Swiss Federal Data Protection Act (FADP)

SR 235.1 - Federal Act of 25 September 2020 on Data Protection

Highlights

Territorial Scope:

The FADP applies to the processing of Personal Data of natural persons by private persons and federal bodies in the context of the activities that have an effect in Switzerland, regardless of whether the processing takes place in Switzerland or not. This summary outlines the responsibilities and obligations of private persons (which under the act means natural and legal persons).¹

The Act does not apply to personal data being processed by a natural person exclusively for personal use, by parliamentary institutions during their deliberation, and entities who enjoy immunity in Switzerland.

Principles:

• Lawfulness
• Proportionality
• Purpose limitation
• Data minimization
• Accuracy
• Storage limitation
• Data protection by design and data protection by default.

Controller and Processor Obligations:

• Implement appropriate technical and organizational measures to ensure and to demonstrate that processing is performed in accordance with the FADP.
• Implement appropriate technical and organizational measures, which are designed to implement data protection principles by design and by default.
• Controllers and Processors to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
• For Processors, not process Personal Data except on instructions from the Controller, unless required to do so by the law.
• For Controllers not established in Switzerland, designate in writing a Swiss representative when processing Personal Data of persons in Switzerland and when the processing:
  
  • is connected to the offering of goods or services or monitoring of behavior of persons in Switzerland;
  • is done on a large scale;
  • is carried out regularly;
  • poses high risk to the personality of the Data Subjects.
• For Controllers and Processors, maintain a record of their processing activities containing at minimum the information enumerated in the law, unless an exception by the Federal Data Protection and Information Commissioner (FDPIC) has been granted to a legal entity that has less than 250 employees and whose processing of data does not pose heightened risk to the data subjects.
• Notify the Data Subject the Controller is collecting Personal Information about them, the purpose of collection, use or disclosure, international transfers, the rights individuals are entitled to, including if information is collected from someone other than the individual.
• Notify the Data Subject about decision-making that is exclusively based on automated processing, the outcome of which may have legal consequences or considerable adverse effects on the data subject.
• If processing Personal Data that is likely to result in a heightened risk to the Data Subjects, Controllers will be required to conduct data protection impact assessments beforehand, unless the private controller is required to process personal data by law.
• For Controllers, in the case of a Breach of Data Security that is likely to result on high risk to the data subjects, notify the FDPIC as soon as possible. In addition, the Controller must inform the Data Subject of a breach if this is required for their protection or if requested by the FDPIC.
• For Processors, notify the Controller without undue delay after becoming aware of a Data Security Breach.

Data Subject Rights:

The Controller shall respond to the Data Subject without undue delay and in any event within 30 days of receipt of the request.

• Right of information
• Right to data portability
• Right to rectification
• Right to erasure (“right to be forgotten”)
• Right to restriction of processing
• Right to object to processing of Personal Data

Cross-border Data Transfers to Third Countries or International Organizations:

• Transfers on the basis of an Adequacy Decision: A transfer of Personal Data to a third country or an international body may take place where it is based on the Switzerland’s decision that the foreign country or international body has been assessed as providing adequate protection for people’s rights and freedoms about their Personal Data.
• Transfers subject to Appropriate Safeguards: In the absence of adequacy regulations, a Controller or Processor may transfer Personal Data to a third country or an international organization only if the adequate level of data protection is guaranteed by: (a) an international treaty; (b) data protection clauses incorporated in the agreement between Controller and Processor; (c) specific guarantees by applicable federal body; (d) standard contractual clauses approved by FDPIC; or (e) binding corporate rules approved by FDPIC.
• Exceptional Circumstances: In certain circumstances, Personal Data may be disclosed abroad if the data subject has consented to such disclosure; disclosure is connected to the performance of a contract between the Controller and the Data Subject, or a contractual partner; disclosure is necessary to safeguard public interest, exercise legal rights; to protect the life of data subject; data subject has made data generally available.

Data Security Breach Notification:

• Timeline and requirements for Notification to the Federal Data Protection and Information Commissioner (FDPIC): As quickly as possible after becoming aware of a Data Security Breach (unless the Data Security Breach is unlikely to result in a risk to the personality or fundamental rights of natural persons) the Controller must notify FDPIC. In the notification it shall at minimum specify the nature of the Data Security Breach, its consequences and the measures taken or planned to be taken by the Controller. The Processor shall notify the Controller without undue delay after becoming aware of a Data Security Breach.
• Requirements for Notification to Affected Data Subjects: When the Data Security Breach is likely to result in a high risk to the fundamental rights and personality of natural persons, the Controller shall communicate the Data Security Breach to the Data Subject if the notification is required for their protection or if the FDPIC so requests.
• When Notification to Affected Data Subjects may be delayed or be avoided?
  
  • If the Controller is prevented from disclosing such information under a law or statutory duty of confidentiality.
  • If it would involve disproportionate effort or if the notification is done instead by a public communication or similar measure whereby the Data Subjects are informed in an equally effective manner.

More Details

Definitions:

• Controller: The private person which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
• Breach of Data Security: A breach of security that leads to the accidental or unlawful loss, deletion, destruction or modification or unauthorized disclosure or access to Personal Data.
• Data Subject: A natural person whose Personal Data is processed.
• High Risk Profiling: Profiling that poses a high risk to the data subject by matching data that allow an assessment to be made of essential aspects of the personality of a natural person.
• Personal Data: Any information relating to an identified or identifiable natural person.
• Processor: A private person or federal body that processes Personal Data on behalf of the Controller.
• Profiling: Any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
• Sensitive Personal Data: Personal Data revealing religious, philosophical, political, or trade union views or activities, data concerning health, the private sphere, race or ethnic origin, the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data relating to administrative and criminal sanctions and data relating to social assistance measures.

Penalties:

The Federal Data Protection and Information Commissioner (FDPIC) supervises the application and compliance with the FDAP. Infringements of certain obligations by private persons can be subject to administrative fines up to 250,000 Francs.

Effective Date:

September 1, 2021

¹ Note that the FADP has an extensive section specifically regulating the obligations of Federal Bodies, which is not included here. For more information see Chapter 6 Special Provisions on Data Processing by Federal Bodies.