Significant changes to the Swiss government’s approach to data protection flew somewhat under the radar for companies that prioritized compliance with the EU’s General Data Protection Regulation (GDPR). Aside from Swiss companies, any company that does business in Switzerland and processes personal data with an actual or potential effect in Switzerland must also comply with the updated data protection law. This article outlines everything you need to know about the Swiss data protection law.
The Revised Federal Act on Data Protection (FADP)
The revised Swiss Federal Act on Data Protection essentially implements stricter rules on the processing of personal data. When such processing occurs at a cantonal public body belonging to one of Switzerland’s 26 cantons, the cantonal data protection law applies rather than the revised FADP.
The original Swiss Federal Data Protection Act (DPA) came into force in 1993 when the technological, data security, and data privacy landscape looked a lot different. Now, increased digitization of services and increased data processing call for adequate data protection adapted to the prevailing technological and sociological developments.
Furthermore, with a data breach of sensitive personal data making media headlines all too often in recent years, the Swiss Federal Council felt it was time for an update to the rules that govern data processing activities involving this data.
Here are some key changes under the new law, which comes into force on September 1, 2023:
- Individuals who intentionally breach the rules face sanctions of CHF 250,000.
- The updated regulation governs only the processing of data belonging to natural persons (legal entities are no longer protected).
- A revised definition of sensitive personal data now includes biometric data that uniquely identifies an individual and genetic data. This is in addition to the existing definition, which includes personal data concerning religious, ideological, political, or trade union-related views or activities, health, and racial origin.
- There’s an increase in the fundamental rights of data subjects that expands from previous rights, such as the right of access, the right to know the purpose of the processing, and the right to deletion, to now include the right to data portability and the right to intervene when automated decision-making impacts data subjects.
- Data controllers must now inform data subjects about the identity of recipients of data and categories of data recipients in case of a data transfer to third parties.
- For high-risk data processing activities, one of the new safeguards is a mandatory data protection impact assessment for data controllers and data processors.
- It’s obligatory for data controllers to report high-risk data breaches to the Federal Data Protection and Information Commissioner (FDPIC).
FADP vs. GDPR
It’s important to note that while the Swiss federal authorities took inspiration from and used the EU General Data Protection Regulation as a baseline for changing Switzerland’s approach, there are important differences (and many similarities) between the two privacy laws.
A major difference is that under GDPR every data processing operation requires a defined legal basis, a requirement the FADP does not impose. Under GDPR, one of six legal bases (including consent, public interest, or legitimate interest) must apply to justify the processing of personal data. Swiss law does not require this justification, although the explicit consent of the data subject is required for high-risk profiling (e.g., personality profiles) or when processing particularly sensitive personal data.
Data Protection Officer (DPO)
Another difference is that the European Commission makes it mandatory for organizations to appoint a data protection officer (DPO) if they are public authorities/bodies or if the organization’s core activities involve the processing of sensitive data on a large scale or involve large-scale, regular and systematic monitoring of individuals.
Appointing a DPO is not obligatory (but it is recommended) for private companies under FADP. For federal bodies, a DPO is mandatory.
Data Breach Notifications
Companies that process personal data and discover a breach face different reporting requirements. Under FADP, prompt notification is required only if ‘necessary for the protection of the data subject’. Furthermore, such data breaches don’t have a strict time limit for reporting under FADP, whereas, under GDPR, a 72-hour time limit is in place from the time a company becomes aware of a breach.
International data transfers are treated pretty similarly. Data flows are allowed under both regulations to third countries with adequate data protection. The Swiss Federal Council publishes a list of third countries and whether their data protection is deemed adequate (all EEA countries meet the requirement). Where a third country’s data protection is deemed inadequate, protective measures such as Standard Contractual Clauses (SCC) must be used.
Interesting differences also emerge in the punishments enforced for breaches of the necessary security measures and data processing requirements mandated by these laws. While both allow for the relevant data protection authority to cease or restrict processing activities and investigate activities, fines target different parties.
The Swiss Act penalizes the individuals responsible for failing to ensure an adequate level of data protection or for failing to adhere to other information obligations set out under the rules. GDPR, on the contrary, fines companies for violations rather than individuals.
Solving Complex Compliance Requirements
Companies operating in the private sector (service providers, for-profit entities) need to take note of the changes governing the collection of personal data and its processing that the revised Swiss data protection act enforces. These changes are part of an increasingly tightened data protection landscape that implements stricter measures to ensure organizations protect the data they collect and process about individuals. Where both GDPR and FADP apply to your business, slight adjustments to compliance are important to protect private persons in line with the different rules.
Don’t neglect the value of technological solutions to help solve your complex compliance needs. Endpoint Protector is a leading data loss prevention (DLP) solution that helps your business meet regulatory requirements through restrictive policies, blocking unwanted file transfers, policy-based blocking of cross-border data transfers, content filtering, USB port control capabilities, and more.