In September 2020, Parliament passed the new Federal Act on Data Protection (nFADP) to comply with the European Union’s (EU) General Data Protection Regulation (GDPR). The nFADP will improve the handling of personal data and grant new rights to Swiss citizens. The nFADP will come into force on 1 September 2023 and will be similar to the GDPR in terms of principles and definitions. It applies uniformly throughout Switzerland, with no variation from canton to canton.
If you are a company that has already complied with the EU General Data Protection Regulation, you will have little to change.
Switzerland adapts to the GDPR with the nFADP to ensure data security and business competitiveness
As a third country in relation to the EU, Switzerland must regularly update its law to remain compliant with the GDPR and to maintain smooth data exchange with EU member countries.
Switzerland experienced a delay in the entry into force of its new data protection law due to the need to draft an implementing ordinance, which took longer than expected. However, Switzerland managed to publish the final version of this ordinance more than a year ago, allowing for a date of entry into force of the law for 1 September 2023.
This new law is essential to guarantee the Swiss population adequate protection of their data, taking into account technological and social developments such as the use of the Internet, smartphones, social networks, the Cloud or the Internet of Things. The compatibility of Swiss law with the GDPR is also a key issue to maintain the free flow of data with the EU and to avoid a loss of competitiveness for Swiss companies.
The amended FADP strengthens data protection in Switzerland
The FADP has therefore recently been amended to meet the new challenges of personal data protection and to be compatible with European standards. This revision includes several significant changes that strengthen the rights of data subjects and the obligations of companies.
The New Federal Act on Data Protection concerns all companies that process personal and sensitive data in the course of their business. It imposes strict obligations on companies with regard to consent, transparency, security and confidentiality of data.
With the advent of the law, the Federal Data Protection and Information Commissioner (FDPIC), the supervisory authority in Switzerland, has been given greater powers to make decisions. The Commissioner will be able to order a company to suspend the processing of personal data and will have the possibility of imposing criminal sanctions. Companies must therefore comply with these new rules in order to avoid sanctions and fines and to ensure optimal data protection.
The 8 major changes brought about by the revision of the FADP
According to information available on the Federal Council website, the new Swiss data protection law will introduce eight major changes for companies:
- The law only applies to the data of natural persons, not of companies or other legal entities.
- Genetic and biometric data are considered sensitive data.
- There are two new measures for developers: (a) “Privacy by Design”: developers must include privacy safeguards in the design of their products or services that collect personal data. (b) “Privacy by Default”: products and services must be configured to protect users’ data and privacy from the outset.
- If the information collected may pose a high risk to the rights of the data subjects, an impact assessment must be carried out.
- Before any personal information is collected, data subjects must be informed (and give their consent).
- Businesses must keep a register of their data processing activities. Small businesses that present a low risk to the privacy of data subjects may be exempted.
- In the event of a data security breach, companies must promptly inform the Federal Data Protection and Information Commissioner (FDPIC).
- Profiling (i.e. the automated processing of personal data) is now included in the law.
Other less important changes include the appointment of a Data Protection Officer (DPO), which becomes mandatory for companies with more than 250 employees, and is recommended for companies with more than 200 employees.
DPIA, the Data Protection Impact Assessment
When the processing of personal data is likely to affect the rights and freedoms of data subjects, a data protection impact assessment (DPIA) is mandatory. This analysis is required in two situations: if the processing is included in the list of types of operations for which the Commission Nationale de l’Informatique et des Libertés (CNIL) has deemed it necessary to carry out a DPIA, or if the processing meets at least two of the nine criteria set out in the guidelines of the Article 29 Working Party (Groupe de travail Article 29, G29).
The CNIL is an independent French administrative authority that supervises compliance with personal data law, and whose guidance Swiss companies can rely on to determine whether an impact assessment is necessary. The criteria set out in the G29 guidelines are as follows:
- Evaluation or scoring,
- Automatic decision with legal effect,
- Systematic monitoring,
- Collection of sensitive or highly personal data,
- Large-scale data collection,
- Cross-referencing of data,
- Processing of data of vulnerable persons,
- Innovative use of technology,
- Exclusion from a right or contract.
DPIA: when is it mandatory?
If you are a marketer and you collect geolocation data on a national scale for advertising purposes, this processing meets the criteria of large-scale collection and collection of sensitive data. An impact assessment is therefore necessary.
There are other cases in which data processing requires a DPIA; it is important to be aware of them.
nFADP, consequences and risks of non-compliance
Swiss companies must comply with the nFADP to avoid the consequences and risks of non-compliance.
With the strengthening of the Commissioner’s competences, the Commissioner will now be able to:
- Conduct investigations,
- Require access to internal information,
- Conduct audits and impose the modification or deletion of data in case of a breach.
Although this power is less than that of the EU, it is important to note that non-compliance with the law can result in criminal and administrative sanctions.
Swiss courts can impose criminal fines of up to CHF 250,000 on an individual for an intentional breach of the data protection law. Companies must therefore comply to avoid these criminal and administrative sanctions, which are imposed on individuals rather than on the company. This means that managers can be held personally liable before the judge.
Finally, it is crucial that companies make their management aware of this legal obligation. By complying with the Swiss data protection law, companies can protect their customers and their reputation, while avoiding the negative consequences of non-compliance.
How can compliance with the FADP be maintained in the long term?
To ensure long-term compliance after the nFADP comes into force, it is important to assess the current situation and put a compliance plan in place. Here are some compliance issues to consider:
- Decide whether you need a data protection officer (DPO) to help you, depending on the size and nature of your business.
- Make a list of all the data processing you do, but note that some exceptions apply for small businesses or those that do not process sensitive data.
- Add active opt-ins or set up double opt-ins for newsletter sign-ups.
- Add opt-outs in the body of your emails.
- Make sure your suppliers’ and employees’ contracts contain data protection clauses.
- Train your employees on data protection rules and ensure that they comply with these rules.
- Apply data protection principles by design and by default to any new project or data processing (Privacy by Design, Privacy by Default).
- Be prepared to respond to requests from individuals exercising their rights (right to be forgotten, erasure, objection, etc.).
- Assess the risks associated with high-risk data processing and transfers and carry out impact assessments if necessary.
- Ensure the security of all personal data by respecting data confidentiality, integrity and availability.
- Prepare for data security breaches and establish a crisis management plan.
Once you have identified the most important compliance issues, it is essential to have a plan in place to implement them.
However, it is important to continue to comply with the regulations in the long term and to monitor developments regularly. This can be done by a data protection expert or a dedicated team within your company. By following these steps, you can ensure that your company is compliant with data protection regulations and avoid sanctions.
nFADP, its impact on the Marketing department
Marketing teams are directly impacted by the new version of the Swiss Federal Act on Data Protection, which has brought about major changes for Swiss consumers with regard to the protection of their personal data. Inspired by the European Union’s General Data Protection Regulation (GDPR), the new version of the FADP imposes stricter rules on companies regarding direct marketing, digital consent, the right to be forgotten, etc.
These measures aim to ensure a higher level of protection for users’ personal data, giving them more control over its use and processing. Companies must therefore comply with these new rules in order to avoid sanctions and preserve the trust of their customers.
Companies must now obtain the free and informed consent of consumers before soliciting them with commercial offers. Consumers must give their explicit permission for their personal data to be used for direct marketing purposes.
Right to be forgotten
In order to build trust between businesses and Swiss consumers, it is essential to respect their privacy. For example, companies are obliged to respond positively to consumers’ requests for the deletion of their personal data, except in cases where such data is necessary for the performance of a contract or is mandatory in a specific sector. This shows consumers that their personal data is treated with respect and helps to build mutual trust.
Although these new rules can be complicated for businesses to implement, they are necessary to protect consumers’ privacy and give them more control over their personal data.
By complying with these rules, companies can build consumer trust and improve their relationship with consumers. In addition, it can become a real competitive advantage that your marketing teams can communicate to differentiate themselves from those who would take the risk of not complying with the law.
The new federal law on data protection in Switzerland will come into force on 1 September 2023 to comply with the EU’s GDPR. This new law aims to improve the processing of personal data and grant new rights to Swiss citizens. It expands the notion of sensitive personal data and strengthens the rights of data subjects. Companies must comply with these new rules to avoid sanctions and fines, while developing good practices and codes of conduct to ensure optimal data protection. The eight major changes in the nFADP for businesses concern consent, transparency, security and data privacy. In sum, the amended nFADP strengthens the protection of personal data in Switzerland and ensures the competitiveness of businesses in an environment where data protection has become a major concern for consumers.