Switzerland is of course famous for its picturesque mountains, delicious chocolate, and precision watches, but, lately, it has made quite some noise for another reason: the Revised Federal Act on Data Protection (“FADP”). The FAPD was first introduced in 1992 and has been updated several times to keep up with the ever-evolving digital landscape. Its latest is primarily a reaction to the adoption of the GDPR, with two objectives: transparency on data processing and the self-determination of the data subject.
Tik-tak tik-tak, the clock is ticking!
The Act is to enter into force on September 1st, 2023, so roughly eight months from now, and there will be no grace period, so it will be effective on the very first day. It is advised to be on time like a Swiss watch, so if if you haven’t already started to prepare, you better start thinking about it now!
Who will be impacted?
The revised FADP intends to protect the privacy of natural persons, about whom personal data is processed. This means that the data of legal persons, such as commercial organisations, associations, and foundations, is no included in the new Act, and on this point the scope of application of the revised legislation coincides with that of the GDPR.
It is noteworthy that businesses can continue to invoke the protection of privacy provided for under Art. 28 Swiss Civil Code, the protection of manufacturing and trade secrecy as set out under Art. 162.
Is the FADP stricter than the GDPR?
In some respects, the FADP can prove to set a higher level of obligations to its targeted audience than its European counterpart. This notably takes the form of additional information obligations and documentations having to be drafted up. We think for instance of the “Bearbeitungsreglement” or “processing rules” required by the Article 5 of the Act.
Another example is the possibility for the data subject to receive a “Bestreitungsvermerk” which is a notice of dispute, acknowledging a disagreement with the Processor on the way their data has been processed. This prerogative of the data subject has been designed as a mean for them to ensure proof of the existence of this conflict and therefore of their dissatisfaction and the fact that they expressed it at the time.
Our advice? Make sure to review your documentation as soon as possible. Indeed, much like the GDPR, the nFAPD does not discriminate and applies to all facts producing effects in Switzerland, even if they took place outside of the country’s territory.
New rights?
This revised version of the Act introduces two new rights to align itself with the GDPR, which are: the right to information on automated decision-making and the right to data portability (This right technically already existed in the previous version of the Act but it has been modified to correspond to its GDPR equivalent).
Out with the old, in with the new! What are the new rules under the swiss data prtoection act?
Cross-border transfers:
The cross-border transfers system is also heavily based on the GDPR. Any transfer of personal data from Switzerland abroad remains prohibited unless transfer is made to a country that provides an adequate level of protection of personal data, such as the EEA The list is already published In the absence of an adequacy decision by the Federal Council, the following transfer mechanisms are possible:
- International treaties
- Standard contractual clauses (SCCs) (more details hereafter)
- Binding corporate rules (BCRs) approved by the FDPIC (Federal Data Protection and Information Commissioner).
- A contract between the controller and the receiving party of which a copy must be communicated to the FDPIC.
The SCCs mentioned can be of different natures: they should either be the Swiss ones or be “pre-approved” by the Swiss Supervisory Authority, such as for example the European SCCs.
For the specific case of transfers to the USA, the current safeguards (? Which ones) will have to be applied for the time being, as Switzerland has chosen not to follow the upcoming EU-US Data Privacy Framework. It is expected that Switzerland will probably wait for this Framework to be applied by the EU and running smoothly before adopting it.
In addition to this, the previously known exceptions to allow for the transfer of personal data consent, fulfilment of a contract or legal obligation will remain applicable.
New duties:
many new duties have been imposed on companies and federal bodies to align the FADP to the GDPR. Those duties are very close to the ones set out in the European equivalent, among which:
- The duty of information,
- The duty to keep an inventory (equivalent to the GDPR’s ROPA))
- The duty to notify data security breaches, (or “ personal data breach” as named in the GDPR )
- Privacy by Default/Privacy by Design, (called “data protection by design” in the European Regulation )
- Necessity to carry out data protection impact assessments,
- The facultative duty to establish Codes of Conduct.
What happens to the DPO under FADP?
The designation of a DPO is not mandatory: it is voluntary but heartily recommended by the Act. Not only will it demonstrate your company’s good intentions and care for your data subjects’ privacy, but it will also bring a crucial gain in resources, time, and know-how!
In addition, though the designation of a DPO is not mandatory, the appointment of a representative in Switzerland is. At least, whenever an extensive, regular, and high-risk processing of personal data is involved, in the provision of goods or services to persons, in the country or when their behaviour is being monitored. This representative will then play the part of a contact point for the Supervisory Authority, the Federal Data Protection and Information Commissioner and the data subjects but it will not be fit to fulfil other tasks generally devolved to a DPO.
For these reasons, though the text does not explicitly say so, it is still more than advisable to elect a DPO who will be able to help your company with all privacy-related matters.
With new rules follow new sanctions.
Regarding its sanctions, the revised FADP presents a two-fold approach: an administrative enforcement on one hand and a criminal enforcement on the other.
Concerning the administrative side of the sanctions, the supervisory authority has now been given extended powers to act upon any violation of the text and issue binding decisions, for instance, beyond simply issuing recommendations as it used to, it can now demand for a particular activity to be stopped. However, no monetary fine has been set up.
For the criminal side of things, the revised FADP also introduces a new set of sanctions which are the violation of the information obligation, the data access request obligation or the duty of care, a breach of professional confidentiality or even a disregard of orders given by supervisory of the Swiss Courts of Appeal.
An interesting – and potentially painful – difference between the FADP and the GDPR is that whereas the latter focuses its sanctions solely on the companies that ignore their obligations, its Swiss equivalent chooses to also penalise responsible for failing to ensure an adequate level of data protection or for adhering to other information obligations set out under the rules.
However, this new sanction is slightly softened by the fact that it should only apply if the injured party files a criminal complaint, and that the existence of an intentional action (or “Vorsatz” element) is established.
Oh no: a data breach!
The definition of the data breach is very similar to the one laid out in the GDPR. Different from the GDPR, the Supervisory Authority only should be notified if the breach might induce a high risk for the personality rights of the data subjects.
The FADP and the GDPR are not twins though, and differences exist in the way the deal with a data breach. First, there is no definite deadline to realise such notification, the text using the cryptic expression that it should be done “as soon as possible”.
Second, the data subject only needs to get informed of the breach if this is necessary for their protection (for instance, if one of their passwords got hacked and they need to change it immediately) or if the Supervisory Authority specifically requests it (we do not know yet if this will be done through the publication of general guidelines or on a case-by-case basis).
What should be your next steps?
If you haven’t gotten started on your preparation for the Revised FADP, here is our recipe for you: adopt a GAP-analysis: analyse the current level of compliance of your organisation with the new FADP and compare it with the mandatory level of compliance. What needs to be improved?
Got it? Good. Now, let’s see what changes are priorities:
- The first thing to update is your use of SCCs or other instruments for data transfers as those will determine the level of protection of the personal data transferred.
- Ensure external compliance: privacy policies, data subject requests forms, information notices, etc. should be made available to the data subjects in priority. In particular, check that you are up to date with these new documentation requirements.
- Finish with the internal compliance: matters such as the permanent designation of a DPO can wait until you have the time to make a sensible decision.
- Start again at point 1 and keep improving.
For more information on this Act, please consult edoeb’s website.