The new Federal Act on Data Protection (nFADP) regulates how the data of Swiss citizens should be handled. The nFADP came into effect on September 1, 2023, and is a revised version of the original Federal Act on Data Privacy of 1992.
The nFADP introduces stricter policies on personal data processing and gives Swiss citizens new rights over the control of their personal data.
nFADP – What’s new?
As technology has evolved over the years, the previous FADP struggled to regulate new technological advancements, highlighting the urgent need for Switzerland to implement major reforms that align with these developments. Some of the major changes introduced in the nFADP include:
- Only data of natural persons (such as you, me or your neighbour) are covered and protected under the nFADP. Data of legal persons (such as companies or organisations) are not covered.
- Genetic and biometric data are considered sensitive data.
- Introduction of the principles of “Privacy by Design” and “Privacy by Default”. Privacy by Design means that developers have to consider the protection and respect of users’ privacy when developing products or services that collect personal data. Privacy by Default means that products or services should be configured out of the box to the highest level of protection, so that users’ privacy is protected and respected without any action on their part.
- It is mandatory for companies to keep a register of processing activities. However, SMEs whose processing poses limited risks are exempted from this.
- Companies are required to promptly notify the Federal Data Protection and Information Commissioner in the event of a data security breach.
- Automated profiling of personal data is regulated.
- Appointment of a data protection officer in a company. This person should be the contact person for users and authorities dealing with data protection in Switzerland.
The aim of the Swiss government was to improve the processing of personal data and make its data privacy law compatible with the European Union’s General Data Protection Regulation (GDPR). Since Swiss and EU companies do a great deal of business with each other, it is crucial to be aware of the requirements of both jurisdictions’ data privacy regulations.
In this article, we give an overview of the nFADP and compare it with the GDPR.
nFADP – Scope
The nFADP applies to the processing of the personal data of natural persons by private persons or federal bodies. It does not apply to personal data processed by a natural person exclusively for personal use; to data processed by the Federal Assembly and parliamentary committees during their deliberations (governmental processes); or to data processed by entities enjoying immunity under the Host State Act (institutional immunity).
The Act also applies to processing that has an effect in Switzerland, even if the processing originates in a country outside Switzerland.
Requirements for Personal Data Collection and Processing
Before collecting and processing your users’ personal data, here are a few things to bear in mind:
- Ensure that your data collection and processing is carried out honestly, transparently and with integrity. In practice this means clearly informing users that their data will be collected and why. The data you collect must be relevant to the stated purpose. For example, if you are verifying a person’s identity for a loan, you may ask them for a valid ID or passport details, but you cannot ask for their financial records or how many relationships they are in.
- You must also ensure that the personal data collected is used for a specific purpose and will not be misused for unrelated purposes. For example, if you are collecting financial data to assess a person’s creditworthiness, you cannot use that information to make decisions about their employment status without their consent or a lawful basis.
- You must destroy data that is no longer required for processing.
- The data you have collected must be accurate and kept up to date. If personal data is incorrect or incomplete, you can correct it, delete it or destroy it.
- A user’s consent is legally valid only if it is given voluntarily and for the specific purpose and processing you have described to the user, and you must ensure that the user has been fully informed about the processing before consenting. Consent must be given without force, threats or coercion. For example, an employer cannot force its employees to disclose their financial status by making it a condition of their employment.
- Explicit consent is mandatory if you collect and process sensitive personal data, or if you use automated processing (such as AI or algorithms) to evaluate, predict or make decisions based on a person’s characteristics or behaviour, or in the context of law enforcement, national security or social welfare, whether on behalf of a private person, an organisation or a government agency or authority.
Important Note: According to nFADP, sensitive personal data includes data relating to:
- Religious, philosophical, political or trade union-related views or activities;
- Health, private life (personal relationships, thoughts, beliefs and lifestyle choices) or affiliation to race or ethnicity;
- Genetic data;
- Biometric data that uniquely identifies a human individual;
- Administrative and criminal proceedings or sanctions; and
- Social assistance measures.
nFADP – Legal Basis
The nFADP requires controllers and processors to guarantee an appropriate level of data security by implementing technical and organisational measures to prevent data security breaches. It is important to note that a controller can assign the processing of personal data to a processor (a third-party service provider or vendor) only if:
- The processor processes the personal data only in a way that the controller itself would be legally allowed to. The processor is subject to the same rules and limitations as the controller; and
- There are no legal or contractual obligations that prevent the controller from delegating the personal data processing to a processor. For example, if you signed a non-disclosure agreement with a client, then you cannot assign the data processing procedure to a third party.
According to the nFADP, private controllers based in another country that process the personal data of Swiss nationals must appoint a representative in Switzerland if the processing meets all of the following requirements:
- The processing is related to offering goods or services or tracking people’s behaviour in Switzerland
- Processing involves a large amount of data
- Processing happens regularly
- Processing significantly affects the privacy of the individuals involved
Data Sharing and Third Parties
Data sharing and transfers are sometimes unavoidable, especially when companies need to share data with third-party partners to conduct their operations. Both the nFADP and the GDPR place rigorous requirements on data controllers and processors regarding the sharing of data, especially with external parties.
The nFADP requires that individuals be informed if their personal data will be shared with a third party, and controllers and processors must obtain the individual’s voluntary consent. Contracts with third parties must provide an adequate level of data protection according to the standard set in the Act. Data controllers should have a legitimate reason for processing and sharing personal data with third parties, such as the individual’s consent, the fulfilment of contractual obligations or compliance with legal requirements.
Similarly, the GDPR requires companies to have written agreements with third parties that receive personal data. These must comply with GDPR standards on matters such as cybersecurity, confidentiality and data breach reporting. Data controllers are also obliged to demonstrate GDPR compliance through proper documentation, regular assessments and records of data processing activities, especially those carried out by third parties.
International Transfers Under The nFADP
The nFADP states that personal data may only be disclosed to a party in another country if the Federal Council has decided that the legislation of the recipient country or international body guarantees an adequate level of protection. The Swiss Federal Council maintains and periodically updates a list of countries that guarantee an adequate level of data protection.
If the Federal Council has not decided whether a country’s legislation provides the required level of data protection, personal data may still be disclosed to that country if one of the following applies:
- The recipient country has signed a treaty under international law;
- Clear data protection clauses are in the agreement between the controller or processor and the contractual partner. FDPIC must be notified beforehand;
- A federal body from the recipient country can provide specific guarantees. FDPIC must be notified beforehand; or
- The contract contains standard data protection clauses or binding corporate rules that have been approved by the FDPIC or an authority in the recipient country that handles data protection.
There are also exceptions under which personal data may be disclosed abroad even without one of the guarantees above: the user has explicitly consented to the disclosure; the disclosure is part of a contract between the controller and the user, or between the controller and a contract partner; the disclosure is needed to protect an overriding public interest or to establish, exercise or enforce legal rights before a court or foreign authority; the disclosure is necessary to protect the user’s life and it is not possible to obtain the user’s consent within a reasonable time; the user has made the data publicly available; or the data comes from a statutory register that is publicly available.
It is important to note that if personal data is made publicly available through automated services (such as websites, social media or databases), this is not considered disclosure of data abroad, even though the information can be accessed from other countries.
Under the GDPR, when companies transfer data outside the European Economic Area, data controllers must have safeguards in place, such as standard contractual clauses and binding corporate rules, and ensure compliance with the regulation.
Companies Obligations Under The nFADP
Businesses that have already aligned with the EU General Data Protection Regulation (GDPR) will need to make very few adjustments. The Swiss Federal Council emphasised in the nFADP a risk-based approach, under which businesses evaluate the risks to data subjects throughout the entire data lifecycle and address them appropriately.
Provide information when collecting personal data
The controller must inform the user that personal data is being collected and, if the data will be disclosed abroad, of that disclosure. When informing the user, the controller must also provide its identity, contact details, the purpose of the processing and the recipients of the personal data (if any). If the data is not collected directly from the user, the controller must inform them no later than one month after receiving the data that the information has been collected and, if applicable, that it is being disclosed abroad.
The duty to inform does not apply if the user is already aware of the processing, if the processing is required by law, if the controller is a private person bound by a statutory duty of confidentiality, if the controller is legally required to uphold professional secrecy or to protect overriding third-party interests, or if the access request is unjustified.
Privacy Policy
Companies have to provide a comprehensive privacy policy that clearly sets out the types of personal data collected, the purposes of the processing and the rights of users. It should be easily accessible to users.
Keep a record of processing activities
The nFADP requires controllers to include at least the following information in their records:
- Identity of the controller
- Purpose of the processing
- Description of the categories of data subjects and categories of processed personal data
- Categories of recipients
- The retention period for the personal data or the criteria for determining this period
- General description of the measures taken to guarantee data security
- If data is disclosed abroad, details of the State and the guarantee that there is an appropriate level of data protection
As for processors, the nFADP requires their records to contain:
- Identity of the processor and the controller
- The categories of processing carried out on behalf of the controller
- General description of the measures taken to guarantee data security
- If data is disclosed abroad, details of the State and the guarantee that there is an appropriate level of data protection
Certification of Processing Systems or Programs
Manufacturers of data processing systems or programs, as well as controllers and processors, can have their systems, products or services certified by recognised independent certification bodies.
Data Protection Officer
Under the nFADP, businesses can designate a data protection advisor. Where the advisor has been consulted on a Data Protection Impact Assessment, the controller can rely on that internal advice without having to consult the Federal Data Protection and Information Commissioner (FDPIC).
Develop appropriate Data-Sharing or Third-Party Sharing Practices
Controllers and processors must address the compliance complexities, especially with sensitive data, by ensuring a legal justification, implementing technical (e.g., encryption) and organisational safeguards, and securing data protection agreements with third parties. Review data processing agreements with external suppliers to ensure they comply with the nFADP’s requirements.
Conduct Data Protection Impact Assessments (DPIA)
A DPIA is required if the processing of personal data can pose a high risk to the user’s personality or fundamental rights, and it is carried out before the processing begins. According to the nFADP, a high risk may arise in particular from large-scale processing of sensitive personal data or from systematic large-scale monitoring of public areas.
The DPIA should include a description of the planned processing, an evaluation of the risks to the users’ personality or fundamental rights and a description of the measures to protect the users’ personality and fundamental rights.
Private controllers are exempted from carrying out a DPIA if they are required by law to process the data. Also, a private controller does not need to carry out a DPIA if its system, product or service is certified by an independent certification body.
Compliance Audit
Regularly conduct compliance audits by internal and third-party experts to ensure that the company is compliant with the nFADP.
Data Breach Notification
The controller must notify the FDPIC as soon as possible of any data security breach that is likely to pose a high risk to the users’ personality or fundamental rights. The notification must state the nature of the breach, its consequences and the measures taken or planned. The controller must also inform the affected users if this is necessary for them to protect themselves or if the FDPIC requests it.
Similarities

| Feature | nFADP | GDPR |
| --- | --- | --- |
| International data transfers | Data protection adequacy is determined by the Swiss Federal Council | Data protection adequacy is determined by the European Commission |
| Scope | Protects personal data of people in Switzerland | Protects personal data of people in the EU and EEA |

Differences

| Feature | nFADP | GDPR |
| --- | --- | --- |
| Penalties | Maximum fine of CHF 250,000 against private individuals | Maximum fine of EUR 20 million or 4% of the company’s worldwide annual revenue |
| Processing activities | Provide a list of all recipient countries and ensure they have an adequate level of data protection | Provide all records of processing activities, including the name of the company, the personal data that is processed, its purpose and the security measures |
| Data breach notification | Report to the relevant authority as soon as possible; no specified timeframe | Report within 72 hours |
| Data Protection Impact Assessments | Required only if processing poses a high risk to users’ personality and fundamental rights. Exempts controllers whose software, products or services are certified by an independent certification body | Mandatory even where no high risk is posed. Must be conducted every 3 years. Has a list of processing operations that require a DPIA |
Monica Aguilar
Monica is a legal and business professional with a diverse background in law, media, and corporate governance. Her career began in journalism, where she worked as a radio host, TV and print business journalist, and television producer, before transitioning into commercial law. As a barrister and solicitor in Fiji, she advised on corporate governance, foreign investment, mergers and acquisitions, contract law, and regulatory compliance.