Switzerland: Entry into force of the revised FADP in September 2023 - what you need to know
For several years, the Federal Act on Data Protection 1992 ('FADP') and the Ordinance to the Federal Act on Data Protection ('the Ordinance') have been under revision. On 25 September 2020, the Federal Parliament eventually adopted the revised Federal Act on Data Protection 1992 ('the Revised FADP'). However, uncertainties remained, since the content of the Ordinance was for a long time unclear. Finally, on 31 August 2022, the Federal Council adopted the text of the revised ordinance ('the Revised Ordinance') and announced that the Revised FADP and the Revised Ordinance will enter into force on 1 September 2023.¹
Johanna Moesch, Associate at Baker & McKenzie Zurich, covers the changes introduced by the Revised FADP and the Revised Ordinance, as well as similarities and differences with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
In Switzerland, there are cantonal as well as federal data protection laws. Each canton has its own data protection laws, while on the federal level data processing is governed by the FADP and the Ordinance. The cantonal data protection laws apply to data processing by cantonal and communal bodies, while the FADP and the Ordinance apply to data processing by private persons and federal bodies (the term 'private persons' includes individuals as well as legal entities). While certain cantons have had specific data protection laws in place since the late 1970s, the first specific federal law protecting personal data, which is the still current FADP with the Ordinance, entered into force on 1 July 1993.
In addition, on the cantonal as well as on the federal level, certain laws (in particular health laws) sometimes contain data protection provisions that are stricter than, or different from, those in the data protection laws. Where this is the case, the applicable data protection law (either the cantonal or the federal one) still applies, but these stricter or different provisions override the corresponding, more general data processing provisions.
The Revised FADP aims to ensure compatibility with European law and introduces significant changes compared to the current FADP. Therefore, it may be considered 'GDPR-like' legislation. For Switzerland as a business location and to maintain its international competitiveness, it is crucial that Switzerland continues to be recognised by the EU as a country with an adequate level of data protection, so that cross-border data transfers remain possible in the future without additional requirements. Note that the EU has recognised Switzerland's level of data protection as adequate since 2000, but that this recognition is currently under review.
The newly introduced changes mainly concern governance obligations, but also impose new and, in particular, higher fines. Below is an overview of the relevant changes introduced by the Revised FADP and the Revised Ordinance.
Changes introduced by the Revised FADP and the Revised Ordinance
New governance obligations
Much like the GDPR, the Revised FADP and the Revised Ordinance now provide for specific governance obligations:
- Controllers or processors that have more than 250 employees, or that process personal data in a manner that poses risks to the personality rights of the data subjects concerned, must maintain a register of their processing activities (Article 12 of the Revised FADP and Article 24 of the Revised Ordinance, comparable to the register of processing activities under the GDPR).
- Controllers have a duty to report data security breaches to the Federal Data Protection and Information Commissioner ('FDPIC'), while processors have a corresponding duty to inform the controller (Article 24 of the Revised FADP and Article 15 of the Revised Ordinance). Note that the threshold for security breaches which need to be notified under the GDPR is lower than the one under the Revised FADP.
- Controllers have a duty to inform the data subjects concerned by a data security breach if the FDPIC so requires, or where such information is necessary for the data subjects' protection and no exception from the information obligation applies (Article 24 of the Revised FADP).
- Controllers have, under certain circumstances, an obligation to carry out Data Protection Impact Assessments ('DPIAs') (comparable to the DPIA under the GDPR; Article 22 of the Revised FADP and Article 14 of the Revised Ordinance).
- According to Article 4 of the Revised Ordinance, controllers and processors have an obligation to keep specific records (Protokollierung) under certain circumstances.
- According to Article 5 of the Revised Ordinance, controllers and processors have an obligation to provide a processing policy (Bearbeitungsreglement) under certain circumstances.
- A specific information obligation of the controller has been introduced in the case of automated individual decisions (Article 21 of the Revised FADP); this is slightly less strict than the corresponding GDPR provision on automated decision-making, which also applies to profiling.
Further newly introduced similarities to the GDPR
- The Revised FADP now explicitly provides for an extraterritorial scope (Article 3).
- Foreign companies that act as controllers and process personal data of data subjects in Switzerland on a large scale must provide for a representative in Switzerland (Article 14 of the Revised FADP).
- Under the Revised FADP, a processor may only transfer personal data to a sub-processor with the prior consent of the controller. The Revised Ordinance clarifies that it is sufficient if the controller has a right to object (Article 9 of the Revised FADP, Article 7 of the Revised Ordinance, and Article 28 of the GDPR; processing agreements can be used under the Revised FADP with only minor amendments).
- The Revised FADP no longer protects the data of legal persons, but only the data of natural persons; in this respect, there is further alignment with the GDPR, which also protects the data of natural persons only.
Amendments compared to the current FADP
- The safeguards to ensure an appropriate level of data protection where personal data is transferred to countries with a lower data protection level than Switzerland have been slightly amended (Articles 16, 17, and 18 of the Revised FADP, as well as Article 8 et seq. of the Revised Ordinance; note, however, that these are not identical to the safeguards as set out in the GDPR).
- In addition, unlike under the current FADP, controllers must inform data subjects of any data processing (general notification obligation) - i.e. not only if sensitive data is being processed (Article 19 of the Revised FADP and Article 13 of the Revised Ordinance). There are certain exceptions from this information obligation (Article 20 of the Revised FADP). These exceptions, as well as the content of the information that must be provided, are not identical to the ones under the GDPR.
- The rights of data subjects are somewhat broader (Article 25 et seq. of the Revised FADP and Article 16 et seq. of the Revised Ordinance), and again they are not entirely identical to those under the GDPR.
- The FDPIC is given additional and more extensive powers under the Revised FADP: it can now issue processing bans and other rulings, and may also conduct investigations (Article 49 et seq. of the Revised FADP). Nevertheless, the FDPIC has less power than the supervisory authorities under the GDPR.
- The professional duty of confidentiality contained in the FADP, which punishes anyone who intentionally discloses secret personal data that they become aware of in the course of their professional activities, has been extended (Article 62 of the Revised FADP). Note that this is a Swiss specialty.
Main differences to the GDPR
- The basic principles of the Swiss data protection laws will not change; accordingly, even under the Revised FADP, the processing of personal data is generally permissible and does not require a legal basis (such as consent), unlike under the GDPR, where all data processing requires a legal basis.
- There is no requirement to appoint a data protection officer ('DPO') (Article 10 of the Revised FADP and Article 23 of the Revised Ordinance). This differs from the GDPR, under which, at least in certain circumstances, a DPO must be appointed.
- Penalty provisions have been adapted under the Revised FADP, and the fines have been increased rather steeply from CHF 10,000 (approx. €9,980) to a maximum of CHF 250,000 (approx. €249,460). By comparison, under the GDPR the maximum fine is €20 million or, in the case of a company, up to 4% of its total worldwide annual turnover of the preceding business year, whichever is higher. Unlike under the GDPR, fines under the Revised FADP continue to target the responsible employees - and not the company itself.
Transitional provisions and required actions
The Revised FADP does not set out any meaningful transitional provisions, which means that any controller or processor to whose data processing the Revised FADP applies must be compliant with the Revised FADP and the Revised Ordinance as of 1 September 2023.
Controllers and processors that are compliant with the GDPR are in a good position and need only make small adjustments in order to meet the new requirements of the Revised FADP and the Revised Ordinance.
However, controllers or processors that meet the requirements of the current FADP only are advised - particularly in view of the newly introduced governance obligations and the new, higher fines in case of non-compliance - to promptly familiarise themselves with the Revised FADP and the Revised Ordinance, and to undertake a compliance exercise in a timely manner in order to ensure that the new obligations will be observed.
Johanna Moesch, Associate
Baker & McKenzie Zurich
1. See at: https://www.admin.ch/gov/de/start/dokumentation/medienmitteilungen.msg-id-90134.html (only available in German, French, and Italian)