The new Federal Data Protection Act (FADP), passed on 25 September 2020 and entering into force on 1 January 2023, is the result of a complete revision of the previous Swiss Data Protection Act.
The FADP contains provisions similar to those of the GDPR, with some differences with respect to legal bases and sanctions.
The Swiss Parliament adopted a fully revised version of the law to bring it more in line with the GDPR. The intention is to uphold a level of privacy and security comparable to that of the EU, even though the law maintains its original concepts and varies slightly in some areas.
The updated FADP introduces privacy by design, which results in stricter due diligence requirements for data processors and companies that store private data. Companies must now design their procedures with compliance in mind.
| | FADP | GDPR |
|---|---|---|
| Applicability | The FADP applies to you if you carry out processing in Switzerland even if you carry out the processing abroad (except for personal data processed by an individual solely for personal purposes). | The GDPR applies to you if your organization is based in the EU or processes data of EU data subjects (except processing carried out for personal or domestic activities). |
| Sensitive Data | Under the FADP sensitive data include: | Under the GDPR sensitive data include: |
| Data Controller/Data Processor | There is no contractual obligation to determine liability. | Data Processing Agreement required. |
| Conditions of processing | With regard to private, express consent is required only for: | The GDPR contains all the same elements as the FADP with the addition of the 'retention period'. |
| Transfer of personal data abroad | If you transfer personal data abroad, you must inform your users about the recipient state or international body. | |
| Data Protection Officer | Under the FADP you are not required to have a Data Protection Officer; it is optional. | The GDPR requires the appointment of a Data Protection Officer for private businesses. |
| Data Breach Notifications | The FDPIC only needs to be notified in the event of a high risk, and there is no time limit. Data subjects are notified only if necessary for their protection. | Data breaches must be reported to the DPA within 72 hours. The data subject must be informed in the event of a high risk. |
| Penalties for non-compliance | Fines of up to CHF 250,000 (about 254,000 euros) against the persons responsible. | Fines of up to EUR 10/20 million or 2/4% of annual worldwide turnover of the organization. |
This law applies to the processing of personal data concerning individuals by:
👉 private individuals;
👉 federal agencies.
It does not apply to the processing of personal data by individuals for exclusively personal use.
The revised Swiss Federal Act on Data Protection (FADP) is scheduled to enter into force on January 1, 2023. It is important that you get ready for the changes.
👉 See our guide How to Prepare for the FADP to see what steps you can take today!