Switzerland
Summary
Law: Federal Act on Data Protection 2020 ('FADP') (only available in German here, in French here, and in Italian here)
Regulator: Federal Data Protection and Information Commissioner ('FDPIC')
Summary: The revised version of the FADP was adopted on September 25, 2020 and broadly seeks alignment with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The FADP entered into force on 1 September 2023, which constituted a one-year transition period for organisations to ensure compliance.
Further to the above, the revised version of the Ordinance on the Federal Act on Data Protection (available in French here, in German here, and in Italian here) ('FODP') puts certain aspects of the revised FADP into more concrete terms. For example, it sets out the specifics of data security requirements, and the modalities of data breach notices as well as of the right of access and the right to data portability.
Beyond general data protection regulation, the financial sector in Switzerland presents special interest as it is subject to different layers of regulation including data protection laws. Switzerland has also been recognised by the EU as providing adequate protection of data, and has a data transfer agreement with the US in the form of the Swiss-US Privacy Shield. However, the FDPIC recently noted that the Swiss-US Privacy Shield does not guarantee adequate protection for transfers of data to the US.
Furthermore, following the adoption of new Standard Contractual Clauses ('SCCs') for international data transfers by the European Commission in June 2021, the FDPIC announced, on 27 August 2021, that the EU's SCCs could be used for transfers under Swiss law, subject to certain necessary adaptations and amendments.