Book a demo
Start for free

FADP Updates – What You Need to Know

Are you a publisher targeting users in Switzerland? Starting July 2024, it’s essential to integrate a certified CMP compliant with the TCF. This change to an opt-in model is crucial to maintain proper ad display and protect your revenue streams. Learn more →

The new Federal Data Protection Act (FADP) is the result of a complete revision of the previous Swiss Data Protection Act, which was passed on 25 September 2020 and entered into force September 2023.

The FADP contains similar provisions to the GDPR with some differences with respect to legal bases and sanctions.

Switzerland has a law governing data privacy known as the Federal Act on Data Protection, which dates back to 1992 and it was partially updated in 2019.

The Swiss Parliament has therefore adopted a fully revised version of the law to be more in line with the GDPR. The intention is that it will uphold a comparable quality of privacy and security as the rest of the EU, even though it will maintain the original concepts and vary slightly in some areas.

Updates to the FADP

In the updated FADP, privacy by design is introduced, resulting in stricter due diligence requirements for data processors and companies that store private data. Companies must now design their procedures with compliance in mind.

  • Biometric and genetic information are now considered sensitive data.
  • If there is a significant risk to the rights or privacy of data subjects, impact assessments must be carried out.
  • The obligation to disclose information has been extended.
  • It is now required to keep a register of processing activities. However, the regulation permits exemptions for SMEs whose handling of personal data carries only a small risk of harming the data subject.
  • In the event of a data security breach, prompt reporting must be made to the Federal Data Protection and Information Commissioner (FDPIC).
  • Profiling, or the automated processing of personal data, is now a recognized legal notion.
  • The FADP does not require a legal basis to process personal data according to the general principle of the law, which maintains that data processing activity is lawful in principle and a legal basis is only required should the data controller needs to justify processing. 
  • The opt-in/opt-out mechanism operates differently as (prior) consent may need to be employed in fewer situations.
    • the processing of personal data worthy of special protection, 
    • high-risk profiling by private individuals, 
    • profiling by a federal body.
  • Sanctions are directly aimed at natural persons even within organization.
  • Finally, the FADP contains more categories of sensitive data

Make sure your company is up-to-date with the main international legislations. You can easily generate and manage your documents with iubenda’s Privacy and Cookie Policy Generator

FADP updates and GDPR: What are the main differences?

  • information concerning automated decision-making;
  • the recipients or categories of recipients of the personal data, if any, to which personal data is disclosed;
  • the countries or international organizations to which the personal data is disclosed, if any.
  FADP GDPR
Applicability The FADP applies to you if your organization is based either in Switzerland or outside of Switzerland, and you are processing data of Swiss data subjects (except processing carried out for personal activities). The GDPR applies to you if your organization is based in the EU or processing data of EU data subjects (except processing carried out for personal or domestic activities)
Sensitive Data Under the FADP sensitive data include:
  • data concerning religious, philosophical, political, or trade union opinions or activities;
  • data concerning health, privacy, or racial or ethnic origin;
  • genetic data;
  • biometric data that uniquely identify a natural person;
  • administrative and criminal prosecutions and sanctions;
  • data concerning social assistance measures.
 Under the GDPR, sensitive data include:
  • data concerning religious or philosophical beliefs, political, or trade union opinions;
  • data concerning health, sexual orientation, racial or ethnic origin;
  • genetic data;
  • biometric data
Data Controller/Data Processor The Data controller and the Data Processor may enter into an agreement to regulate the processing of the data. Data Processing Agreement required
Conditions of processing With regard to private, express consent is required only for:
  • the processing of personal data worthy of special protection;
  • the processing of sensitive personal;
  • high-risk profiling by private persons
  • profiling by a federal body.
Federal bodies have the right to process personal data only if there is a legal requirement to do so. These include:
  • the data processed consists of sensitive personal data
  • profiling is carried out;
  • the purpose of the processing or the type of processing is likely to result in a serious interference with the fundamental rights of the data subject.
 Opt-in principle.
Disclosure obligations

The controller is to provide the following information within 30 days from the data subject’s access request (concerning the processing of the data subject’s personal data):

  • the identity and contact details of the data controller;
  • the categories of personal data being processed;
  • the purposes of processing;
  • the duration of storage of such personal data or the criteria used to determine such duration if the former is not available;
  • if the personal data was not collected directly from the data subject, the source of such personal data;
 The GDPR contains all the same elements as the FADP but also includes the requirements to disclose the legal basis for processing as well as the rights granted to the data subject such as the right to a copy of the data, the right to lodge a complaint and the right to withdraw consent to the data processing.
Transfer of personal data abroad

Personal data may only be transferred to foreign countries or international bodies that are deemed to provide an adequate level of protection, as verified by the Swiss Federal Council. In the absence of such an adequacy decision, personal data can be transferred abroad pursuant to:

  • an international treaty;
  • contractual provisions between the controller and the processor and its contracting partner communicated beforehand to the FDPIC;
  • specific safeguards prepared by the competent federal body and previously communicated to the FDPIC;
  • standard data protection clauses subject to the prior approval of the FDPIC;
  • binding corporate rules previously approved by the FDPIC.

Several exceptions to the transfer of personal data abroad are also provided for under the FADP. These include:

  • the explicit consent to the transfer of personal data being granted by the data subject;
  • the transfer of personal data is related to the performance or the conclusion of a contract between the controller and the data subject or the controller and a contracting partner in the interest of the data subject;
  • the transfer is necessary to safeguard an overriding public interest, enforce a legal claim before a court of law, to protect the life of the data subject or a third party where it is not possible to obtain the prior consent of the data subject within a reasonable time, the data subject has granted access to the data and has not expressly prohibited its processing, and the data originates from a legal register which is available to the public or to persons that possess a legitimate interest to such register.
  • Adequacy decisions of the European Commission;
  • Standard Contractual Clauses; and
  • Binding Corporate Rules.
Data Protection Officer Under the FADP you are not required to have a Data Protection officer, it is optional. The GDPR requires the appointment of a Data Protection Officer for private businesses
Data Breach Notifications The FDPIC only needs to be notified in the event of a high risk security breach as soon as possible. Notification to the data subjects is to be made only if necessary for the protection of the data subject or so requested by the FDPIC. Data breaches must be reported to the DPA within 72 hours.The data subject must be informed in the event of a high risk.
Penalties of non-compliance Fines of up to CHF 250,000 against the persons or entity responsible. Fines of up to EUR 10/20 million or 2/4% of annual worldwide turnover of the organization.

Do these changes apply to my company? 

This law applies to the processing of personal data concerning individuals by:

👉 private persons;

👉 federal agencies.

It does not apply to the processing of personal data by individuals for exclusively personal use. 

iubenda will continue to keep you updated about the changes made to the FADP; in the meantime, if you haven’t done so already, make sure you have an updated and compliant privacy and cookie policy in place. 

💡
How to Prepare for the FADP

The revised Swiss Federal Act on Data Protection (FADP) entered into force September 2023.

👉 See our guide How to Prepare for the FADP to see what steps you can take today!