Iubenda logo
Start generating

Documentation

Table of Contents

FADP Updates – What You Need to Know

The new Federal Data Protection Act (FADP) is the result of a complete revision of the previous Swiss Data Protection Act, which was passed on 25 September 2020 and will enter into force on 1 January 2023

The FADP contains similar provisions to the GDPR with some differences with respect to legal bases and sanctions.

Switzerland has a law governing data privacy known as the Federal Act on Data Protection, which dates back to 1992 and it was partially updated in 2019.

The Swiss Parliament has therefore adopted a fully revised version of the law to be more in line with the GDPR. The intention is that it will uphold a comparable quality of privacy and security as the rest of the EU, even though it will maintain the original concepts and vary slightly in some areas.

Updates to the FADP

In the updated FADP, privacy by design is introduced, resulting in stricter due diligence requirements for data processors and companies that store private data. Companies must now design their procedures with compliance in mind.

  • Biometric and genetic information are now considered sensitive data.
  • If there is a significant risk to the rights or privacy of data subjects, impact assessments must be carried out.
  • The obligation to disclose information has been extended; prior notification of the individual in question is required before collecting any personal information, not only sensitive information.
  • It is now required to keep a register of processing activities. However, the regulation permits exemptions for SMEs whose handling of personal data carries only a small risk of harming the data subject.
  • In the event of a data security breach, prompt reporting must be made to the Federal Data Protection and Information Commissioner (FDPIC).
  • Profiling, or the automated processing of personal data, is now a recognized legal notion.
  • The FADP does not require a legal basis to process personal data according to the general principle of the law, which maintains that data processing activity is lawful in principle and a legal basis is only required should the data controller needs to justify processing. 
  • The opt-in mechanism operates differently as the consent of the data subject is required only in 3 specific cases: 
    • the processing of personal data worthy of special protection, 
    • high-risk profiling by private individuals, 
    • profiling by a federal body.
  • Sanctions are directly aimed at natural persons holding senior positions in the organization, except in a few cases.
  • Finally, the FADP contains more categories of sensitive data

Make sure your company is up-to-date with the main international legislations. You can easily generate and manage your documents with iubenda’s Privacy and Cookie Policy Generator

FADP updates and GDPR: What are the main differences?

FADP GDPR
Applicability The FADP applies to you if you carry out processing in Switzerland even if you carry out the processing abroad (except for personal data processed by an individual solely for personal purposes). The GDPR applies to you if your organization is based in the EU or processing data of EU data subjects (except processing carried out for personal or domestic activities)
Sensitive Data Under the FADP sensitive data include:
  • data concerning religious, philosophical, political, or trade union opinions or activities;
  • data concerning health, privacy, or racial or ethnic origin;
  • genetic data;
  • biometric data that uniquely identify a natural person;
  • administrative and criminal prosecutions and sanctions;
  • data concerning social assistance measures.
Under the GDPR sensitive data include:
  • data concerning religious, philosophical, political, or trade union opinions or activities;
  • data concerning health, privacy, or racial or ethnic origin;
  • genetic data;
  • biometric data
Data Controller/Data Processor There is no contractual obligation to determine liability Data Processing Agreement required
Conditions of processing With regard to private, express consent is required only for:
  • the processing of personal data worthy of special protection;
  • high-risk profiling by private individuals;
  • profiling by a federal body.
Federal bodies have the right to process personal data only if a legal basis so provides and the legal bases are as follows:
  • personal data worthy of special protection are processed;
  • profiling is carried out;
  • the purpose of the processing or the type of processing is likely to result in a serious interference with the fundamental rights of the data subject.
Opt-in principle.
Disclosure obligations
  • the identity and contact details of the data controller;
  • the categories of personal data collected; the purposes of the processing;
  • the categories of recipients of the personal data, if any; the list of data subjects’ rights;
  • the countries or international organizations to which the personal data are disclosed, if any; safeguards for disclosures to countries not on the white list; and
  • automated individual decision-making.
The GDPR contains all the same elements as the FADP with the addition of the ‘retention period’.
Transfer of personal data abroad If you transfer personal data abroad, you must inform your users about the recipient state or international body.
  • Adequacy decisions of the European Commission;
  • Standard Contractual Clauses; and
  • Binding Rules.
Data Protection Officer Under the FADP you are not required to have a Data Protection officer, it is optional. The GDPR requires the appointment of a Data Protection Officer for private businesses
Data Breach Notifications The FDPIC only needs to be notified in the event of a high risk and there is no time limit. Notification to the data subjects only if necessary for its protection Data breaches must be reported to the DPA within 72 hours.The data subject must be informed in the event of a high risk.
Penalties of non-compliance Fines of up to CHF 250,000 (about 254,000 euros) against the persons responsible Fines of up to EUR 10/20 million or 2/4% of annual worldwide turnover of the organization..

Do these changes apply to my company? 

This law applies to the processing of personal data concerning individuals by:

👉 private individuals;

👉 federal agencies.

It does not apply to the processing of personal data by individuals for exclusively personal use. 

iubenda will continue to keep you updated about the changes made to the FADP; in the meantime, if you haven’t done so already, make sure you have an updated and compliant privacy and cookie policy in place. 

💡
How to Prepare for the FADP

The revised Swiss Federal Act on Data Protection (FADP) is scheduled to enter into force on January 1 2023. It is important that you get ready for the changes.

👉 See our guide How to Prepare for the FADP to see what steps you can take today!