Data Protection Regulations in Switzerland

The New Swiss Data Protection Law

The Swiss Federal Act on Data Protection (FADP) was comprehensively revised and the new version entered into force in September 2023. The main objective of this revision is to align Switzerland’s data protection framework with the EU General Data Protection Regulation (GDPR). This alignment ensures that Switzerland continues to be recognized by the EU as a country with an adequate level of data protection, allowing for the unrestricted flow of personal data between the EU and Switzerland.

Below is an overview of the key changes introduced by the revised FADP and their implications:

Key Regulatory Changes in the Revised FADP
  • Equivalent Level of Protection Required
    Switzerland must guarantee at least the same level of data protection as under the GDPR to maintain EU adequacy status.
  • No Regulation of Data of Deceased Persons (Art. 16 FADP)
    Unlike the previous version, the revised law no longer covers data of deceased individuals.
  • Active Duty to Inform (Art. 17, 54 para. 1b FADP)
    Companies now have a proactive duty to inform data subjects, based on a broad general clause.
  • Data Protection Advisor (Art. 9 FADP)
    Organizations may appoint a Data Protection Advisor (similar to a DPO under the GDPR), who supports internal compliance and acts as a point of contact.
  • Codes of Conduct (Art. 10 FADP)
    Industry-specific codes of conduct can be submitted to the Federal Data Protection and Information Commissioner (FDPIC) for review.
  • Record of Processing Activities (Art. 11 FADP)
    Companies must maintain a register of data processing activities. SMEs with fewer than 250 employees are exempt; this applies to ~99% of all Swiss companies.
  • Representation for Foreign Controllers (Art. 12a FADP)
    Foreign companies processing data of persons in Switzerland must appoint a Swiss-based representative.
  • Cross-Border Data Transfers (Art. 13 ff. FADP)
    Data transfers abroad are only permitted if the recipient country offers an adequate level of protection or safeguards are in place.
  • Automated Individual Decision-Making (Art. 19 FADP)
    Data subjects have the right to object to fully automated decisions that produce legal effects.
  • Data Protection Impact Assessment (DPIA) (Art. 20 ff. FADP)
    A DPIA is required where processing may result in a high risk to the privacy of individuals.
  • Mandatory Breach Notification (Art. 22 FADP)
    Data breaches must be reported to the FDPIC as soon as possible.
  • Data Portability Right (Art. 25 ff. FADP)
    Data subjects have the right to receive their personal data in a commonly used format.
  • Enforceable Legal Claims (Art. 28 FADP)
    Individuals can assert claims related to their data rights before civil courts.
  • Processing by Federal Bodies (Art. 30 ff. FADP)
    Special provisions apply to federal institutions processing personal data.
  • Role and Powers of the FDPIC (Art. 39 ff. FADP)
    The FDPIC now has enhanced powers, including investigative and advisory responsibilities.
  • Administrative Assistance (Art. 48 f. FADP)
    Establishes procedures for cooperation with foreign authorities.
  • Criminal Provisions (Art. 54 ff. FADP)
    Violations can result in fines of up to CHF 250,000, particularly for individuals responsible for willful misconduct.
  • Final Provisions (Art. 62 ff. FADP)
    Transitional arrangements and clarifications for entry into force.