The Ultimate Guide to Switzerland's Revised FDPA
In 2020, the Swiss Parliament passed a revised version of the Federal Act on Data Protection (Revised FDPA) that significantly overhauled the existing Federal Act on Data Protection (FDPA) in an effort to closely align data protection law in the country with the EU’s General Data Protection Regulation (GDPR).
The first Swiss federal data protection law was introduced in 1992, and 17 years later, in 2009, revisions were made to the original FDPA. A further ten years on, revisions to the FDPA were tabled and subsequently approved in 2020. The latest set of revisions to the FDPA represents the biggest overhaul of federal data protection law in the last three decades. They come alongside a range of revisions made to the Ordinance that implements the Revised FDPA.
The provisions of the newly revised FDPA will enter into effect in September 2023 following delays due to the Coronavirus pandemic. This guide aims to outline the new requirements you will need to meet and how they compare to the GDPR.
What is the Swiss Revised Federal Act on Data Protection?
The Revised FDPA is an amended version of the existing FDPA in Switzerland. Its aims are to closely mirror the requirements set out by the GDPR while enhancing the protection that Swiss data subjects have over their personal data.
The Revised FDPA adds to the existing FDPA in many areas – such as risk assessments, data transfers, and data security – and implements stricter requirements for businesses to adhere to. While monetary penalties are not as harsh as those found under the GDPR, they will still have a significant impact in the case of non-compliance.
Who does the Revised FDPA apply to?
The Revised FDPA outlines a personal, territorial, and material scope that details who the law applies to, where it applies, and what types of information it applies to.
The Revised FDPA applies to the processing of personal data by private persons and federal bodies that has an effect in Switzerland, regardless of whether the processing takes place in the country. A ‘controller’ is further defined as “a private person who or federal body which, alone or jointly with others, determines the purpose and the means of processing personal data”, whilst a ‘processor’ is “a private person or federal body that processes personal data on behalf of the controller.”
For clarity, ‘personal data’ is defined as “all information relating to an identified or identifiable natural person”, while ‘processing’ includes “any handling of personal data, irrespective of the means and the procedures used, in particular the collection, recording, storage, use, modification, disclosure, archiving, deletion or destruction of data.”
There are some exceptions to the Revised FDPA’s scope including personal data that is processed purely for personal use, personal data that is processed by the Federal Assembly and parliamentary committees, and personal data that is processed by institutional beneficiaries.
What are the processing principles found under the Revised FDPA?
Much like the GDPR, the Revised FDPA defines a set of common processing principles that all organizations should adhere to when processing personal data. These principles include:
- Lawfulness - Personal data must be processed lawfully.
- Proportionality - Processing must be carried out in good faith and must be proportionate.
- Purpose specification - Personal data may only be collected for a specific purpose which is evident to the data subject, and can only be further processed in a manner compatible with this purpose.
- Storage limitation - Personal data shall be destroyed or anonymized as soon as it is no longer needed.
- Accuracy - Anyone who processes personal data must ensure that the data is accurate.
- Transparency - If the consent of the data subject is required, it can only be deemed valid if it has been given freely and for one or several specific processing activities and after adequate information.
The Revised FDPA will grant data subjects further rights in addition to those already found under the existing FDPA. Under the Revised FDPA, data subjects will be afforded the right to data portability, and the right of access will be amended to outline the types of information that must be included when responding to an access request.
Under the Revised FDPA, data subjects will have the following rights:
- Right to access
- Right to rectification
- Right to erasure
- Right to object/restriction
- Right to data portability
- Right to request that automated decisions are reviewed by a natural person
Requirements for compliance with the Revised FDPA
Organizations covered by the Revised FDPA’s scope will need to ensure their compliance programs meet new and amended requirements set out by the law.
Organizations must collect valid consent from the data subject to conduct certain processing activities, including:
- Processing sensitive personal data
- High-risk profiling by a private person
- Profiling by a federal body
When consent is required, it is only considered valid if it is explicit and has been given freely and for one or several specified processing activities. Data subjects must have also been provided with adequate information relating to what they are consenting to. The controller must provide the data subject with information about the collection of personal data in a precise, transparent, understandable and easily accessible form.
Data Protection by Design and Default
Similar to the GDPR, the Revised FDPA requires organizations to ensure that data protection is considered throughout the design of new products and services. Controllers must develop the technical and organizational measures for implementing Data Protection by Design, and these measures must be appropriate in particular with regard to the state of the art, the type and extent of processing, as well as the risks that the processing presents. Data controllers must also adhere to the concept of Data Protection by Default by ensuring that pre-defined settings are set to ensure that only personal data necessary for the defined purpose is being processed.
Data protection officer appointment
Similar to the GDPR’s provisions on data protection officers, the Revised FDPA allows organizations to appoint a data protection officer. The data protection officer must act as the point of contact for data subjects and competent data protection authorities. The data protection officer will have the following duties:
- Train and advise the data controller on data protection-related matters
- Support compliance with data protection regulations
Data controllers can be exempt from the provisions relating to prior consultation with the FDPIC so long as the following requirements are satisfied:
- The data protection officer exercises their duties in a professionally independent manner and is not bound by any instructions
- They do not carry out any activities that are incompatible with their tasks as a data protection officer
- They have the required expertise
- The data controller publishes the contact details of the data protection officer and notifies the FDPIC with this information
Records of processing activities
The Revised FDPA contains requirements for data controllers and data processors to keep a record of their processing activities.
Data controllers must document the following information:
- Their identity
- The purposes of the processing
- A description of data subjects and the categories of the processed personal data
- The categories of any third parties
- The period that personal data will be stored, where applicable
- A general description of data security measures implemented
- Details of international data flows
Additionally, data processors must document further information including:
- Information relating to the data processor and the data controller
- The types of processing activities performed on behalf of the data controller
There is an exception to the record-keeping requirements for companies with fewer than 250 employees and whose processing presents a low risk to data subjects, unless:
- Personal data that is particularly worthy of protection is processed on a large scale
- High-risk profiling is performed
Much like the GDPR, the Revised FDPA sets out specific conditions for the lawful transfer of personal data. These include:
- Adequacy decision adopted by the Swiss Federal Council
- Where the transfer is necessary for the performance of a contract between the data subject and the controller
- International treaty
- Standard data protection clauses
- Binding Corporate Rules (BCRs)
Data protection impact assessments
In the scenario where an organization’s processing activities may present a high risk to the data subject, the data controller must conduct a data protection impact assessment (DPIA). Under the Revised FDPA, a DPIA should include:
- A description of the processing activity
- An evaluation of the potential risk to the data subject
- Measures implemented to protect the data subject
If the data controller performs several similar processing activities, it may establish a joint DPIA. Regarding the documentation of a DPIA, Article 14 of the Revised Ordinance states that the person responsible must keep the DPIA for at least two years after the end of the data processing.
Data breach notification
The Revised FDPA contains data breach notification requirements for data controllers to follow when personal data is subject to unauthorized access.
Organizations must adopt adequate technical and organizational measures that appropriately address the risk in order to ensure the security of personal data. The Revised FDPA highlights that these security measures must assist in the prevention of data security breaches.
In cases where a data breach has been established, the data controller must notify the FDPIC as soon as possible and include information related to the nature of the data breach, its impact, and the mitigation or recovery measures taken. Similarly, data processors must notify the data controller of a data breach as soon as possible. Data controllers shall inform the data subject if this is required for their protection or if the FDPIC so requests.
Enforcement and penalties
The Federal Data Protection and Information Commissioner (FDPIC) will oversee the enforcement and application of the Revised FDPA.
Under the Revised FDPA, private persons can be liable for monetary penalties of up to CHF 250,000 for violations including failing to ensure there are sufficient safeguards for international data transfers or failing to comply with minimum data security requirements.