What is the main difference between the new FADP and the GDPR?
The new Federal Act on Data Protection (FADP) went into effect on 1 September 2023, and the biggest difference between the FADP and the GDPR is that under the FADP responsible private persons as data controllers can be fined up to CHF 250,000, while in the EU only companies are held liable.
But first, let’s get some basics straight.
Do Swiss companies need to comply with the GDPR?
Yes, Swiss companies need to comply with the GDPR if they:
- process personal data of individuals located in the European Union (EU),
- offer goods or services to EU individuals, or
- monitor the behavior of EU individuals.
In this case, they should take the necessary measures to ensure compliance with the EU regulation.
What is the GDPR equivalent in Switzerland?
In Switzerland, privacy and the fundamental rights of persons with regard to data processing are governed by the Federal Act on Data Protection (FADP), which on 1 September 2023 received its first revision since being enacted in 1992.
Why is the revision of the FADP important?
With the revision of the FADP, the Swiss government responds to the fundamental changes the technological and social landscape has undergone since 1992. The aim is to grant data subjects stronger self-determination in relation to their data.
Plus, by aligning the new FADP to the EU’s GDPR, Switzerland can be recognized as a third country with an adequate level of data protection. The benefit: Free data transfer between Switzerland and the EU is possible also in the future, helping Swiss companies to remain competitive.
«Organizations doing business in both Switzerland and the EU should be aware of this: Despite the alignment of the new FADP with the GDPR, certain differences remain. Most notably the provisions on sanctions.»
Yasin Kücükkaya
7 major differences between the new FADP and GDPR
The GDPR and the FADP have many similarities, such as strict sanctions for violations, breach notification requirements, and a focus on data privacy and protection. However, the provisions differ in detail. These are the 7 key differences:
| Topic | New FADP | GDPR |
| --- | --- | --- |
| Sanctions | Up to CHF 250,000 against responsible private persons | Up to EUR 20 million or 4% of the company’s worldwide annual revenue |
| Designation of a Data Protection Officer | Not mandatory but recommended | Mandatory according to art. 37 GDPR |
| Data breach notifications | Mandatory reporting as soon as possible | Mandatory reporting within 72 hours |
| Data exports | Adequacy is determined by the Swiss Federal Council | Adequacy is determined by the European Commission |
| Data Protection Impact Assessment | Consultation of a Data Protection Officer instead of the FDPIC is possible in case of high risk despite measures taken | Duty to consult the supervisory authority in case of high risk despite measures taken |
| Profiling | General obligation to obtain consent is only imposed for high-risk profiling | General obligation to obtain consent |
| Sensitive data | Includes the two additional categories «data on administrative or criminal proceedings and sanctions» and «data on social security measures» | According to art. 9 GDPR |
- Sanctions
  New FADP: Responsible private persons can be fined up to CHF 250,000.
  GDPR: The supervisory authorities of each EU member state can impose administrative fines and penalties for non-compliance with the provisions. This includes fines of up to 4% of a company's global annual revenue or EUR 20 million (whichever is greater) for the most serious violations, e.g. processing personal data without consent or failing to implement adequate security measures.
- Designation of a Data Protection Officer (DPO)
  New FADP: The appointment of a Data Protection Officer (in Switzerland: Data Protection Advisor, DPA) is not mandatory, but strongly recommended. The DPA is the single point of contact for the Federal Data Protection and Information Commissioner (FDPIC).
  GDPR: According to art. 37 GDPR, it is mandatory to appoint a DPO under certain circumstances.
- Data breach notifications
  New FADP: Any data breach must be reported to the FDPIC as soon as possible.
  GDPR: Data breaches must be reported to the competent EU supervisory authority within 72 hours.
- Data exports
  New FADP: Adequacy of data exports is determined by the Swiss Federal Council. EU standard contractual clauses and binding corporate rules can be applied.
  GDPR: Adequacy of data exports is determined by the European Commission. Standard contractual clauses and binding corporate rules apply.
- Data Protection Impact Assessment
  New FADP: If there is a high risk to the privacy or fundamental rights of data subjects, a Data Protection Impact Assessment (DPIA) must be performed. If the risk persists despite the measures taken, a DPA can be consulted instead of the FDPIC.
  GDPR: If the risk persists despite the measures taken, the supervisory authority must be consulted.
- Profiling
  New FADP: The revised law regulates profiling, i.e. automated data processing to evaluate personal aspects of an individual, such as economic circumstances, health, interests, behavior, or location. However, a general obligation to obtain consent is only imposed for high-risk profiling.
  GDPR: A general obligation to obtain consent applies.
- Sensitive data
  New FADP: As of September 2023, sensitive personal data under the FADP also includes data on administrative or criminal proceedings and sanctions as well as data on social security measures. These are two additional categories compared to the GDPR.
  GDPR: Sensitive data, under the GDPR called special categories of personal data, includes: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or a natural person’s sex life or sexual orientation.
To summarize: The new FADP is aligned with the GDPR as far as possible, so that Swiss companies keep their competitive edge.
Yet, certain differences remain. The good news is: you are now aware of them.