As a result of the new Swiss Federal Act on Data Protection (“FADP”), major aspects of the processing of personal data will be altered beginning in 2022. From September 1, 2023, firms will be required to adhere to stricter regulations and will need to adjust their current standards and data protection declarations to meet those requirements.
What does the new FADP entail, exactly?
First and foremost, the Data Protection Act needs updating to reflect the rapidly evolving technical and social environment (the rise of big data, social media, and the Internet of Things). The goal is to strengthen individuals’ ability to make decisions about their own data. It is also being updated to align with European privacy law: the aim is to keep Swiss data protection standards at a level that allows data transfers between Switzerland and the EU to remain uncomplicated in the future.
Is there a reason why the revision is so crucial?
If the EU Commission no longer acknowledged that Switzerland’s level of privacy protection is adequate, the exchange of data with EU businesses would become more complex for Swiss businesses, placing them at a competitive disadvantage.
How soon will the new FADP come into force?
As of September 1, 2023, both the new FADP and a related Ordinance to the FADP will come into effect simultaneously.
When will businesses be required to comply with the new data protection laws?
The updated FADP came into effect on January 1, 2014.
What are the relevant transition periods?
In the revised FADP, there are no transition periods for new members. The consequences of failing to comply with FADP requirements by this deadline are as follows:
- The amended FADP gives the FDPIC more authority to enforce it. On its own initiative, or after being notified, it may open an investigation into an organization and, in cases of violations of data protection law, mandate drastic steps such as adjusting or suspending data processing or even deleting files entirely if necessary.
- Additional civil law remedies are available to data subjects under the updated FADP. As part of a series of reforms to the Civil Procedure Code, judicial procedures must be free of charge.
In the worst case, how much can a corporation expect to pay in penalties for breaching the updated FADP?
Private individuals may be fined up to CHF 250,000 if they intentionally infringe the new FADP, for example by violating duties to disclose information, to cooperate, or to exercise due care. A fine of up to CHF 50,000 may be imposed on the corporation itself if it is impossible to identify the culprits, and no fine of more than CHF 50,000 can be imposed on such individuals.
The GDPR, on the other hand, does not penalize people but imposes far larger penalties on corporations.
What are the most important changes?
When it comes to data protection, the FADP now only protects the data of individuals, as opposed to the data belonging to organizations, as was previously the case.
Genetic and biometric data are now considered highly sensitive.
Improved transparency: Businesses are now required to disclose information in greater detail than before. Individuals must be notified not only about the collection of highly sensitive data, but also when data is collected from third parties, such as public databases or publicly available sources. In addition to the data controller’s name and contact information, the purpose of the processing, the recipients or categories of recipients, and, if the data is exported, the country to which it will be sent must be disclosed. The updated FADP is stricter than the GDPR in this regard.
Companies must keep a list of processing activities containing the necessary information, although they are no longer required to keep a list of data collections. It is recommended to link these directories effectively, especially if the same program or database is used for many data processing tasks. The Federal Council may make exceptions for enterprises with fewer than 250 workers. As of right now, there is no official word on when the new regulation will be put into effect.
All companies are now required by law to carry out an adequate assessment of the impact of data processing on the personality or fundamental rights of data subjects. Data protection impact assessments are therefore mandatory for all companies and must be documented in writing.
Profiling: Automated data processing may also be used to analyze personal characteristics such as an individual’s health, interests, behavior, and location. The new FADP now also regulates profiling. In contrast to the GDPR, the amended FADP does not impose a general requirement to obtain consent; such a requirement applies only to high-risk profiling.
Data security breaches, such as accidental or unlawful loss, deletion, destruction, alteration, or unauthorized access to personal data, must now be reported promptly to the FDPIC (within 72 hours under the GDPR). In general, the controller is obligated to notify the data subject if doing so is necessary for the data subject’s protection or if the FDPIC so requests.
Designing applications with data protection in mind from the outset, and not relying on default privacy settings to obtain users’ agreement to processing that isn’t strictly necessary, is known as privacy-by-design and privacy-by-default.
What exactly do the acronyms stand for?
The Swiss Data Protection Act (FADP) is a federal law (Federal Act on Data Protection). The new Data Protection Act is referred to here as the amended or revised FADP.
The ordinance of the Federal Council pertaining to the FADP is known as the OFADP. It contains the specifics for putting the act into practice. The updated ordinance has yet to be published in full. On June 23, 2021, the Federal Council issued the proposed ordinance for public comment.
The General Data Protection Regulation (GDPR) of April 27, 2016, is the European Union’s data protection law. Since May 25, 2018, it has been directly applicable in all European Union member states. Even though this is a European rule, it applies to Swiss businesses under specific conditions.
What remains unchanged?
Unlike the GDPR, the amended FADP does not fundamentally alter the way data is handled. As in the past, and in contrast to the GDPR, private firms are not obliged to obtain consent or another justification for processing personal data, provided:
- The general data processing principles are observed, such as compliance with the information duties, the link to a specified purpose, proportionality, and the protection of personal data.
- No objections have been raised by the individual whose data is being processed.
- No highly sensitive personal data is disclosed to third parties.
Only the processing of especially sensitive personal data and the use of high-risk profiling necessitates obtaining the user’s explicit permission.
Do foreign companies also need to comply with the new law?
Does the new FADP follow the “effects doctrine” when it comes to its geographic scope of application? Yes. If you’re a foreign company operating in the Swiss market, or if your data processing affects the Swiss market, the GDPR applies to you as well.
Enterprises based abroad must appoint a representative in Switzerland if they regularly process a considerable amount of personal data in Switzerland in connection with offering products or services or with monitoring behavior, and if the processing represents a high risk for data subjects.
The FADP, on the other hand, mandates the appointment of a data protection officer for all Swiss enterprises that handle the personal data of EU citizens, regardless of the level of risk.
Which companies are at a higher risk of breaching the new FADP?
Among them are organizations that handle a large quantity of personal data or especially sensitive personal data, conduct profiling, manage webshops or make automated individual decisions, or transmit personal data abroad (outside the EU).
How much time will it take for business owners to implement the full overhaul of the FADP?
A company’s level of effort will depend on whether its operations are affected by the new provisions and how well it has already adapted. GDPR-compliant companies will need to make few or no changes. Companies that do business solely in Switzerland, on the other hand, should begin a gap analysis immediately.
Is it now mandatory for every business to have a data protection advisor on staff?
According to the GDPR, a data protection adviser is not mandatory, but appointing one has several advantages. This adviser serves as the primary point of contact for workers, customers, and government agencies on data protection matters. For high-risk data protection impact assessments, mandatory consultation of the FDPIC is not necessary if a data protection adviser is engaged.
Does every company now have to appoint or hire a data protection advisor?
Whether or not a corporation already has a legal department or a data protection officer who meets the requirements of the old FADP is a factor to consider. In the absence of that, we strongly recommend getting outside assistance.
What will a business have to do starting in 2022 to comply with the new data protection regulations?
- Review and update the privacy policies of online, promotional, and commercial agreements.
- Organize and revise internal procedures for data processing.
- Set up a system for recording data processing activities.
- Implement a mechanism that guarantees that data subject rights (e.g., requests for information or deletion) are handled promptly.
- When there is a data breach, notify the affected parties.
- If you are using new, high-risk processing technologies or processing highly sensitive data on a large scale, carry out a data protection impact assessment beforehand.
- Examine third-party contracts for data processing. A notification obligation should be included for data breaches and for transfers of data to subcontractors. The responsible party must also maintain data security.
- As soon as personal data is no longer needed, make sure it is deleted or anonymized.
- To guarantee that personal data is only disclosed to countries with adequate protection, specify which countries will receive the data. Storage on foreign systems (cloud) is likewise affected by this rule. A corresponding list is published by the Federal Council (previously by the FDPIC). Transfers to countries not on this list are not excluded outright, but they are subject to further conditions.
- Provide suitable technical and organizational safeguards to protect sensitive data. A breach of security should be prevented at all costs. The Federal Council has not yet determined the minimum requirements. Email encryption should be provided for sensitive personal data, since unencrypted transfer by email is unsafe.
- Ensure data portability when data is processed electronically, particularly where it directly relates to concluding or performing a contract, comparable to the GDPR.
- Notify the FDPIC of the appointment of a data protection adviser (data protection officer). The contact information of this adviser must be made public. The GDPR, on the other hand, makes it mandatory to notify the data protection officer.