What is FADP? The New Swiss Data Protection Law, Explained

What is FADP?

The Federal Act on Data Protection (FADP) aims to protect the privacy and the fundamental rights of persons when their data is processed. 

The FADP came into force in 1992 - at a time when the Internet was not yet being used commercially and today's digital reality was not yet foreseeable. On 1 September 2023, the revised FADP came into effect. It includes changes aiming to better protect Swiss citizens’ personal data.

For example, companies have to justify why they collect information from their customers and to disclose with which third parties they share this information. Additionally, individuals now have the right to know how long their data will be stored and what purposes it will be used for. They can also request corrections of any inaccurate data without having to give a reason.

The new FADP compliance requirements

Any Swiss-based and international company that provides goods or services to Swiss citizens and organizations or processes sensitive data about them, such as medical records, genetic material, and political views, is subject to the new law. If a company has no physical presence in Switzerland, it is not exempt from the FADP requirements. It needs to designate a Swiss representative who acts as a point of contact for the supervisory authority and data subjects in Switzerland for all issues related to data processing.

Revision of the FADP

The FADP was passed in 1992. However, the Swiss government realized that it needed to update the law to reflect modern security threats and to provide improved guidelines to companies for protecting sensitive information. Another goal was to harmonize the law with the EU’s General Data Protection Regulation (GDPR).

After several rounds of public comments, the revised version of the FADP was expected to take effect on 1 January 2022, but was pushed back to enter into force on 1 September 2023. The new FADP clearly aligns Swiss with EU standards. It ensures that the free movement of data with the European Union can be maintained, helping Swiss companies to remain competitive.

Five key changes to be aware of

Here are five key changes to the FADP and how they impact Swiss and international organizations:

1. Extended User Consent

   The revised FADP focuses on end users’ awareness of the usage of their data and data collection consent. When obtaining consent from the data subject, organizations must clearly communicate the rights and options the individuals have. In addition, they must provide clear information about the collection, storage, processing, and use of the individuals’ data as well as take action as per the privacy preferences of individuals without asking for any reasons or pursuing them for reconsideration.

2. Easier Subject Access Requests

   The new FADP makes subject access requests easier for individuals as there is no need for them to provide any information about themselves or their connection with the person who processed their personal data. Any individual can ask for details about the personal data an organization collects and stores about them at any time, namely:

   
   What personal information an organization holds about an end user
   - How they use it
   - Who they share it with and
   - How they collect the data

3. Increased Severity of Sanctions

   Any individual may object to the processing of their personal data if there's no legitimate interest in processing or if the person simply chooses not to share their information. Under certain circumstances, individuals are also able to restrict specific types of processing, such as automated decision-making or profiling.
   
   The revised law expands the power of the Federal Data Protection and Information Commissioner (FDPIC) to enforce an increased severity of sanctions against companies failing to meet the new standards. However, unlike the European data privacy authorities, the FDPIC has no sanctioning powers under the new law. The offending persons are fined by the cantonal prosecution authorities. Although the FDPIC may lodge a complaint and exercise the rights of a private plaintiff in the proceedings, he/she has no right to file a criminal complaint.
   
   In the case of infringements, private persons can be fined up to CHF 250,000 depending on severity. Punishable are wilful acts and omissions, such as violation of duties to provide information and breaches of professional secrecy, but not negligence. In principle, the responsible natural person is fined. However, the company itself can also be fined up to CHF 50,000 if the investigation to determine the actual person responsible within the company would involve a disproportionate effort.

4. Breach Notifications

   The new FADP requires organizations to communicate a cyberattack or a security breach to users, the FDPIC, and all potentially affected stakeholders as soon as possible to avoid legal sanctions and further complications. The data controllers of an organization must take the following communication steps in case of a security incident:

   - Notify the FDPIC immediately
   - Explain the type of personal data breach
   - Describe potential consequences of the data breach
   - Explain remedy measures and mitigate risks for data subjects affected
   - Notify the data subjects affected by the data breach
   

5. Privacy by Design and Default

   As per the new law, organizations must take into account the latest data security and processing principles at the planning and design stage of applications, keeping the privacy of users in mind. This enables them to build security-first applications that ensure «privacy by design and default» rather than improving security and privacy features at a later stage or after a security incident.

Further important changes

• Only data of natural persons are now covered.
• The definition of «sensitive personal data» includes genetic and biometric data.
• Data Protection Impact Assessments (DPIA) must be conducted if there is a high risk to the privacy or fundamental rights of data subjects.
• Keeping a register of processing activities is mandatory. Exemptions are possible for SMEs whose data processing presents limited risk to the data subject.

GDPR vs. new FADP

While the GDPR and the FADP have many similarities (e.g. strict sanctions for violations, breach notification requirements, and a focus on data privacy and protection), there are also some key differences:

Why is it so important to comply with the new FADP?

• Failure to comply can result in significant fines as well as reputational damage.
• Compliance helps organizations to build trust with their customers and to show their commitment to protecting personal data.
• Compliance helps to ensure that individuals' personal data is handled in a responsible and secure manner and that individuals have control over how their data is used.
• Compatibility with EU law: The new FADP shall ensure that the free movement of data with the European Union can be maintained, helping Swiss companies to remain competitive.

What is the first thing a company should do in view of the new FADP?

• Prioritize the protection of data.
• Perform a data protection gap analysis:
  
  
  • Analyze the current situation in terms of data protection.
  • Identify any potential weaknesses and risks related to data protection.
  • Define a roadmap for mitigating the risks and implementing measures.
• Appoint a Data Protection Officer (DPO) who is responsible for monitoring compliance with Swiss FADP and other data protection laws, and for providing advice and guidance on data protection.
• Keep records of all processing activities (data processing register).
• Define internal practices and procedures for storing, using, transferring, and destroying data in compliance with the new law.
• Define processes for Subject Access Requests, handling of data breaches and Data Protection Impact Assessments.
• Educate all employees on the new FADP and privacy-related issues .