Switzerland’s New Federal Act on Data Protection (nFADP): A Complete Guide

Switzerland’s new Federal Act on Data Protection (nFADP) is the principal data protection law in Switzerland. This article explains what the nFADP requires and how it affects businesses.

The nFADP is a comprehensive privacy law aimed at protecting the personality and fundamental rights of individuals (natural persons) whose personal data is processed. It grants several rights to data subjects and imposes obligations on private persons, businesses, and federal bodies that process personal data.

In this article, we give a brief overview of the nFADP and how to comply with it. If you run a business that handles personal data within the scope of the Act, we encourage you to read on to understand how the law impacts your operations.

What Is nFADP?

The new Federal Act on Data Protection (nFADP) is a comprehensive data protection law that protects the personality and fundamental rights of natural persons whose personal data is processed. Unlike the original Act, it no longer covers data relating to legal persons (companies and other organizations).

The Swiss government introduced the first Federal Act on Data Protection (FADP) in 1992 to address growing privacy concerns in the face of emerging technologies.

After the European Union introduced the General Data Protection Regulation (GDPR), Switzerland was prompted to revise the FADP so that it would align with current privacy standards and preserve the EU’s recognition of Switzerland as a country with an adequate level of data protection.

The Federal Council then drafted a complete revision of the FADP to address changes in the technological landscape. Parliament adopted the revised Act on September 25, 2020, and it came into force on September 1, 2023, together with the revised Data Protection Ordinance. The nFADP is designed to close the gaps in the first FADP and to align with the standards of the EU’s GDPR.

What Does the nFADP Cover?

The nFADP governs the processing of personal data of natural persons by private persons (including businesses) and by federal bodies. It applies to matters that have an effect in Switzerland, even if they are initiated abroad, so a company outside Switzerland that processes data of people in Switzerland can fall within its scope. It also applies to first-instance administrative proceedings.

What Doesn’t the nFADP Cover?

The nFADP doesn’t apply to personal data processed by a natural person exclusively for personal use. It also doesn’t apply to data processed by the Federal Assembly and parliamentary committees in the course of their deliberations.

Similarly, it doesn’t cover personal data processed by institutional beneficiaries under the Host State Act of June 22, 2007, that enjoy immunity from Swiss jurisdiction.

Public registers of private-law relationships are not directly covered by the nFADP either, as they are governed by the applicable federal law. However, where that law contains no provisions on the processing of personal data, the nFADP applies to the processing of personal data in those registers.

Key Definitions Under nFADP

  • Personal data: Any information relating to an identified or identifiable natural person.
  • Data subject: The natural person whose personal data is processed.
  • Sensitive personal data: Data on religious, ideological, political, or trade union-related views or activities; data on health, the intimate sphere, or racial or ethnic origin; genetic data; biometric data that uniquely identifies a natural person; data on administrative or criminal proceedings and sanctions; and data on social assistance measures.
  • Processing: Any handling of personal data, regardless of the means or procedures used, in particular collection, storage, keeping, use, modification, disclosure, archiving, deletion, or destruction.
  • Profiling: Any automated processing of personal data to evaluate certain personal aspects of a natural person, in particular to analyze or predict aspects such as work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. High-risk profiling is profiling that combines data in a way that allows an assessment of essential aspects of the person’s personality.
  • Controller: A private person or federal body that, alone or jointly with others, determines the purpose and means of processing personal data.
  • Processor: A private person or federal body that processes personal data on behalf of the controller.

What Are the Principles for Processing Personal Data Under nFADP?

Here are the eight major principles for processing personal data under the nFADP:

  1. Personal data must be processed lawfully.
  2. Processing must be carried out in good faith and must be proportionate.
  3. Personal data may only be collected for a specific purpose that is recognizable to the data subject, and may only be processed further in a manner compatible with that purpose.
  4. Personal data must be deleted or anonymized as soon as it is no longer required for the purpose of processing.
  5. Anyone processing personal data must make sure that the data is accurate and must take reasonable steps to correct, delete, or destroy data that is inaccurate or incomplete in relation to the purpose.
  6. Where consent is required, it is valid only if given voluntarily for one or more specific processing operations after the data subject has been appropriately informed.
  7. Consent must be explicit for processing sensitive personal data, for high-risk profiling by a private person, and for any profiling by a federal body.
  8. Controllers must implement privacy by design and privacy by default through appropriate technical and organizational measures from the planning stage onward.

Note that, unlike the GDPR, the nFADP does not require consent or another legal basis for every processing operation by a private person. Processing is permitted as long as it respects these principles and does not unlawfully breach the data subject’s personality rights; consent is one of the justifications the Act recognizes, and is mandatory only in the situations listed above.

What Are the Rights of Data Subjects Under nFADP?

Switzerland’s new Federal Act on Data Protection (nFADP) grants some rights to data subjects to protect their personal data shared with businesses.

Right to Information

Under the nFADP, individuals have the right to request from the controller information on whether their personal data is being processed. The controller must provide the information needed to exercise their rights, including the identity and contact details of the controller, the personal data processed as such, the purpose of processing, the retention period or the criteria used to determine it, the available information on the origin of the data, the existence of any automated individual decision and the logic on which it is based, and the recipients or categories of recipients.

The information must generally be provided free of charge and within 30 days. The Federal Council may provide for exceptions to the free-of-charge rule, in particular where the effort required is disproportionate.

Additionally, the controller may provide health data to the data subject through a healthcare professional the data subject has designated. Controllers in the editorial part of a periodical medium may refuse, restrict, or delay access if the data would reveal sources, if it would give access to drafts of publications, or if the free formation of public opinion would be compromised. A controller that processes personal data exclusively for personal use and does not disclose it to third parties may also refuse access.

Right to Data Portability

Individuals have the right to request that the controller deliver the personal data they have provided to the controller in a commonly used electronic format, or transfer it directly to another controller, provided the data is processed automatically and the processing is based on the data subject’s consent or is in direct connection with a contract. Controllers must handle data portability requests free of charge unless doing so requires disproportionate effort.

Legal Rights

Switzerland’s nFADP extends the following legal rights to data subjects regarding the processing of their personal data:

  1. Data subjects have the right to request the correction of inaccurate personal data held by the controller. The controller can deny a correction request if:
     • a statutory provision prohibits the correction, or
     • the data is processed for archiving purposes in the public interest.
  2. Data subjects can request that a particular processing activity be stopped, that specific personal data not be disclosed to third parties, and that personal data be deleted or destroyed where the processing breaches data protection provisions.
  3. If it cannot be established whether the personal data is accurate, the data subject can ask for a note to be added to the data stating that it is disputed.
  4. Data subjects can also request that any correction, deletion, destruction, prohibition, note of dispute, or court judgment be communicated to third parties or published.

What are the Duties and Responsibilities of Controllers and Processors Under nFADP?

Below are the duties and responsibilities of controllers and processors when processing personal data within the scope of the Act.

1. Provide Information

The controller must inform the data subject when personal data is collected, including when the data is not obtained directly from the data subject.

The controller must provide the information the data subject needs to exercise their rights under the Act. At a minimum, this includes:

  • the identity and contact details of the controller
  • the purpose of processing
  • where applicable, the recipients or categories of recipients of the personal data

If the data is not obtained from the data subject, the controller must additionally state the categories of personal data processed. If personal data is disclosed abroad, the controller must also state the destination country or international organization and, where applicable, the safeguards relied on or the exception that applies.

When data is collected directly from the data subject, the information is given at the time of collection. When it is obtained from another source, it must be provided no later than one month after the data is received, or at the time of the first disclosure to a third party if that is earlier.

Exceptions for Providing Information

The nFADP mentions the following exceptions for providing information to data subjects.

Data controllers don’t have to provide the information in the following cases:

  • if data subjects already have the required information
  • if the processing is required by law
  • if the data controller is legally obliged to maintain confidentiality
  • for media organizations, if it exposes sources, reveals unfinished drafts, or risks influencing public opinion

If data is not obtained from the data subject, the duty to provide information ceases if:

  • Providing information is not feasible.
  • Providing information requires disproportionate effort.

The controller may restrict, delay, or waive the provision of information in the following cases:

  • overriding interests of third parties require it
  • providing the information would defeat the purpose of the processing
  • the controller is a private person, its overriding interests require it, and it does not disclose the personal data to third parties
  • the controller is a federal body and the restriction is necessary to protect overriding public interests (in particular internal or external security) or to avoid compromising an investigation, inquiry, or official or legal proceedings

Automated decision making

The controller must inform the data subject of any decision taken exclusively on the basis of automated processing that has legal effects for them or significantly affects them. On request, the data subject can state their position on the decision and demand that it be reviewed by a natural person. This duty does not apply if the decision is in direct connection with the conclusion or performance of a contract and the data subject’s request is granted, or if the data subject has expressly consented to the decision being taken automatically.

2. Data Protection Impact Assessment

The controller must carry out a data protection impact assessment (DPIA) beforehand whenever the intended processing may entail a high risk to the personality or fundamental rights of the data subject. A high risk arises in particular from the nature, scope, circumstances, or purpose of the processing, for example extensive processing of sensitive personal data or systematic monitoring of large public areas. The DPIA describes the planned processing, assesses the risks, and sets out the measures taken to mitigate them.

3. Consultation with FDPIC

If the DPIA shows that the planned processing would still pose a high risk to the data subject’s personality or fundamental rights despite the measures envisaged, the controller must consult the Federal Data Protection and Information Commissioner (FDPIC) beforehand.

The FDPIC must notify the controller of any objections to the planned processing within two months. If it raises objections, it proposes appropriate measures to protect the personal data of the data subjects. A private controller that has appointed a data protection adviser and consulted them on the DPIA may dispense with the consultation of the FDPIC.

4. Data Security Breach Notifications

The controller must notify the FDPIC as soon as possible of any data security breach that is likely to result in a high risk to the personality or fundamental rights of the data subjects. The notification must describe the nature of the breach, its consequences, and the measures taken or planned. Breaches below this high-risk threshold do not have to be reported to the FDPIC, but it is good practice to document every breach internally so that the risk assessment can be shown afterwards.

A processor must report any data security breach to the controller as soon as possible. The controller must also inform the affected data subjects if this is necessary for their protection or if the FDPIC requests it.

5. Prevent Any Breaches of Personality Rights

Anyone who processes personal data must not unlawfully breach the personality rights of the data subjects.

In particular, the following constitute a breach of personality rights:

  • processing personal data contrary to the principles of the Act
  • processing personal data against the express wishes of the data subject
  • disclosing sensitive personal data to third parties

However, there is generally no breach of personality rights if the data subject has made the personal data generally accessible and has not expressly prohibited its processing. A breach can also be justified by the data subject’s consent, by an overriding private or public interest, or by law.

6. Implement Security Measures to Protect Personal Data

Controllers and processors must ensure the security of personal data through appropriate technical and organizational measures that are proportionate to the risk. The measures must protect personal data against unauthorized or unlawful processing, loss, and breaches of confidentiality, integrity, and availability. The Federal Council sets minimum requirements for data security in the Data Protection Ordinance.

7. Keep Records of Data Processing Activities

Controllers and processors must each keep a record of their processing activities. Companies and other private organizations with fewer than 250 employees are exempt unless their processing entails a high risk to the personality or fundamental rights of the data subjects. The controller’s record should include the following details:

  • Identity of the controller and processors
  • Purpose of data processing
  • Description of categories of data subjects and personal data processed
  • Categories of recipients
  • Data retention period
  • Security measures taken
  • Details of the countries or states where the data is transferred

What Are the Requirements for Cross-Border Data Transfer?

Personal data may be disclosed abroad if the Federal Council has determined that the legislation of the destination state or international organization guarantees an adequate level of protection. The list of states with adequate protection is published as an annex to the Data Protection Ordinance.

In the absence of such a decision, personal data may only be disclosed abroad if adequate data protection is guaranteed by one of the following:

  • an international treaty
  • data protection clauses in an agreement between the controller or processor and its contractual partner, notified to the FDPIC in advance
  • specific guarantees drawn up by the competent federal body and notified to the FDPIC in advance
  • standard data protection clauses approved, issued, or recognized in advance by the FDPIC
  • binding corporate rules approved in advance by the FDPIC or by a data protection authority of a state that guarantees adequate protection

If none of these safeguards is in place, disclosure abroad is still possible in limited exceptional cases, in particular with the express consent of the data subject, where the disclosure is directly connected with the conclusion or performance of a contract with or in the interest of the data subject, where it is necessary to safeguard an overriding public interest or to establish, exercise, or enforce legal claims, where it is necessary to protect the life or physical integrity of the data subject or a third party, or where the data subject has made the data generally accessible and has not expressly prohibited its processing.

How to Comply With nFADP for Businesses?

Here are some general guidelines to help you comply with Switzerland’s nFADP:

  • Understand the principles of the nFADP.
  • Process personal data lawfully, in good faith, proportionately, and for specific, recognizable purposes only.
  • Obtain valid consent where the Act requires it, and explicit consent for processing sensitive personal data or for high-risk profiling. Unlike the GDPR, the nFADP does not require consent or another legal basis for every processing operation by a private person.
  • Implement privacy by design and privacy by default in your products and processes.
  • Implement appropriate technical and organizational security measures proportionate to the risk.
  • Consider appointing a data protection adviser; this is voluntary for private controllers, but an adviser can be consulted on DPIAs in place of the FDPIC.
  • If your company is domiciled outside Switzerland and processes personal data of persons in Switzerland on a large scale, regularly, and with a high risk in connection with offering goods or services or monitoring behavior, designate a representative in Switzerland.
  • Keep records of your processing activities unless the small-enterprise exemption applies.
  • Conduct a data protection impact assessment before any processing that is likely to pose a high risk, and consult the FDPIC (or your data protection adviser) where a high risk remains.
  • Report high-risk data security breaches to the FDPIC as soon as possible and inform affected individuals where necessary for their protection.
  • Apply additional safeguards when handling sensitive personal data, including explicit consent where required and care before disclosing such data to third parties.
  • Disclose personal data abroad only to countries with adequate protection or with one of the safeguards or exceptions the Act provides.

What Are the Fines and Penalties for Non-compliance?

Switzerland’s nFADP provides for criminal fines for non-compliance. An important difference from the GDPR is that these fines are primarily imposed on the responsible natural persons, not on the company, and only for wilful conduct.

Private individuals may be fined up to CHF 250,000 for wilfully providing false or incomplete information in response to an access request or breaching the duty to inform data subjects, for disclosing personal data abroad without meeting the legal requirements, for engaging a processor without the required conditions, or for failing to meet the minimum data security requirements.

Individuals may also be fined up to CHF 250,000 for wilfully disclosing confidential personal data of which they became aware in the course of their profession or training, and for disregarding rulings issued by the FDPIC or by the appeal courts.

Where the fine in question does not exceed CHF 50,000 and identifying the responsible natural person would require disproportionate investigative effort, the business itself can be ordered to pay the fine under the Federal Act on Administrative Criminal Law.

Frequently Asked Questions on Switzerland’s nFADP

Is the nFADP Similar to the GDPR?

Yes. Switzerland’s new Federal Act on Data Protection (nFADP) is designed to align with the EU’s GDPR in many aspects, aiming to achieve similar levels of data protection for individuals. Both regulations address similar principles, rights, and obligations for data processing.

What Is FDPIC?

The Federal Data Protection and Information Commissioner (FDPIC) is the independent supervisory authority that oversees compliance with the nFADP by private persons and federal bodies. It can investigate processing activities, issue rulings ordering measures, and must be notified of high-risk data security breaches.

What Is Privacy by Design?

Privacy by Design (PbD) is an approach that proactively integrates data privacy principles right from the design stage itself. From design through development to deployment, privacy is considered at every stage of product development.

It aims to embed privacy as an essential component rather than an afterthought or retrofitting measure.

Check out our detailed guide on the Privacy by Design (PbD) framework for more information.

Does the nFADP Mention Tracking Cookies?

No, the nFADP doesn’t explicitly mention tracking cookies. However, the law requires organizations to be transparent about their data processing, including the purpose of collecting and using personal data and the recipients of that data. This includes informing individuals about the use of tracking technologies and how the collected data is used, and obtaining explicit consent where the tracking amounts to high-risk profiling.

So, if you are using third-party cookies on your website, we recommend that you obtain prior cookie consent from your site visitors.

If you are using WordPress as your website CMS, our GDPR Cookie Consent plugin can help you easily manage cookie compliance for your website. Our plugin is compliant with IAB TCF guidelines and is now listed as a certified CMP by Google.

Conclusion

The new Federal Act on Data Protection is the principal data protection law in Switzerland. It protects the personality and fundamental rights of natural persons whose personal data is processed. It grants several rights to data subjects and imposes obligations on individuals, businesses, and federal bodies that handle personal data.

The law is designed to align with the EU’s General Data Protection Regulation and establish a safer standard of privacy regulation in Switzerland.

We hope this article has helped you understand the nFADP of Switzerland. Do you have any questions? Please feel free to ask them in the comments section. We’d be happy to answer your questions.

Disclaimer: This article was written based on a translated version of the nFADP Act. It was intended for informational purposes only and does not represent legal advice. We have no intention of obtaining any kind of attorney-client relationship. If you are looking for legal advice, we recommend you contact a professional.

Article by

Content Writer @ WebToffee. Specialized in WordPress and eCommerce. When I am not writing, I enjoy my downtime with a good cup of coffee and a movie.
