Data Privacy in Switzerland

Switzerland’s Revised Federal Act on Data Protection (FADP)

In an effort to increase data privacy and transparency in Switzerland and to give individuals more control over their data, the Swiss Federal Council presented a revision of the Federal Act on Data Protection (FADP) in September 2017. Switzerland approved the revision in 2020 and it will go into effect on September 1, 2023. The main objective behind the revision is to raise the laws related to data privacy in Switzerland to the level of the GDPR. It stresses supplying extended information for data extraction, imposes stricter sanctions, and requires companies to maintain precise records of data that has been extracted, in order to create an optimal environment for data privacy in Switzerland. The revised FADP differs from the existing Data Protection Act because it does not protect the data of legal entities but instead sticks to protecting the personal data of individuals.

Key Definitions

Controller of the Data File

Any information relating to a person, which enables the identification of such person, whether directly or indirectly, but not including the information of deceased persons.

Personal Data

All information relating to an identified or identifiable person.

Data File

Any set of personal data that is structured in such a way that the data is accessible by data subject (i.e. retrievable per individual).

Processing

Any operation with personal data, irrespective of the means applied and the procedure, and in particular the collection, storage, use, revision, disclosure, archiving or destruction of data.

Key Principles of FADP

Consent

Previously, the DPA allowed data controllers leniency when it came to consent. The data controller was allowed to combine all processing purposes into one single consent request, which left room for discrepancies. Under the revised FADP, data controllers will have to obtain explicit and specific consent for one or more specific processing purposes.

Data Breaches

The FADP mandates that data controllers report high-risk breaches, first and foremost, to the Swiss Federal Data Protection and Information Commissioner (FDPIC). The controller must also inform the affected person(s).

Sanctions

The revised FADP defines clear sanctions in case of a breach. It stipulates that individuals who intentionally breach the new Swiss Federal Act on Data Protection will face fines of up to CHF 250,000.

Data Protection Impact Assessment

Organizations that process personal data, as well as data controllers, are required to conduct a data protection impact assessment. Its purpose is to assess whether the processing would involve a risk to the fundamental rights of the individual whose data is being processed.

Core Differences Between the Revised FADP and GDPR

Objective
  Revised FADP: Aims to protect the personal and fundamental rights of natural persons whose data is being processed.
  GDPR: Protects the fundamental rights of natural persons to safeguard their personal data and sets rules relating to the free movement of personal data.

Controller & Processor Relationship
  Revised FADP: Requires that data exports be mentioned, although it doesn’t demand detailed content requirements nor an explicit contractual obligation. It holds all participating persons liable.
  GDPR: Demands minimal contents and details of the controller–processor relationship but requires contractual specification of responsibilities between the two parties. The processor also has limited liabilities.

Territorial Scope
  Revised FADP: Applicable to fact patterns that have an effect in Switzerland, even if they occurred abroad.
  GDPR: Applicable to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

In Case of a Breach
  Revised FADP: The controller must only inform the FDPIC in case of high risk. There is no 72-hour notice limit. Affected persons only need to be notified if ‘necessary for the protection of the data subject’.
  GDPR: Data breaches bearing risks for data subjects must be reported to the data protection authority within 72 hours. The GDPR requires that affected persons be notified in case of high risk to the individual.

Data Protection Officer (DPO)
  Revised FADP: Organizations have no obligation to hire a dedicated DPO. They’re only advised to have a Data Protection Advisor, but it’s not a legal requirement.
  GDPR: Requires businesses passing certain thresholds to appoint a DPO.

The information on this page is provided for educational purposes only and should not be confused with or construed as Annex Cloud’s compliance capabilities or scope. Learn more about Annex Cloud’s enterprise-ready solution, including security, privacy and compliance.