Switzerland and data protection

Switzerland is implementing new legislation to better protect its citizens' data: the revised Swiss Federal Act on Data Protection ("revFADP"), which replaces the Federal Act on Data Protection of 1992.

The revFADP modernizes the rules for processing personal data and grants data subjects new rights in line with other comprehensive data protection laws such as the EU General Data Protection Regulation (GDPR) and the UK GDPR.

This important legislative change also comes with a number of increased obligations for companies operating in Switzerland.

Companies should get up to speed with the requirements of the revFADP quickly, as the law takes effect on September 1, 2023. They should not assume that GDPR or UK GDPR compliance equates to revFADP compliance: while the revised legislation has many similarities to the GDPR, there are clear differences that companies need to be aware of.

Here’s what businesses should know:

  1. There is no grace period for compliance
    Unlike the GDPR, which came with a two-year transition period, the revFADP provides no grace period for businesses to get up to speed. Companies that process the personal data of people in Switzerland therefore have just over eight months (from the time of writing) to comply.
  2. Penalties
    The revFADP does not impose administrative fines on entities. However, willful violations of the law can result in criminal fines of up to CHF 250,000 against the responsible natural persons (for example a director or the person in charge of data protection), rather than against the company.
  3. The Federal Data Protection and Information Commissioner (FDPIC) cannot impose fines itself
    Prosecution and sentencing are the responsibility of the cantonal criminal authorities (Art. 65 revFADP); the FDPIC may file a criminal complaint and participate in the proceedings, but it does not issue the sanction. While individuals bear the fines under the revFADP, a company can itself be fined up to CHF 50,000 if identifying the liable individual within the organization would involve a disproportionate investigative effort (Art. 64 revFADP). This shows that the revFADP focuses on holding individuals accountable, and that authorities are not expected to search hard for a responsible person. In practice, this makes clearly documented internal responsibilities for data protection more important, not less.
    The penalty regime is a sharp contrast to the GDPR, whose administrative fines are directed at the controller or processor (typically the company) rather than at individual employees.
  4. Expanded definition of sensitive data
    The revFADP expands the list of data that falls under the category of "sensitive personal data." The additions are genetic data and biometric data that unambiguously identifies an individual. Where consent is relied on as the justification for processing sensitive personal data, that consent must be express (Art. 6 para. 7 revFADP).
  5. Profiling
    Like the GDPR, the revFADP now contains a legal definition of "profiling" that corresponds to the EU GDPR and was not previously included in the FADP. Where consent is relied on for "high-risk profiling" by a private person (profiling that allows an assessment of essential aspects of a person's personality, comparable to the personality profiles of the old law), that consent must be express.
  6. The emphasized importance of an "independent" DPO
    Although appointing a data protection advisor is voluntary for private controllers under the revFADP (the GDPR requires a DPO only in specific cases), the Federal Data Protection and Information Commissioner (FDPIC) strongly emphasizes the importance of an independent DPO: DPO activities should remain separate from the company's other business activities, including other legal advice and representation. Combining the role with another in-house position, or with outside counsel that also advises or represents the company, may therefore not satisfy the independence requirement. In addition, the FDPIC has recommended that the DPO speak at least one of the Swiss national languages (German, French, Italian or Romansh) in order to communicate effectively with data subjects in Switzerland; English is not an official language of the Swiss Confederation.
  7. Breach notification only for serious breaches, and no fixed notification deadline
    Under Art. 24 revFADP, the controller must notify the FDPIC "as soon as possible" of data security breaches that are likely to result in a high risk to the personality or fundamental rights of data subjects. It is not clear whether "as soon as possible" is faster or slower than the 72-hour deadline under the GDPR; a prudent incident response plan treats 72 hours as the benchmark and documents the reasons for any delay. The FDPIC also emphasizes that notifications should be made only where the breach poses an "imminent danger" to data subjects. Controllers are therefore not required under the revFADP to notify the FDPIC of unsuccessful cyber attacks, although they should still record them internally. Processors must report breaches to the controller as soon as possible.
  8. Data transfers
    There is an expectation that Switzerland-specific standard contractual clauses (SCCs) will be used for Swiss-only transfers, but the FDPIC has not yet issued a Swiss-only transfer mechanism. Under the revFADP, adequacy of foreign countries is determined by the Federal Council rather than the FDPIC, and it is expected that the list of adequate countries will largely track the European Commission's adequacy decisions. In the meantime, the EU Standard Contractual Clauses (EU SCCs), with the Swiss-specific adjustments recognized by the FDPIC, and approved binding corporate rules are appropriate mechanisms for transferring personal data to and from Switzerland.
  9. Privacy policy
    Art. 19 revFADP sets out the minimum information that data controllers must provide to data subjects when collecting personal data. Privacy policies should be updated to cover at least the following:
  • the identity and contact details of the controller;
  • the purpose of the processing;
  • the recipients or categories of recipients of the data, where data is disclosed to third parties;
  • the country to which the data is transferred, in the case of cross-border transfers;
  • the safeguards put in place for such cross-border transfers; and
  • note that this duty applies whenever personal data is collected, directly or indirectly, and is no longer limited, as under the old FADP, to the collection of sensitive personal data or personality profiles.

10. Data Protection Impact Assessment (DPIA) is required
Data Protection Impact Assessments are nothing new in Swiss data protection law, as federal bodies were already obliged to conduct them. Under Art. 22 revFADP, private-sector controllers must now also conduct a DPIA if the planned processing is likely to involve a high risk to the personality or fundamental rights of data subjects. A high risk is assumed in particular where sensitive personal data is processed extensively, where extensive public areas are systematically monitored, or where high-risk profiling is carried out. If the DPIA shows that the planned processing would still present a high risk despite the envisaged measures, the controller must consult the FDPIC in advance, unless it has consulted its data protection advisor instead.

11. Records of processing activities in Switzerland
The revFADP requires both controllers and processors to keep a record of all their data processing activities. The content of this record mirrors what Article 30 of the EU GDPR requires, and it must be kept up to date. The revFADP provides an exception for businesses with fewer than 250 employees whose processing involves only a low risk of violating the personality of data subjects.

The full text of the revFADP (English translation, revDSG_EN) is linked here.