On 1 September 2023, the totally revised Federal Act on Data Protection (revFADP) enters into force in Switzerland, an important step for data protection. It concentrates on the protection of personal data by limiting its scope to the data of natural persons and by adding new categories of personal data requiring special protection, such as genetic data and biometric data. Companies have to adapt to significant changes: revising their privacy statements, keeping a record of processing activities and training employees to meet the stricter requirements. With this comprehensive revision, Switzerland takes an important step towards contemporary data protection and strengthens its position as a reliable partner for the free movement of data in the digital world.
1. Why is a total revision of data protection law in Switzerland necessary?
In Switzerland, the totally revised Federal Act on Data Protection (revFADP) of September 25, 2020 and the implementing provisions in the new Data Protection Ordinance (DPO) of August 31, 2022 and the new Ordinance on Data Protection Certifications (DPCO) of August 31, 2022 will enter into force on September 1, 2023. The first federal law on data protection dates back to 1992. Today, a complete revision of the data protection law is necessary in order to guarantee the population adequate data protection adapted to the technological and social changes of our time. In particular, the transparency of data processing will be improved and the self-determination of the persons concerned over their data will be strengthened.
Compatibility of Swiss law with EU law, in particular with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), is also a driver of the revision. The revision is intended to bring Swiss data protection legislation as a whole closer to the requirements of Regulation (EU) 2016/679, so that the free flow of data with the European Union can be maintained and Swiss companies do not lose competitiveness. In addition, the total revision allows Switzerland to ratify the Council of Europe’s revised data protection convention (Convention 108, ETS 108, as amended by its 2018 protocol) and to implement the Schengen-relevant Directive (EU) 2016/680 on data protection in criminal matters. This approximation and the ratification of the revised Convention 108 are central to ensuring that the EU continues to recognise Switzerland as a third country with an adequate level of data protection and that cross-border data transfers remain possible without further hurdles in the future.
The revFADP introduces major changes for companies.
2. What will be the scope of application?
The revFADP adopts an effects-based territorial scope comparable to the GDPR’s marketplace principle: it applies to circumstances that have an effect in Switzerland, even if they are initiated abroad (Art. 3 para. 1 revFADP). As a corollary, private controllers domiciled abroad that process data of persons in Switzerland may have to designate a representative in Switzerland (Art. 14 and Art. 15 revFADP).
In addition, the revFADP no longer applies to the processing of data of legal entities (e.g. stock corporations, associations). In future only the processing of personal data of natural persons falls within its scope.
3. Will the data categories be changed?
The revFADP introduces new categories of data. In particular, the category of personal data requiring special protection has been expanded to include “genetic data” (Art. 5 let. c no. 3 revFADP) and “biometric data that uniquely identify a natural person” (Art. 5 let. c no. 4 revFADP). Both categories are also found in the GDPR (Art. 9 GDPR).
4. Will the EU prohibition principle be adopted?
The revFADP continues to assume that the processing of personal data is in principle permitted, provided that it complies with data protection law, in particular with the general processing principles (lawfulness, good faith, proportionality, recognisability, purpose limitation, data accuracy and data security). In contrast to the GDPR, the principle of prohibition subject to permission does not apply: a justification (e.g. consent, a statutory basis or an overriding interest) does not have to be shown for each processing operation.
5. What obligations does the revFADP impose on controllers and processors?
a) Are the processing principles respected?
The processing principles (Art. 6 revFADP) have been slightly reworded as part of the revision, but their content corresponds to the current regulation (see in particular Art. 4 FADP). The processing principles thus remain essentially the same as under EU law (e.g. purpose limitation, transparency, data accuracy). In contrast to EU law, however, as mentioned in Section 4 above, no legal ground or justification is required for data processing under the revFADP as long as the processing complies with the processing principles, is not carried out against the express wishes of the data subject and does not disclose personal data requiring special protection to third parties (Art. 30 para. 2 revFADP). Only where one of these conditions is breached must the controller rely on a ground for justification (Art. 31 revFADP). Note that the grounds for justification are regulated more strictly under the revFADP than under the previous law, in particular with regard to checking the creditworthiness of a data subject and the research privilege (compare Art. 31 revFADP with Art. 13 FADP).
b) How must processing activities be inventoried?
A record of processing activities (processing inventory) becomes mandatory for controllers and processors (Art. 12 revFADP). The Data Protection Ordinance (Art. 24 DPO) exempts companies with fewer than 250 employees whose data processing involves only a low risk of violations of the personality of data subjects; the exemption does not apply where personal data requiring special protection is processed on a large scale or high-risk profiling is carried out. Failure to keep a record of processing activities is not, however, a criminal offence under the revFADP.
c) How to deal with risks?
- “Privacy by Design” and “Privacy by Default”: The two principles known from the GDPR, “Privacy by Design” (data protection by technology) and “Privacy by Default” (data protection through privacy-friendly default settings), are introduced in Article 7 revFADP. “Privacy by Design” requires developers to build the protection of users’ privacy into the architecture of the products or services that will collect personal data, from the planning stage onwards. “Privacy by Default” requires that the default settings of a product or service, i.e. without any user intervention, limit the processing of personal data to the minimum necessary for the intended purpose (Art. 7 para. 3 revFADP). In other words, software, hardware and services must be configured out of the box so that data is protected and the privacy of the user is safeguarded. For example, applications should be designed so that personal data is pseudonymised, anonymised or regularly deleted by technical means as standard, and only the personal data that is strictly necessary for the purpose should be collected, with further personal data collected only if the user actively selects or authorises this.
- Data protection impact assessment: According to Article 22 revFADP, private controllers (e.g. private hospitals) must now also carry out and document a prior data protection impact assessment if the intended processing may entail a high risk to the personality or fundamental rights of the data subject. A high risk may arise in particular from the use of new technologies (e.g. artificial intelligence) and from the type, scope, circumstances and purpose of the processing (Art. 22 para. 2 revFADP). The extensive processing of personal data requiring special protection and high-risk profiling are explicitly named as cases of high risk.
- Obligation to report breaches of data security: The revised law introduces a new reporting obligation in the event of a data breach (Art. 24 revFADP). The controller must notify the Federal Data Protection and Information Commissioner (FDPIC) as soon as possible of any breach of data security that is likely to result in a high risk to the personality or fundamental rights of the data subject. Processors must report breaches to the controller, and the controller must also inform the data subjects where this is necessary for their protection or where the FDPIC requests it.
d) Have the information obligations been strengthened?
Compared to the current FADP, the revFADP contains strengthened information obligations of the controller. The importance of complying with the increased transparency requirements is underlined by the fact that an intentional breach of the duty to inform under the revFADP can be punished with a fine of up to CHF 250,000 (Art. 60 revFADP). Pursuant to Article 19 revFADP, there is now a duty to inform for every collection of personal data, and no longer only for the collection of personal data requiring special protection or for high-risk profiling: the data subject must be informed in advance, at least of the identity and contact details of the controller, the purpose of the processing and, where applicable, the recipients and the countries to which data is transferred. In addition to the general duty to inform, a special duty to inform is introduced for automated individual decisions (Art. 21 revFADP).
The strengthened information obligations in practice require a privacy statement that complies with the revFADP. Existing privacy statements should therefore be reviewed and, if necessary, revised before the revised law enters into force.
6. What rights will data subjects have?
a) What minimum information must be provided?
The revision expands the content of the right to information (right of access, Art. 8 FADP) by establishing a catalogue of minimum information that must in any case be provided to the data subject on request (Art. 25 para. 2 revFADP), such as the identity and contact details of the controller, the personal data processed as such, the purpose of the processing, the retention period and the recipients. An intentional violation of Article 25 revFADP can be punished with a fine of up to CHF 250,000 (Art. 60 revFADP).
b) Is data portability carried out?
Article 28 revFADP now grants data subjects a right to data portability: they may demand that personal data which they have disclosed to the controller, and which the controller processes automatically, be handed over to them or transmitted to another controller. The data must be provided free of charge (Art. 28 para. 3 revFADP) and in a commonly used electronic format (Art. 28 para. 1 revFADP).
7. Will the fines be higher?
The maximum fine that can be imposed for an intentional violation of the FADP has been significantly increased to CHF 250,000 (previously CHF 10,000) as part of the revision. Unlike under the GDPR, the fines are in principle directed at the responsible natural persons rather than at the company; only where identifying the responsible person within the company would require disproportionate investigative effort can the company itself be fined, up to CHF 50,000 (Art. 64 revFADP).
8. Is there a need for action?
Companies should conduct a gap analysis to determine the need for action. In particular, it should be checked whether existing privacy statements need to be adapted or rewritten and whether written contracts exist with all processors (Art. 9 revFADP). Existing records of processing activities must then be supplemented or newly created. In doing so, it must be ensured that all information is available in one place, which in turn allows the information and access obligations to be fulfilled in compliance with the law.
Employees should also be trained, for example field staff with regard to the databases they use.
LINDEMANNLAW can help you implement the changes of the new Swiss data protection law! Contact us for a detailed consultation.