Legislative Update: Swiss Data Protection Act took effect September 1

The new Swiss Federal Act on Data Protection, known by the acronym “nFADP,” took effect on September 1. The law was enacted by the Swiss parliament in 2020.

The law introduces new rights for Swiss citizens, but also corresponding obligations for businesses that process personal data subject to the law. The law is intended to be more closely aligned to the European Union’s General Data Protection Regulation and allows for a free flow of information between EU and Swiss companies.

Noteworthy provisions

Here are some of the more noteworthy provisions of the new law and how it contrasts with its predecessor, the Federal Data Protection Act of 1992:

  • Scope: The new law has a narrower scope as it applies to data of natural persons, rather than legal “persons,” like corporations. The new law further clarifies that the law extends to any circumstances that have effect in Switzerland even if they were initiated abroad. Thus, any entity that processes personal data of Swiss residents or that may have an effect on Swiss territory may be subject to the Act.
  • Extended definitions: The new law expands the definition of “sensitive data” by adding genetic and biometric data that uniquely identifies a natural person. The Act also introduces and defines “profiling” and “high-risk profiling” as two distinct concepts with heightened security requirements and protections.
  • New principles: Although most of the principles of the predecessor remain unchanged, the new law introduces new principles: “data protection by design,” and “data protection by default.” These new principles require controllers to have technical and organizational measures in place appropriate to the nature and risk of processing the data.
  • Record of processing activities: Both controllers and processors are required under the new law to maintain a record of their processing activities. At a minimum, the record must contain the information enumerated in the law, unless an exception by the Federal Data Protection Commissioner has been granted to a legal entity with fewer than 250 employees and whose processing of data does not pose heightened risk to the data subjects.
  • Mandated data protection impact assessments: Controllers processing personal data that is likely to result in a heightened risk to the data subjects will be required to conduct data protection impact assessments beforehand, unless the private controller is required by law to process personal data.
  • Reporting data protection breaches: The law requires controllers to notify the Commissioner of any data security breach that is likely to result in high risk to the data subjects. The law does not set a deadline for such reporting and merely indicates that the Commissioner must be notified “as quickly as possible.” In addition, the controller must inform the data subject of a breach where doing so is required for the protection of the subject or if the Commissioner requests it.
  • Violations and fines: The new law provides for fines to be levied against those who violate the Act.

Similarities to, and differences from, the GDPR

The Swiss nFADP has many similarities with the GDPR:

  • Obligations of transparency and publishing of privacy notices.
  • Adoption of administrative, technical, and security measures.
  • Conducting data protection impact assessments.
  • Entering contractual arrangements with processors.
  • Maintaining a register of processing activities.
  • Providing certain rights to data subjects.
  • Application to cross-border data transfers.

Nevertheless, the nFADP and GDPR are not identical. Some noteworthy differences include the following:

  • Explicit consent under nFADP is required only for processing of sensitive personal data, high-risk profiling by private persons, and profiling by a federal body.
  • The GDPR requires that covered entities appoint a Data Protection Officer under certain circumstances. The nFADP does not have a similar obligation. However, controllers operating outside Switzerland are required by the nFADP to appoint a representative in Switzerland if the controllers meet certain requirements enumerated in the nFADP.
  • The nFADP requires that data breaches be reported to the Federal Data Protection Commissioner as soon as possible, and to data subjects under certain circumstances.

Conclusion

Controllers and processors collecting and processing personal data of data subjects in Switzerland, or whose processing will have an impact on Swiss territory, must evaluate their processing activities to determine how their obligations have changed. After determining their compliance obligations, they should establish policies, procedures, and processes to address the new obligations.

The Constangy Cybersecurity & Data Privacy Team assists businesses of all sizes and industries with implementing necessary updates to their privacy and compliance programs to address these complex and evolving regulatory requirements. If you would like additional information on how to prepare your organization, contact us directly at cyber@constangy.com.

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation.