Swiss Federal Act on Data Protection (nFADP)
Switzerland is on the verge of introducing a new Swiss Federal Act on Data Protection (nFADP), which will come into force on 1 September 2023. This update is necessary to adapt Swiss legislation to the digital age and to comply with the EU's General Data Protection Regulation (GDPR). In this article, we'll explore in detail what this new law means for Swiss businesses and what you need to do to comply with its stringent requirements.
What is the new Swiss Federal Act on Data Protection?
The Swiss Data Protection Act has existed since the 1990s, but it is now obsolete in the age of increasing digitalisation. The aim of this revision is to ensure that personal data can be exchanged between countries, while at the same time providing adequate protection for personal data.
The main changes
The new FADP introduces a number of significant changes. The first two deserve particular attention:
- Extended liability: Previously, only the company itself could be held liable for breaches of the law. From now on, the person responsible, including owners and employees, may also be the first to be targeted by criminal proceedings. In addition, the maximum fine has been increased from CHF 10,000 to CHF 250,000.
- Limited scope: The scope of the new Data Protection Act in Switzerland is now limited to the protection of the data of natural persons, excluding the data of legal entities.
- Alignment with the European GDPR: Switzerland is adopting legislation equivalent to the General Data Protection Regulation (GDPR) in force in the EU since 2018. This harmonisation facilitates cross-border business relations.
- Explicit consent: Companies must obtain the consent of individuals in a clear and unambiguous manner before collecting or processing their personal data. Consent must be free, informed and active.
- Right to be forgotten: Individuals can ask for their personal data to be deleted. Companies are obliged to delete personal data unless there is a legitimate reason to retain it.
- Privacy by design: Companies must incorporate data protection into the design of their products and services by default.
- Notification of violations: Obligation to report any data breach presenting a high risk for data subjects as soon as possible.
These changes require an in-depth review of your data protection policies and practices.
Date of entry into force
Switzerland's new data protection law is due to come into force on 1 September 2023. It is important to note that there will be no transition period, which means that your company must comply from that date.
Implications for your company
To ensure compliance with the new Swiss Federal Act on Data Protection, you will need to take a number of essential steps, including:
- Manage and process data in a modern way, in line with the current state of technology.
- Raise awareness and train your staff in data protection and data security.
- Fulfil various information and documentation obligations, such as keeping a register of data processing activities and publishing a data protection declaration on your website.
The consequences of non-compliance
Failure to comply with the new FADP could have serious repercussions. In addition to possible sanctions by the Federal Data Protection Commissioner, offenders risk fines of up to CHF 250,000 and criminal proceedings. It is important to note that these criminal sanctions are aimed primarily at those responsible for the organisation, in particular its directors.
Risks of breach
Your company runs a high risk of breaching the new Swiss Data Protection Act (nLPD) if you do not take the necessary measures to store, transfer, communicate and secure data appropriately.
Compliance deadline
The Federal Council has given Swiss companies one year to comply with the new Swiss Federal Act on Data Protection, from 31 August 2022. As a result, from 1 September 2023, all companies must comply with the new regulations.
No transition periods
There are no transitional periods, which means that all companies must comply with the new requirements from the date they come into force.
Consequences of delay
The supervisory authorities will be closely monitoring compliance with the new Swiss Data Protection Act (nLPD). Companies that fail to comply with the law may face investigations and potential complaints from customers, competitors or other interested parties.
Not sure if your website complies with the legal provisions of the new Swiss Federal Act on Data Protection? Contact us for a free audit. Do you run Google Ads campaigns or analytics tracking on your website? If so, you may be affected by the new Swiss Data Protection Act.
How to prepare for the new FADP
To avoid any intentional or negligent breaches of the new DPA, we recommend that you take proactive steps to comply with the law. Start now to put in place the necessary requirements, such as information duties and requests for information.
In conclusion, the new Swiss Federal Act on Data Protection (nLPD) brings significant changes that require immediate action from businesses. Don't delay compliance: acting now helps you avoid potential penalties and protects your company's reputation for data protection.
Checklist for compliance with the Swiss nLPD
- Determine whether the law applies to your data processing activities.
- Process personal data lawfully, fairly and solely for the purposes specified.
- Implement appropriate technical and organisational security measures.
- Inform users about the collection of their data and automated decisions concerning them.
- Allow users to access and transfer their data, and respond to requests for rectification, erasure or restriction of processing.
- Carry out data protection impact assessments for high-risk processing activities.
- Report data breaches to the authorities and to the individuals concerned, where appropriate.
- Only transfer personal data abroad if adequate protection is guaranteed by contract.
- Document your data processing activities.
- Implement additional safeguards in the event of profiling or processing of sensitive data.
FAQ on the new Swiss FADP
1. Is the Swiss DPA similar to the EU's GDPR?
Yes, the new Data Protection Act in Switzerland (nLPD) is broadly similar to the EU's GDPR and aims to offer similar protection for personal data.
2. How can I exercise my rights under the Swiss FADP as a citizen?
You can exercise your rights by contacting the organisations that hold your personal data and requesting access, correction or deletion of your data.
3. Are small businesses also subject to the Swiss DPA?
Yes, the Swiss Data Protection Act applies to all organisations, whatever their size.
4. What are the deadlines for reporting a data breach under the new Swiss Federal Act on Data Protection?
Data breaches must be reported to the authorities within 72 hours of discovery.
5. What are the consequences for companies that do not comply with the new Swiss FADP?
Companies that fail to comply with the Swiss Data Protection Act can face substantial fines, as well as damages for individuals affected by the data breach.