Implications of new Swiss Federal Act on Data Protection

The revised Swiss Federal Act on Data Protection (revFADP) went into effect on September 1, 2023, marking a significant modernization of Switzerland’s data protection regulations, which was last revised in 1992.

Notably, these revisions align Swiss data protection laws more closely with the provisions of the General Data Protection Regulation (GDPR).

This alignment introduces more rigorous requirements for foreign companies conducting business in Switzerland, including the mandatory appointment of a Swiss representative.

Furthermore, there is an increased focus on data subject rights and the introduction of new requirements for reporting data breaches, all of which necessitate readiness from organizations.

What are the main changes?

The revFADP introduces the following major changes for businesses:

1. Only data of natural persons are now covered, excluding those of legal persons.
2. Genetic and biometric data are now categorized as sensitive data.
3. The principles of “Privacy by Design” and “Privacy by Default” are introduced.
4. Keeping a register of processing activities is now mandatory. However, exemptions are granted to SMEs engaging in data processing with limited risk of harm to data subjects.
5. Prompt notification to the Federal Data Protection and Information Commissioner (FDPIC) is required in the event of a data breach.
6. The legal framework now encompasses the concept of profiling, referring to the automated processing of personal data.

Appointment of a Swiss Representative

A notable change for organizations subjected to the RevFADP’s expanded scope is the new obligation to designate a representative in Switzerland. This requirement arises when an organization lacking a corporate presence in Switzerland, processes personal data of Swiss individuals linked to:

1. Offering goods and/or services to those individuals or monitoring their behaviors.
2. Carrying out data processing on a large scale, in a regular manner, and posing a high risk to data subjects.

Compared to the GDPR, the necessity to appoint a Swiss representative has some noteworthy distinctions:

• The type of organizational structure required to be considered a local controller. Specifically the distinction between a corporate seat under the RevFADP and establishment under the GDPR. The RevFADP mandates a corporate seat, whereas the GDPR allows for a broader range of stable arrangements, such as branches or offices, without the necessity of incorporation.
• Under the RevFADP, the criteria for determining data processing on a large scale regularly and posing a high risk serve as qualifying factors. In contrast, the GDPR approaches these criteria differently, formulating them as exemptions.

Expansion of Territorial Scope

The RevFADP significantly broadens the scope of Swiss data protection regulations, mirroring the GDPR’s principles to ensure that companies globally bear responsibility for safeguarding the personal data of Swiss individuals.

Notably, the RevFADP extends its reach beyond the GDPR in that it applies to activities having an impact in Switzerland, even if initiated from abroad.

This means that the Swiss supervisory authority, the Federal Data Protection and Information Commissioner (FDPIC), can enforce the RevFADP for any activity affecting Switzerland, regardless of its origin.

In practical terms, organizations offering goods or services to Swiss individuals or monitoring their behavior must now adhere to RevFADP requirements, and organizations storing personal data on servers within Switzerland fall under this new Swiss data protection law.

Role of the Representative

The role of the Swiss representative has evolved from the GDPR functioning as a local, accessible point of contact for Swiss data subjects and the FDPIC.

The RevFADP requires controllers to publicly disclose the name and address of their designated representative, enabling data subjects to exercise their rights through the representative.

The representative must assist data subjects in understanding how to exercise their rights and facilitate communication of such requests to controllers outside of Switzerland to preserve these rights for Swiss individuals.

Consequently, the representative must be a company established in Switzerland or an individual residing there. Therefore, post-box solutions will not suffice.

The representative is also responsible for maintaining the controller’s record of processing activities, which must be made available to the supervisory authority upon request.

New Provisions for Data Breaches

New data breach notification requirements mandate that controllers promptly inform the FDPIC when a breach is likely to result in a high risk to data subjects’ personal rights.

While the RevFADP lacks specific guidance regarding the timing of such notifications, as per the GDPR 72-hour timeframe, controllers must also notify affected individuals if necessary for their protection, enabling them to mitigate the breach’s impact.

Fines for Non-Compliance

The RevFADP does not introduce civil penalties for non-compliant organizations. Instead, individuals representing private controllers may face criminal sanctions for intentional violations of the revised Swiss law, including fines of up to CHF 250,000.

These fines are likely to target C-level executives and individuals responsible for an organization’s data protection program, such as Data Protection Officers (DPOs) for:

• Providing false or incomplete information at the point personal data is collected, in respect of automated decision-making and breach of privacy notice obligations
• Providing false information and/or failing to cooperate with the FDPIC investigation or to provide the FDPIC with the requisite information
• Disclosing personal data outside of Swiss borders in violation of the provisions on cross-border transfers and willfully failing to meet the requirements of Article 9 regarding the appointment of data processors
• Violating professional duty of confidentiality in respect of personal data
• Failing to comply with an order of the FDPIC

In cases where it is challenging to determine the individuals accountable for such failures or deliberate violations of the RevFADP, the organization itself could be subject to fines.

It’s important to note that fines for private controllers in such situations will be capped at a maximum of CHF 50,000.

In Conclusion

The implementation of the revised Swiss Federal Act on Data Protection (RevFADP) on September 1, 2023, marks a significant stride towards modernizing Switzerland’s approach to data privacy.

The RevFADP aligns Swiss data protection regulations more closely with the robust General Data Protection Regulation (GDPR) framework, underscoring the country’s commitment to safeguarding personal data in a rapidly evolving digital landscape.

Overall, the RevFADP reflects Switzerland’s commitment to aligning with global standards for data protection and privacy.

It presents both challenges and opportunities for organizations operating within Switzerland, requiring a proactive approach to compliance and data security in an era where data protection is paramount.