADP

Consent

Previously, the DPA was lenient with data controllers when it came to consent: a controller could bundle all processing purposes into a single consent request, which left room for ambiguity. Under the revised FADP, consent is valid only if it is given voluntarily for one or more specific processing purposes after the data subject has been adequately informed. Explicit consent is required for the processing of sensitive personal data and for high-risk profiling.

Data Breaches

The revised FADP requires data controllers to report data security breaches that are likely to result in a high risk to the data subject's personality or fundamental rights to the Swiss Federal Data Protection and Information Commissioner (FDPIC) as soon as possible. The controller must also inform the affected person(s) where this is necessary for their protection or where the FDPIC requests it.

Sanctions

The revised FADP defines clear sanctions for violations of the act. Private individuals who intentionally breach specified obligations of the new Swiss Federal Act on Data Protection (for example, the duty to inform or the duty to cooperate with the FDPIC) face fines of up to CHF 250,000.

Data Protection Impact Assessment

Data controllers are required to conduct a data protection impact assessment before processing that is likely to involve a high risk to the personality or fundamental rights of the data subjects. The assessment describes the planned processing, evaluates the risks to the individuals concerned, and sets out the measures taken to protect them.

Core Differences Between the Revised FADP and GDPR

Objective
Revised FADP: Aims to protect the personality and fundamental rights of natural persons whose data is being processed.
GDPR: Protects the fundamental rights of natural persons with regard to the processing of their personal data and lays down rules on the free movement of personal data.

Controller and Processor Relationship
Revised FADP: Processing may be assigned to a processor on the basis of a contract or of the law, but the act does not prescribe detailed mandatory contract contents. Each party is liable under general Swiss civil law for its own conduct.
GDPR: Prescribes the minimum contents of the controller-processor contract and requires that the responsibilities of the two parties be set out contractually. The processor's liability is limited to breaches of its own obligations under the regulation.

Territorial Scope
Revised FADP: Applies to circumstances that have an effect in Switzerland, even if they originate abroad.
GDPR: Applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether the processing takes place in the Union or not.

In Case of a Breach
Revised FADP: The controller must inform the FDPIC only where the breach is likely to result in a high risk, and must do so as soon as possible; there is no fixed 72-hour deadline. Affected persons need to be notified only where this is necessary for their protection or where the FDPIC requests it.
GDPR: Data breaches that are likely to result in a risk to data subjects must be reported to the supervisory authority within 72 hours. Affected persons must be notified where the breach is likely to result in a high risk to them.

Data Protection Officer (DPO)
Revised FADP: Organizations have no obligation to appoint a dedicated DPO. Private controllers may voluntarily appoint a data protection advisor, but this is not a legal requirement.
GDPR: Requires a DPO for public authorities and for organizations whose core activities involve regular and systematic large-scale monitoring of individuals or large-scale processing of special categories of data.

The information on this page is provided for educational purposes only and should not be confused with or construed as Annex Cloud’s compliance capabilities or scope.


©2021 All Rights Reserved. AnnexCloud