Switzerland: FDPIC's guidance on complying with revised FADP
The Federal Data Protection and Information Commissioner ('FDPIC') published, on 5 March 2021, a guide [1] ('the Guide') on the revised Federal Act on Data Protection 1992 ('the Revised FADP'), which was adopted on 25 September 2020 [2] and is set to replace the FADP that is currently in force [3]. The referendum period, which provided voters with an opportunity to express their views on the Revised FADP [4], ended on 14 January 2021 without the referendum right being used.
Currently, the Federal Administration is in the process of drafting ordinances for the Revised FADP. According to the FDPIC, the Revised FADP, together with the accompanying ordinances, is expected to come into force in the second half of 2022, with the Federal Council set to determine the date of their coming into force. In light of this, the FDPIC issued the Guide to assist private and public entities with the process of adapting their data processing operations to the new data protection requirements. This insight outlines some of the key points highlighted in the Guide, focusing in particular on the provisions that differ from the FADP currently in force.
Scope of the revised FADP
According to the Guide, and as provided for under Article 2 of the Revised FADP, the revised law only applies to processing activities involving personal data of natural persons, whereas the current FADP applies to processing activities involving personal data of both natural and legal persons. In this respect, the Guide emphasises that businesses' privacy can be protected via Article 28 of the Swiss Civil Code [5], and that manufacturing and trade secrets are protected under Article 162 of the Swiss Criminal Code [6]. In addition, the Guide notes that Article 5(c) of the Revised FADP extends the definition of sensitive personal data to encompass genetic and biometric data that unambiguously identifies a natural person.
New and extended requirements
As noted by the Guide, the Revised FADP includes some new requirements. These new requirements are aligned with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
Privacy by Design and by Default
The Revised FADP has introduced, in Article 7, a requirement to implement Privacy by Design and by Default. According to this requirement, which is also present in Article 25 of the GDPR, the data controller is responsible for taking, from the beginning of the processing operation, appropriate technical and organisational measures giving effect to the data protection principles and to the requirement of limiting the processing of data to what is required for the purpose behind the processing. In light of this, the Guide recommends that businesses take measures to adjust their processing activities and operate customer-friendly programs.
Data subject rights
As pointed out by the Guide, Article 25 of the Revised FADP provides for an extended list of information that the data subject can receive in respect of data processing, for instance the period for which the data is stored. In addition, Article 19 of the Revised FADP goes beyond the current law, which sets out transparency requirements only for processing that involves sensitive data or profiling, and provides for a more extensive duty for businesses to provide information and ensure transparency. The Guide also notes that this duty to provide information differs from the requirement under the GDPR, as it also encompasses an obligation to provide information on any third countries receiving the data, as well as the guarantees in place for such data transfers. In light of these obligations, the FDPIC recommends that businesses review their privacy policies and update them accordingly, and take steps to ensure that data processing occurs in a transparent manner.
Moreover, the Revised FADP introduces the right to data portability in Article 28, which means that the data subject should be able to receive their data in a commonly used and machine-readable format, or request that the data controller transmit it to a third party. This is aligned with Article 20 of the GDPR.
Codes of conduct and certification
The Guide highlights that Article 11 of the Revised FADP provides an incentive for professional, trade and business associations to develop their own codes of conduct and to submit them to the FDPIC for an opinion, noting however that adopting such codes does not absolve entities from responsibility for risks that are not addressed by the code. The Guide points out that codes of conduct present some advantages, as they have been approved by the FDPIC and mean that data controllers do not need to conduct their own Data Protection Impact Assessment ('DPIA') if they comply with a code of conduct that is based on a previous, and still relevant, DPIA.
The Guide also addresses the certification of systems and products by operators of data processing systems and by manufacturers. Certification is addressed in Article 13 of the Revised FADP. The Guide points out that certification enables businesses to evidence their compliance with Privacy by Default and to indicate that they have an adequate data protection management system in place. The Guide also notes that if a data controller which is a private entity deploys a certified system, product or service, it will not need to undertake a DPIA.
Data transfers are addressed under Articles 16-18 of the Revised FADP, with the FDPIC noting that the Federal Council will publish a list, compiled by the FDPIC, of the third countries that afford adequate guarantees for data protection according to the Federal Council's assessment. The Guide also notes that where a country does not appear on this list, other mechanisms can be used for the transfer, and that any Standard Contractual Clauses ('SCCs') approved by the European Commission will be recognised by the FDPIC. Comparing the Revised FADP with the GDPR, the Guide notes that the Revised FADP goes further than the GDPR by obliging entities to indicate the countries to which data is planned to be disclosed, the data protection guarantees that will be relied upon, and any exceptions that the data controller will rely upon, such as the consent of the data subject or a direct link between the transfer and the fulfilment of a contractual obligation.
Even though the Revised FADP is not yet in force, the FDPIC's comprehensive Guide on the revised law indicates that companies operating in Switzerland, or foreign companies whose operations have an effect in Switzerland (see Article 3 of the Revised FADP), will need to start taking steps to bring their operations into compliance with the Revised FADP requirements. According to the Guide, some key areas that companies need to focus on are data subject rights, Privacy by Design, and data transfers.
Suzanna Georgopoulou, Privacy Analyst
1. Available at: https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2021/revdsg.pdf.download.pdf/revDSG_EN.pdf
2. Available in German here, in French here, and in Italian here
3. Available at: https://www.fedlex.admin.ch/eli/cc/1993/1945_1945_1945/en
4. Available at: https://www.ch.ch/en/demokratie/political-rights/referendum/
5. Available at: https://www.fedlex.admin.ch/eli/cc/24/233_245_233/en
6. Available at: https://www.fedlex.admin.ch/eli/cc/54/757_781_799/en