
Switzerland is implementing new legislation to better protect its citizens’ data (“revFADP”), replacing the longstanding Federal Act on Data Protection of 1992. The revFADP improves the processing of personal data and grants Swiss citizens new rights consistent with other comprehensive data protection laws, such as the General Data Protection Regulation (GDPR) and UK GDPR. This important legislative change also comes with a number of increased obligations for companies doing business in Switzerland. Companies must quickly get up to speed on the revFADP requirements because the Act takes effect on September 1, 2023. Companies should not assume that compliance with the GDPR and UK GDPR equals compliance under the revFADP. While this revised legislation has many similarities to the GDPR, there are a few stark differences companies should be aware of. Here is the breakdown of what companies should know.

  • No Compliance Grace Period. Unlike recent modifications to data protection legislation, the revFADP does not offer a grace period for companies to get up to speed. Therefore, companies processing data of Swiss citizens have a little over eight months to get compliant.
  • Penalties. The revFADP does not impose civil penalties on entities. However, intentional violations of the Act can result in criminal sanctions of up to 250,000 Swiss Francs (CHF) against individuals (potentially DPOs and C-Suite executives) rather than the entity. The Swiss Federal Data Protection and Information Commission (FDPIC) has no right to file a criminal complaint. Law enforcement and traditional prosecution authorities will be responsible for enforcing criminal sanctions. Although individuals face fines under the revFADP, companies can also be fined up to CHF 50,000 if an investigation to determine the punishable natural person within the company or organization would entail disproportionate effort – demonstrating that the revFADP is focused on holding individuals accountable and that authorities should not have to search hard for a responsible individual. The sanctions under the revFADP are a huge contrast to the GDPR, which only fines companies for violations rather than individuals.
  • Expanded Definition of Sensitive Data. The revFADP expands the list of data that fall under the category of “sensitive personal data.” The new list includes genetic and biometric data that unequivocally identify a natural person. The explicit consent of the data subject is required when processing sensitive personal data.
  • Profiling Addressed. Like the GDPR, the revFADP now contains a legal definition of “profiling” that corresponds to the EU GDPR and was not included in the previous FADP. The explicit consent of the data subject is required for high-risk profiling (e.g., personality profiles) of personal data.
  • Emphasized Importance of an “Independent” DPO. While a DPO is optional for private entities under the GDPR and revFADP, the Swiss Federal Data Protection and Information Commission (FDPIC) strongly emphasizes the importance of an independent DPO, meaning that the DPO’s activities should remain separate from other business activities of the company, including other legal advice and representation. Thus, using an internal position or outside counsel may not satisfy the independence requirement for DPOs. Additionally, the FDPIC has recommended that DPOs speak at least one of the languages of Switzerland (e.g., French, German, Italian, Romansh) to effectively communicate with Swiss data subjects. Notably, English is not an official language of the Swiss Confederation.
  • Breach Notice for Serious Attacks Only + No Clear Notice Timeframe. Under Article 24 of the revFADP, the controller must notify the FDPIC of certain serious personal data breaches “as soon as possible.” Whether “as soon as possible” is faster or slower than the 72-hour requirement under the GDPR is unclear. The FDPIC also emphasizes that notice of breaches should only be made if they pose an “imminent danger” to data subjects. Thus, controllers are not required under the revFADP to inform the FDPIC about unsuccessful cyberattacks.
  • Data Transfers. There is an expectation to use Swiss-specific SCCs for Swiss-only transfers. However, the FDPIC has not issued a Swiss-only mechanism for transfers yet. Additionally, the FDPIC has not released any adequacy decisions, but the assumption is that adequate countries for data transfers will mirror the European Commission’s decision(s). In the interim, the EU Standard Contractual Clauses (EU SCCs) and approved Binding Corporate Rules are appropriate mechanisms to transfer personal data to and from Switzerland.
  • Privacy Policy Considerations. Article 25 revFADP contains an extended list of minimum information that data controllers must disclose to data subjects. Privacy policies should be updated to reflect the following information:
    • the controller’s identity and contact details;
    • the purpose of the processing of data;
    • the identity of recipients of data and categories of data recipients in case of data transfer to third parties;
    • the jurisdiction where the data is transferred to;
    • requisite safeguards implemented in case of cross-border data transfer; and
    • as stated above, private data controllers must notify the data subjects in advance each time sensitive data or data for profiling is collected, whether directly or indirectly.
  • Data Protection Impact Assessments (DPIAs) Required. Data protection impact assessments are nothing new in Swiss data protection law; federal bodies are already required to conduct DPIAs. Under Art. 22 revFADP, data controllers from the private sector must now also conduct DPIAs if the planned processing may involve a high risk to the privacy or the fundamental rights of data subjects. Processing is deemed high risk if profiling or extensive processing of sensitive data is planned.
  • Records of Swiss Processing Activities Required. The revFADP requires both data controllers and data processors to keep a list of all data processing activities. This list mirrors the details of processing in Annex I.B. of the EU SCCs. The list must always be kept up to date. The revFADP carves out an exemption to this requirement for businesses with fewer than 250 employees and where data processing entails a low risk of privacy breaches for data subjects.

We will continue to monitor FDPIC updates and guidance on the revFADP. For more information on data privacy and security regulations and other data privacy questions, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy & Data Security Mobile Application.