Switzerland

Summary

Law: Federal Act on Data Protection 1992 ('FADP')

Regulator: Federal Data Protection and Information Commissioner ('FDPIC')

Summary: A revised version of the FADP was adopted on 25 September 2020 (only available in German, French, and Italian), and it broadly seeks alignment with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The revised FADP, alongside the final ordinance on data protection and an ordinance on data protection certifications, entered into force on 1 September 2023, which constituted a one-year transition period for organisations to ensure compliance.

Beyond general data protection regulation, the financial sector in Switzerland is of special interest, as it is subject to different layers of regulation, including data protection laws. Switzerland has also been recognised by the EU as providing adequate protection of data, and has a data transfer agreement with the US in the form of the Swiss-US Privacy Shield. However, the FDPIC recently noted that the Swiss-US Privacy Shield does not guarantee adequate protection for transfers of data to the US.

Furthermore, following the adoption of new Standard Contractual Clauses ('SCCs') for international data transfers by the European Commission in June 2021, the FDPIC announced, on 27 August 2021, that the EU's SCCs could be used for transfers under Swiss law, subject to certain necessary adaptations and amendments.

Insights

For several years, the Federal Act on Data Protection 1992 ('FADP') and the Ordinance to the Federal Act on Data Protection ('the Ordinance') have been under revision. On 25 September 2020, the Federal Parliament eventually adopted the revised Federal Act on Data Protection 1992 ('the Revised FADP'). However, uncertainties remained, since the content of the Ordinance was unclear for a long time. Finally, on 31 August 2022, the Federal Council adopted the text of the revised ordinance ('the Revised Ordinance') and announced that the Revised FADP and the Revised Ordinance will enter into force on 1 September 2023 [1].

Johanna Moesch, Associate at Baker & McKenzie Zurich, covers the changes introduced by the Revised FADP and the Revised Ordinance, as well as similarities and differences with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

The Federal Data Protection and Information Commissioner ('FDPIC') published, on 5 March 2021, a guide [1] ('the Guide') on the revised Federal Act on Data Protection 1992 ('the Revised FADP') which was adopted on 25 September 2020 [2] and is set to replace the FADP that is currently in force [3]. The referendum period, which provided voters with an opportunity to express their views on the Revised FADP [4], ended on 14 January 2021 without the referendum right being used.