Are you a publisher targeting users in Switzerland? Starting July 2024, it’s essential to integrate a certified CMP compliant with the TCF. This change to an opt-in model is crucial to maintain proper ad display and protect your revenue streams.
The new Federal Data Protection Act (FADP), passed on 25 September 2020 and in force since September 2023, is the result of a complete revision of the previous Swiss Data Protection Act.
The FADP contains similar provisions to the GDPR with some differences with respect to legal bases and sanctions.
What is the Swiss FADP?
The Swiss Parliament adopted a fully revised version of the law to bring it more in line with the GDPR. The intention is to uphold a level of privacy and security comparable to that of the EU, while maintaining the law's original concepts and varying slightly in some areas.
Updates to the FADP
In the updated FADP, privacy by design is introduced, resulting in stricter due diligence requirements for data processors and companies that store private data. Companies must now design their procedures with compliance in mind.
You can anticipate the following major changes for companies:
- Biometric and genetic information are now considered sensitive data.
- If there is a significant risk to the rights or privacy of data subjects, impact assessments must be carried out.
- The obligation to disclose information has been extended.
- It is now required to keep a register of processing activities. However, the regulation permits exemptions for SMEs whose handling of personal data carries only a small risk of harming the data subject.
- In the event of a data security breach, a report must be made promptly to the Federal Data Protection and Information Commissioner (FDPIC).
- Profiling, or the automated processing of personal data, is now a recognized legal notion.
- The FADP does not require a legal basis to process personal data: under the general principle of the law, data processing is lawful in principle, and a legal basis is only required should the data controller need to justify processing.
- The opt-in/opt-out mechanism operates differently, as (prior) consent may need to be employed in fewer situations:
  - the processing of personal data worthy of special protection,
  - high-risk profiling by private individuals,
  - profiling by a federal body.
- Sanctions are directly aimed at natural persons, even within an organization.
- Finally, the FADP contains more categories of sensitive data.
FADP updates and GDPR: What are the main differences?
| | FADP | GDPR |
|---|---|---|
| Applicability | The FADP applies to you if your organization is based either in Switzerland or outside of Switzerland, and you are processing data of Swiss data subjects (except processing carried out for personal activities). | The GDPR applies to you if your organization is based in the EU or processing data of EU data subjects (except processing carried out for personal or domestic activities). |
| Sensitive Data | Under the FADP, sensitive data include: | Under the GDPR, sensitive data include: |
| Data Controller/Data Processor | The Data Controller and the Data Processor may enter into an agreement to regulate the processing of the data. | Data Processing Agreement required. |
| Conditions of processing | With regard to private, express consent is required only for: | Opt-in principle. |
| Disclosure obligations | The controller is to provide the following information within 30 days from the data subject’s access request (concerning the processing of the data subject’s personal data): information concerning automated decision-making; the recipients or categories of recipients of the personal data, if any, to which personal data is disclosed; the countries or international organizations to which the personal data is disclosed, if any. | The GDPR contains all the same elements as the FADP but also includes the requirements to disclose the legal basis for processing as well as the rights granted to the data subject, such as the right to a copy of the data, the right to lodge a complaint and the right to withdraw consent to the data processing. |
| Transfer of personal data abroad | Personal data may only be transferred to foreign countries or international bodies that are deemed to provide an adequate level of protection, as verified by the Swiss Federal Council. In the absence of such an adequacy decision, personal data can be transferred abroad pursuant to: Several exceptions to the transfer of personal data abroad are also provided for under the FADP. These include: | |
| Data Protection Officer | Under the FADP you are not required to have a Data Protection Officer; it is optional. | The GDPR requires the appointment of a Data Protection Officer for private businesses. |
| Data Breach Notifications | The FDPIC needs to be notified as soon as possible, and only in the event of a high-risk security breach. Notification to the data subjects is to be made only if necessary for the protection of the data subject or so requested by the FDPIC. | Data breaches must be reported to the DPA within 72 hours. The data subject must be informed in the event of a high risk. |
| Penalties of non-compliance | Fines of up to CHF 250,000 against the persons or entity responsible. | Fines of up to EUR 10/20 million or 2/4% of annual worldwide turnover of the organization. |
Do these changes apply to my company?
This law applies to the processing of personal data concerning individuals by:
👉 private persons;
👉 federal agencies.
It does not apply to the processing of personal data by individuals for exclusively personal use.
iubenda will continue to keep you updated about the changes made to the FADP; in the meantime, if you haven’t done so already, make sure you have an updated and compliant privacy and cookie policy in place.
How to Prepare for the FADP
The revised Swiss Federal Act on Data Protection (FADP) entered into force in September 2023.
👉 See our guide How to Prepare for the FADP to see what steps you can take today!