Switzerland’s FADP: The Scope, 2023 Changes, and How to Comply

06.12.2023 twitter X safetica

Switzerland’s answer to the GDPR, the newly updated Federal Act on Data Protection (FADP), has been facelifted to suit the fast-paced world of ones and zeros we live in today. First introduced in 1992, this year, it has finally fully caught up to the challenges faced in a digital world.

What does that mean for you and your business? How has the FADP changed, and how is it different from EU’s GDPR?

The significance of the FADP for businesses

The FADP, Switzerland’s key data privacy regulation, has only gotten a couple of mild revisions since its inception in 1992—until now. The much more significant 2023 update echoes the importance of adapting to contemporary digital needs, complete with an unconventional system of consequences for data breaches.

For businesses venturing into Swiss territory, this means adhering to strict rules governing the processing of personal data. Much like the GDPR, the FADP mirrors the need to safeguard personal information. However, it upholds its unique principles tailored to Switzerland's distinct terrain.

In general, FADP grants individuals in Switzerland these basic rights over their personal data:

  • Right to information: Individuals have the right to know if their personal data is being processed, the purpose of processing, and who has access to it.
  • Right to access: Individuals can request access to their own personal data and details on how it's being used.
  • Right to rectification: Individuals have the right to request corrections or updates to inaccurate or incomplete personal data.
  • Right to erasure: Also known as the "right to be forgotten," individuals can request the deletion or removal of personal data when there is no compelling reason for its continued processing.
  • Right to object: Individuals can object to the processing of their personal data in certain situations, such as direct marketing.
  • Right to data portability: This right allows individuals to move, copy, or transfer personal data easily from one IT environment to another in a secure manner, without hindrance to usability.
  • Rights in Automated Decision-Making: Individuals have rights when decisions are made solely by automated means without human involvement.

The revised FADP introduces pivotal changes, emphasizing transparency, accountability, and responsibility for companies. For individuals, it promises enhanced data rights, ensuring control over the usage and retention of their personal information.

For companies already compliant with EU’s GDPR, the provisions in the new FADP won’t pose a huge problem. But it’s certainly a good idea to be aware of what’s new and how your company will need to adapt.

Exploring the key changes in the revised FADP

Let’s look at the key amendments to the FADP and understand the significance of these regulations for your business and the individuals whose data you handle.


Scope and application

There has been a pivotal change in the entities the FADP protects. Formerly safeguarding both the data of individuals and legal entities, it now exclusively shields the personal information of natural persons. By zeroing in on the protection of individual data, the new FADP ensures a more targeted approach to safeguarding personal information.

The revised FADP also broadens its scope to encompass the processing of personal data that “has an effect in Switzerland”, irrespective of the geographical location of the organization collecting the data. This extends to data processing activities conducted by foreign entities.


Privacy by Design and Default

The updated FADP puts a strong emphasis on Privacy by Design and Default, requiring that privacy protection measures be built into the design of products and services. It also mandates activating high-level security measures as the default setting, ensuring robust data protection from the get-go.


Recording data processing and notifying of breaches

Under the FADP, maintaining a record of processing activities is required, ensuring transparency about how data is processed. While certain exemptions exist for smaller businesses, the overall aim is to provide a comprehensive view of data processing practices.

Also, immediate notification to the Federal Data Protection and Information Commissioner is obligatory should a data security breach occur.


User consent and access requests

The FADP places an emphasis on ensuring that end users understand how their data is used and collected. When seeking consent, organizations must clearly communicate the rights and choices available to individuals.

It also streamlines subject access requests for individuals by removing the necessity for them to provide information regarding themselves. At any point, any individual can inquire about what information is gathered about them, why and how it is being used.


International data transfers and privacy assessments

Starting in September 2023, new stringent rules govern the transfer of data across borders, emphasizing the need for approval from the Swiss Federal Council. In addition, the revised FADP introduces Data Protection Impact Assessments (DPIAs) to assess high-risk processing, underscoring the crucial importance of privacy and security.


Profiling and sensitive data categories

The updated FADP requires explicit consent for high-risk profiling. It also broadens the scope of sensitive personal data, now including information related to administrative or criminal proceedings, sanctions, and social security measures. Genetic and biometric data are also under the umbrella of sensitive information.


Non-compliance fines

For non-compliance, responsible private individuals can face fines of up to CHF 250,000, whereas companies might face criminal liability and fines of up to CHF 50,000 if identifying responsible individuals involves disproportionate efforts.


Sanctions and penalties

And now the part that may raise some eyebrows: the new system of sanctions and penalties. Notably, responsible individuals in businesses—not the business itself, but the responsible person—may face fines of up to CHF 250,000 (approximately USD 270,000) for non-compliance.

In cases where identifying the responsible individuals within the organization poses disproportionate challenges, businesses may in fact face criminal liability instead. If this happens, entities can be fined up to CHF 50,000 (approximately USD 53,000), emphasizing the need for businesses to streamline accountability and clearly assign data protection roles.

How to comply with the new FADP

Now that you have a better understanding of the FADP and its recent changes, let’s talk about what you can do to ensure that your organization is compliant with its requirements. Start with these steps:

  1. Conduct a data audit: Start by assessing your data handling practices. Identify and document the types of personal and sensitive data collected, processed, and stored, along with the purposes for which they're used.
  2. Review and update privacy policies: Ensure that your privacy policies are clear, up-to-date, and aligned with the new FADP regulations. They should inform individuals about data usage, processing, and their rights regarding their information.
  3. Appoint a data protection officer: Though not mandatory, having a dedicated DPO can greatly assist in managing compliance, providing guidance, and acting as a liaison with the authorities.
  4. Implement data protection impact assessments: Evaluate the impact of high-risk data processing activities on individuals' privacy. This ensures proactive risk mitigation and compliance with the new law.
  5. Promptly address individual concerns: Be responsive to requests from individuals about their personal data, respecting their rights under the FADP.
  6. Stay informed: Keep updated with any further guidance or directives issued by the Swiss authorities for effective compliance.

Practical tips for adapting to updated FADP rules:

  • Education and training: Educate your employees on data security in general and the revised FADP's requirements and their roles in ensuring compliance specifically. Emphasize the importance of respecting individuals' privacy rights. Encourage a culture of privacy protection and respect within your organization.
  • Establish consent procedures: Develop clear procedures for obtaining and recording data subject consent. Ensure individuals understand what they are consenting to regarding data processing.
  • Enhance data security measures: Strengthen your data security protocols and ensure that these measures are activated by default, aligning with "Privacy by Design" and "Privacy by Default" principles.
  • Regular compliance checks: Conduct periodic reviews to your security systems and policies to ensure ongoing adherence to the FADP. If you discover any discrepancies or gaps, make prompt adjustments to your policies.

Comparing the FADP and GDPR

Both the FADP and EU’s GDPR prioritize data privacy, setting high standards for the collection, handling, and protection of personal information. They share the fundamental goals of safeguarding data privacy and upholding individual data rights. However, they don’t always align in how these principles are implemented. If that is the case, the new FADP is usually the stricter of the two.

These are the main differences between the updated FADP and the GDPR are:

  • Sanctions and penalties: Under FADP, responsible private individuals are subject to fines of up to CHF 250,000, while GDPR imposes penalties on organizations, potentially reaching 4% of their global annual revenue or 20 million euros.
  • Data protection officers: Unlike the GDPR, FADP doesn’t make the appointment of a Data Protection Officer mandatory, though it's highly recommended.
  • Data breach notifications: Both regulations mandate prompt notification to authorities in case of a data breach, ensuring transparency and swift action in case of a security incident. But unlike the GDPR that issues a 72-hour deadline on notifications, FADP doesn’t give an exact time limit, instead requesting that notification is given “without undue delay”.

How Safetica can help businesses comply with FADP

Safetica offers comprehensive data protection solutions that are designed to assist businesses in ensuring compliance with data protection regulations. With features covering data loss prevention, transparent data audits, and user activity monitoring, Safetica's software supports companies in adhering to the intricacies of data protection laws.

Whether it's maintaining a clear record of data processing activities, providing real-time security alerts, or preventing data leaks with data encryption and access controls, Safetica provides tools tailored to help businesses achieve and maintain compliance with the revised FADP. Our software is easy to use, easy to implement, and easy to understand.

We understand you may have hesitations; data protection is no joke. If you want the best solution for your organization, why not see what we can do for you on a demo call. What to expect from a demo call with Safetica?


Talk to us

Author
Petra Tatai Chaloupka
Cybersecurity Consultant

Next articles

Regulatory Compliance

SAMA’s Cyber Security Framework: The Scope, Purpose, and How to Comply

The Saudi Arabian Monetary Authority (SAMA) has introduced a Cyber Security Framework designed to fortify the nation's financial systems and critical industries against cyber threats. Throughout this guide, we'll explore the key components, while also providing tips and insights on how to achieve compliance with its requirements.
Read more
Regulatory Compliance

HITRUST framework: The Scope, Purpose, and How to Comply

This article will guide you through HITRUST's evolution, its current scope, and how it can be a game-changer for your organization's data protection strategy.
Read more
Regulatory Compliance

Understanding SOC 2: The Scope, Purpose, and How to Comply

Get started with your SOC 2 compliance efforts: what SOC 2 is, why it matters, and, most importantly, what steps you need to take if you want to get a SOC 2 report for your organization.
Read more