The new Swiss Data Protection Act (FADP)

by Martha Wanat
19 min read
10/14/24 9:39 AM

The new Federal Act on Data Protection in Switzerland (FADP) came into force in September 2023. It was adopted on 25 September 2020 and replaced the previous law from 1992, as the advanced digitalization of everyday life and the increasing use of technology since then made it necessary to revise and update it.

The revised DPA focuses on data protection at the individual level, i.e. on the personal data of natural persons. This shift underlines the aim of strengthening data protection on a personal basis and safeguarding individual rights and privacy more comprehensively.

In addition, the FADP is aligned with EU law, the General Data Protection Regulation (GDPR), so that the free movement of data with the European Union can be maintained and Swiss companies do not lose competitiveness. Among other things, the Swiss Data Protection Act now requires an up-to-date privacy policy and consent in certain cases. We go into this in more detail below.


 

I. What does the DPA contain? An introductory overview

The DPA applies to personal data in both physical and electronic form. It protects natural persons against the unlawful or excessive collection and use of their personal data, irrespective of their nationality, wherever the processing has an effect in Switzerland (Art. 3). The Federal Data Protection and Information Commissioner (FDPIC) supervises compliance with the Federal Act on Data Protection (FADP) by companies and organizations.

If you have users from Switzerland, you are obliged to comply with the new Swiss Data Protection Act. However, the good news is that if you already comply with the EU GDPR, you will almost certainly also comply with the Swiss DPA. Conversely, this also means that if your website is hosted in Switzerland but has visitors from the EU, you must also comply with the EU General Data Protection Regulation (GDPR).

The FADP is designed to ensure the continuous and secure flow of data between Switzerland and the EU and EEA, even though Switzerland is a member of neither. Personal data may only be disclosed abroad if the Federal Council has determined that the destination country guarantees an adequate level of data protection (Art. 16 para. 1). Absent such an adequacy decision, disclosure is permitted only with appropriate safeguards, such as an international treaty, standard data protection clauses approved by the FDPIC or binding corporate rules (Art. 16 para. 2), or under one of the exceptions in Art. 17, e.g. the data subject's express consent in the individual case.

The FADP lays down several principles for data processing (Art. 6):

  1. Personal data may only be processed lawfully.
  2. Processing must be carried out in good faith and be proportionate.
  3. Personal data may only be collected for a specific purpose that is recognizable to the data subject, and may only be processed in a way that is compatible with that purpose.
  4. The collection of personal data, and in particular the purpose of the processing, must be recognizable to the data subject.
  5. Personal data must be deleted or anonymized as soon as it is no longer required for the purpose of processing.
  6. Where the consent of the data subject is required, it is only valid if given voluntarily for one or more specific processing operations, after the data subject has been appropriately informed.
  7. Consent must be express for the processing of sensitive personal data, for high-risk profiling by a private person and for profiling by a federal body.
Data subjects must be informed about all instances of the collection and use of their personal data, regardless of whether it is collected directly or indirectly. Organizations must also keep a record of processing activities. In addition, both controllers and processors are responsible for data protection, particularly with regard to access to data by third parties, e.g. vendors.


The principles of privacy by design and privacy by default are also newly introduced (Art. 7): controllers must take data protection into account from the planning stage of an application or service, rather than trying to secure and protect the data afterwards. In addition, the default settings must limit the processing to the minimum required for the purpose, unless the data subject chooses otherwise; a website may not, for example, pre-select consent to more data processing than is strictly necessary.

In addition, the law now defines profiling, i.e. any automated processing of personal data used to evaluate certain personal aspects of a natural person (Art. 5 lit. f), a good example of a new, technology-driven concern that the law must address.

 

II. Core definitions and terminology of the DPA

The FADP defines some basic terms that are important for understanding one's own role as a data processing company:

Processing: According to Art. 5, “processing” is defined as: “any handling of personal data, regardless of the means and procedures used, in particular the acquisition, storage, retention, use, modification, disclosure, archiving, erasure or destruction of data”.

Controller: “private person or federal body which alone or jointly with others determines the purposes and means of the processing” (Art. 5 lit. j). The controller decides why and how personal data is collected and processed and is responsible for handling it in accordance with data protection law.

Processing by third parties (processors): A controller may have personal data processed by a processor under a contract or by law, provided that (Art. 9):

  1. the data is processed only in the way the controller itself would be permitted to process it; and
  2. no statutory or contractual duty of confidentiality prohibits the assignment.

The controller must also satisfy itself that the processor is able to guarantee data security, and the processor may only pass the processing on to a sub-processor with the controller's prior authorization. A processor can invoke the same justifications (legal bases) for the processing as the controller.

Personal data: In line with many other data protection laws, the Swiss DPA defines personal data or information (“personal data”) as “any information relating to an identified or identifiable natural person”. This can include obviously identifying information such as a name or an e-mail address, but also information such as the IP address, especially as it can have an identifying effect in combination with other personal data.

Sensitive personal data: Art. 5 lit. c defines this type of data as follows:

  1. data on religious, philosophical, political or trade union views or activities,
  2. data on health, the intimate sphere or racial or ethnic origin,
  3. data on administrative or criminal proceedings and sanctions,
  4. data on social assistance measures,
  5. genetic data,
  6. biometric data that uniquely identifies a natural person.

The last two types of sensitive personal data listed were included in the revised DPA; the previous four types were already included in the old law.

Users must be asked for explicit confirmation that they have been informed about and consent to the access and use of their sensitive personal data, e.g. by clicking a checkbox. More on this below.

When is the Swiss DPA not applicable? The FADP does not apply, among other things, to:

  1. personal data processed by a natural person exclusively for personal use
  2. the deliberations of the Federal Assembly and of parliamentary committees

 

III. What innovations does the DPA bring?

The DPA introduces the following significant changes for companies:

In future, only the data of natural persons will be affected; the data of legal entities will no longer be affected.

Genetic and biometric data will be included in the definition of particularly sensitive data.

Extended powers and stricter penalties: Individuals have more options to restrict or refuse the processing of their personal data. The FDPIC has extended enforcement powers in the event of breaches of the law, and the authorities can impose stricter penalties.

The principles of “privacy by design” and “privacy by default” are introduced (Art. 7). “Privacy by design” means that developers must build the protection of users' privacy into the architecture of products or services that collect personal data, from the planning stage onwards. “Privacy by default” means that, as delivered, the product or service limits the processing of personal data to the minimum required for its purpose, with data-protecting settings active and optional data uses switched off, without the user having to intervene. In other words, software, hardware and services must ship configured so that data is protected and the privacy of users is safeguarded.

The two principles require developers to integrate the highest data protection standards into products and services from the outset. This ensures that data protection is not only implemented retrospectively, but as a central pillar during development.

Increased requirements for consent: The updated law pays greater attention to raising awareness and educating data subjects about the collection and use of their personal data. Organizations must clearly inform their users about the data collected, the purpose of the collection, etc., as well as the rights of users and the options for exercising them. The requirements for consent will also be extended to more cases.

Impact assessments must be carried out if there is a high risk to the personality or fundamental rights of the data subjects.

The obligation to provide information will be extended: The data subject must be informed in advance each time personal data is obtained - and no longer only of so-called particularly sensitive data.

A list of processing activities will be mandatory. However, the Ordinance to the Act provides for an exception for SMEs whose data processing involves only a low risk of personal data breaches.

Notification of data breaches: Controllers must notify the FDPIC as soon as possible of a breach of data security that is likely to result in a high risk to the personality or fundamental rights of the data subjects (Art. 24). Data subjects must be informed when this is necessary for their protection or when the FDPIC requests it. The law specifies what the notification must contain: at least the nature of the breach, its consequences and the measures taken or planned.

The term profiling (the automated processing of personal data to evaluate personal aspects of a natural person) has been incorporated into the law. Its inclusion highlights the need for effective protection against unwanted or discriminatory profiling, for example in recruitment processes.

More detailed information on the changes introduced by the FADP can be found on the FDPIC website (The new Data Protection Act). 

 

IV. The (new) rights of Swiss citizens

The old FADP protected the data of both natural persons and legal entities. The revised FADP now protects only the data of natural persons; federal bodies remain bound by it as controllers. Under Swiss law, a legal person is a non-human entity (e.g. a company, association or foundation) that is treated as a person for certain legal purposes, such as owning property, entering into contracts and suing or being sued. Data about such entities is no longer covered by the Act.

Data subjects can more easily make requests for information in order to exercise their legal rights. The process by which individuals can request details of their personal data from any organization has been streamlined.

Right of access: Any data subject can ask a controller whether personal data relating to them is being processed and can request access to this data (Art. 25). The information must as a rule be provided free of charge and within 30 days, in writing or in the form in which the data is held. The right of access cannot be waived in advance.

Right to rectification: Data subjects also have the right to request rectification of their personal data if it is inaccurate or incomplete. Under certain circumstances, however, these requests may be restricted, refused or postponed (Art. 32).

 

V. What is the legal basis for the DPA and when is consent required?

Consent as a legal basis

The GDPR is based on the principle of “lawfulness of processing”, which requires a legal basis or justification for most processing of personal data. Consent is one of these legal bases.

The DPA works differently: private persons, whether individuals, non-commercial organizations or companies, may generally process personal data without a specific legal basis, as long as they comply with the processing principles. A justification (consent, an overriding private or public interest, or a provision of law) is only needed where the processing would otherwise unlawfully breach the data subject's personality (Art. 30 and 31).

Consent is required in particular for:

  • the processing of sensitive personal data
  • high-risk profiling by a private person
  • profiling by a federal body (government)
  • data transfers to countries without an adequate level of data protection, unless another safeguard or exception applies
  • processing for purposes other than those made apparent at collection
  • processing for longer than the stated purpose requires (Art. 6)

Where consent is the justification relied on, the DPA works as an “opt-in” regime: organizations must obtain valid consent from users before or at the time of data collection.

It is important to note that even if consent is not required for processing, the data subjects must be informed in accordance with the DPA. They must be notified before or at the time of data collection, regardless of whether a legal basis is required. If a legal basis is required, the controller must communicate what it is.

In all of these scenarios, a Consent Management Platform (CMP) supports compliance by providing the required notice and obtaining valid consent. At the end of this article you will find more information on CMP solutions and how we can help you specifically.

 

Clear Communication

Companies must clearly communicate the following information, e.g. in the privacy policy on the website (Art. 19), regardless of whether a legal basis is required. The same information is a precondition for valid consent:

  • Identity of the controller, be it the company or a third party
  • Contact details of the controller
  • Identity of the data recipient and all other parties involved in the data processing
  • Recipient country if the data is transferred across borders
  • Purpose(s) of data collection and use
  • Categories of data collected, if applicable
  • Means of data collection, if applicable
  • The legal basis for the processing, if applicable
  • Users' rights in relation to their personal data under the DPA, including the right to refuse or withdraw consent

 

Legal basis for data transfers to processors and abroad

Controllers may commission processors to process data on their behalf, provided that no confidentiality obligations are breached, and a processor may invoke the same justifications as the controller (Art. 9).

For disclosure of personal data to a country without an adequate level of data protection, Art. 17 provides, in addition to express consent, exceptions including the following:

  • the disclosure is directly connected with the conclusion or performance of a contract between the controller and the data subject, or with a contract concluded in the interest of the data subject
  • the disclosure is necessary to safeguard an overriding public interest
  • the disclosure is necessary to establish, exercise or enforce legal claims before a court or another competent foreign authority
  • the disclosure is necessary to protect the life or physical integrity of the data subject or a third party and it is not possible to obtain the data subject's consent within a reasonable period

 

VI. The validity of consents

As with the GDPR, the consent of users in Switzerland must also be obtained voluntarily and with prior provision of information on the processing of their data (i.e. informed). This applies, among other things, to the use of cookies and other tracking technologies on websites that Swiss citizens may visit if the data collection and processing meets the requirements for consent under the FADP.

Consent to cookies is only valid if it is a genuine decision, i.e. if the data subject consents without coercion, pressure or other external influences. This means that someone who refuses a cookie that requires consent may not be denied any services or benefits, such as access to the website.

Like the EU's GDPR, Switzerland's data protection law requires that consent to cookies must be specific, i.e. consent must be obtained for each type of purpose pursued with cookies. Consent cannot therefore be given for a general use of all cookies without specifying which data is collected via these cookies and for which purposes. Rather, the Swiss FADP requires a more detailed selection than a simple “all or nothing”, i.e. consent for each category of cookies.

Consent information must be visible, complete and conspicuous. It should be written in simple terms that every user can understand and be available in all languages of the website. For example, if the website is aimed at a French and German-speaking audience, the information on the consent banner should be written in both French and German.

This information is usually summarized in a website's cookie policy and should include the following

  • the identity and contact information of the controller(s) (first or third party),
  • the purposes of the cookies to be stored and/or read,
  • the recipients or categories of recipients of the data.
In addition, it may be necessary to specify the categories of data processed and the countries to which the data is transferred, in particular where the destination country does not have an adequate level of data protection, together with the safeguards on which the transfer is based.
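To make the requirements above concrete, here is an added example of a fail-closed consent gate in JavaScript. It is written for this article's editorial review and is not code from the original author or from any CMP product: optional cookie categories are off by default, a decision is only accepted per category and after the notice has been shown, withdrawal is a single call, trackers with no declared category never load, and a stored decision is discarded when the notice version changes. The category names, the notice version and the tracker list are constructed for the example.

```javascript
// Added example: a minimal, fail-closed consent gate for cookie categories.
// Categories, notice version and the tracker list below are assumptions for
// the example; a real site would use its own.

const DEFAULT_STATE = Object.freeze({ necessary: true, analytics: false, marketing: false });
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

class ConsentGate {
  constructor(noticeVersion) {
    this.noticeVersion = noticeVersion; // version of the cookie notice the user was shown
    this.state = { ...DEFAULT_STATE };  // privacy by default: every optional category is off
    this.decision = null;               // the recorded decision (what, when, which notice)
  }

  // Record a specific, informed decision. Every optional category must be chosen
  // explicitly with a boolean; unknown categories and "necessary" are rejected.
  recordDecision(choices, { informed = false, at = Date.now() } = {}) {
    if (!informed) throw new Error("consent is only valid after the notice was shown");
    if (!choices || typeof choices !== "object") throw new Error("choices must be per category");
    const next = { ...DEFAULT_STATE };
    for (const [category, on] of Object.entries(choices)) {
      if (!hasOwn(DEFAULT_STATE, category) || category === "necessary") {
        throw new Error(`unknown or non-optional category: ${category}`);
      }
      if (typeof on !== "boolean") throw new Error(`choice for ${category} must be true/false`);
      next[category] = on;
    }
    this.state = next;
    this.decision = { at, noticeVersion: this.noticeVersion, choices: { ...next } };
    return this.decision;
  }

  // Withdrawal must be as easy as consent: one call returns to the default state.
  withdraw() {
    this.state = { ...DEFAULT_STATE };
    this.decision = null;
  }

  // Fail closed: anything that is not an explicitly enabled category is blocked.
  allows(category) {
    return hasOwn(this.state, category) && this.state[category] === true;
  }

  // Split declared trackers into those that may run now and those that stay blocked.
  gateTrackers(trackers) {
    const allowed = [];
    const blocked = [];
    for (const t of trackers) (this.allows(t.category) ? allowed : blocked).push(t.name);
    return { allowed, blocked };
  }

  // Persist the decision (e.g. in a first-party cookie). Restoring refuses a record
  // made under a different notice version, so a changed notice forces a new decision.
  serialize() {
    return JSON.stringify(this.decision);
  }

  static restore(raw, noticeVersion) {
    const gate = new ConsentGate(noticeVersion);
    let record;
    try { record = JSON.parse(raw); } catch { return gate; }
    if (!record || record.noticeVersion !== noticeVersion) return gate;
    const optional = {};
    for (const category of Object.keys(DEFAULT_STATE)) {
      if (category !== "necessary") optional[category] = record.choices?.[category] === true;
    }
    gate.recordDecision(optional, { informed: true, at: record.at });
    return gate;
  }
}

// Constructed tracker list for the example; the URLs are placeholders.
const TRACKERS = [
  { name: "session-cookie", category: "necessary" },
  { name: "analytics.example/collect.js", category: "analytics" },
  { name: "ads.example/pixel.js", category: "marketing" },
  { name: "legacy-beacon", category: undefined }, // undeclared category: never loads
];

// Walk-through returning the gate's output at each step so it can be inspected or tested.
function walkthrough() {
  const gate = new ConsentGate("2024-10");
  const beforeDecision = gate.gateTrackers(TRACKERS);
  gate.recordDecision({ analytics: true, marketing: false }, { informed: true, at: 1 });
  const afterDecision = gate.gateTrackers(TRACKERS);
  const restoredSame = ConsentGate.restore(gate.serialize(), "2024-10").gateTrackers(TRACKERS);
  const restoredNewNotice = ConsentGate.restore(gate.serialize(), "2025-01").gateTrackers(TRACKERS);
  gate.withdraw();
  const afterWithdrawal = gate.gateTrackers(TRACKERS);
  return { beforeDecision, afterDecision, restoredSame, restoredNewNotice, afterWithdrawal };
}

console.log(JSON.stringify(walkthrough(), null, 2));
```

In a browser the same gate would sit in front of the code that injects tracker `<script>` tags or sets non-essential cookies: nothing in the optional categories runs until `allows()` returns true, and the serialized decision (timestamp, notice version, per-category choices) is what you keep as evidence that consent was informed and specific.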

 

VII. Who is affected by the Data Protection Act (DSG)?

Companies that process the personal data of persons in Switzerland have had to comply with the DPA since September 2023, even if they use third-party providers for data collection and processing, e.g. for analytics or advertising. The law applies to both the public and private sectors.

Companies that already comply with the GDPR do not have much additional work to do, but they should still familiarize themselves with the requirements of the DPA. The DPA and its Ordinance also relieve SMEs with fewer than 250 employees of some obligations, which we cover below.

Extraterritoriality

Switzerland's new data protection law is extraterritorial, i.e. it applies to organizations based in Switzerland as well as those based outside Switzerland if they offer goods or services and process personal data of Swiss residents. It does not matter where the company is based or where its website is hosted.

Companies subject to the DPA that have their registered office outside Switzerland must appoint a representative in Switzerland if the conditions set out in section VIII are met. The representative serves as a point of contact for the FDPIC and for data subjects.


Impact of the GDPR and the ePrivacy Directive in Switzerland

If they process the data of users outside Switzerland, in the EU, e.g. as website operators using cookies for web tracking purposes, companies must also take into account the requirements of broader European laws such as the GDPR and the ePrivacy Directive (ePD) when processing and protecting personal data. The ePD is particularly relevant when using electronic communications and cookies. The responsibilities of companies under these regulations are quite similar to those under the DPA, although they are stricter in some respects (e.g. consent must be obtained in more circumstances).

Third-party controllers are also obliged to provide information

Both primary and third-party controllers are responsible if they have control over the data, e.g. the company on whose website data is collected and a third-party provider that uses the data. If a third party is involved, it is obliged to provide information if it does not disclose the identity of the controller (first party) or if the controller is not based in Switzerland.

 

VIII. What are the implications and obligations for companies?

1. Transparency and documentation

As mentioned above, companies must inform data subjects of any collection of personal data, even if the data was not collected directly from the data subject. The FDPIC has published a guide on how you can use web tracking tools on your website to monitor user activity on your domain in compliance with the FADP.

The end users of your website must be informed in a transparent manner that their personal data is being collected, the purpose of the data processing, the analysis of the data and the user's options to object to the tracking.

In the case of sensitive personal data, end users must explicitly confirm that they have been informed and agree to web tracking, e.g. by ticking a checkbox. The processing of a user's IP address is also subject to the DPA, as IP addresses are personal data.

They must also keep a record of processing activities. Companies with fewer than 250 employees are exempt if their processing poses only a low risk to the data subjects.

2. Ensuring accuracy and completeness

Any organization that processes personal data is responsible for the accuracy of the data (Art. 6) and must take all reasonable steps to ensure that inaccurate or incomplete data are either rectified or destroyed within the scope of the purpose for which they were collected.

3. Ensuring an appropriate level of security

The controller must take appropriate technical and organizational measures to protect the data against unauthorized access or processing (Art. 8). The minimum requirements for data security are set out by the Federal Council in the Data Protection Ordinance.

4. Avoidance of disadvantages for the data subjects

It is a fundamental principle of the FADP that the processing of personal data by private persons must not unlawfully breach the personality of the persons concerned. Personal data that the data subject has made generally accessible may be processed unless they have expressly prohibited it, but even then the processing must not cause them harm and, as mentioned, they must be informed about the collection and use of the data and its purpose.

5. Data protection impact assessments

Where a planned processing operation is likely to result in a high risk to the personality or fundamental rights of data subjects, the controller must carry out a documented data protection impact assessment in advance (Art. 22) and consult the FDPIC if the assessment shows that the residual risk remains high (Art. 23).

6. Notification in the event of data breaches

In the event of a breach of data security, i.e. any breach that leads to the accidental or unlawful loss, deletion, destruction or alteration of, or unauthorized disclosure of or access to, personal data (Art. 5 lit. h), the controller must notify the Federal Data Protection and Information Commissioner (FDPIC) as soon as possible if the breach is likely to result in a high risk to the data subjects (Art. 24). (The GDPR requires notification without undue delay and, where feasible, within 72 hours.)

Controllers must also inform the data subjects if this is necessary for their protection or if the FDPIC so requests.

7. Appointment of a representative and data protection advisor

Companies based outside Switzerland must appoint a representative in Switzerland if they process personal data of persons in Switzerland and the processing (Art. 14):

  • is connected with the offering of goods or services to, or the monitoring of the behaviour of, persons in Switzerland,
  • is extensive and regular, and
  • could pose a high risk to the data subjects.

The FADP does not oblige private controllers to appoint a data protection advisor (the Swiss counterpart of the GDPR's data protection officer); appointment is voluntary (Art. 10). Swiss companies that also fall under the GDPR, for example because they process personal data of EU residents, may nevertheless be required to appoint a data protection officer under that regulation. Either way, such a position provides a central point of contact for customers, employees and data protection authorities.

 

IX. What are the consequences for companies that fail to comply with the DPA?

The FDPIC is responsible for monitoring compliance with the FADP and has extensive powers of investigation (Art. 49 ff.). The office also provides advice and information and promotes the protection of personal data in Switzerland. The FDPIC is elected by the Federal Assembly for a term of four years (Art. 43).

The FDPIC can open an investigation against a company on its own initiative or following a report. If a breach of data protection law is found, the FDPIC can order far-reaching administrative measures, including the adjustment or cessation of data processing or the deletion of data.

Failure to comply with the DPA and its obligations, including breaches of the duties to inform and of due diligence, can result in a fine of up to CHF 250,000 (Art. 60 ff.). Note that under the DPA the fine is imposed on the responsible natural person, whereas the GDPR's administrative fines target the undertaking rather than individuals.

For violations in the course of business activities, the company itself can be fined up to CHF 50,000 if identifying the offending person within the organization would require a disproportionate effort (Art. 64).

Failure to comply with the FADP can not only result in fines, but can also damage a company's reputation and cause users to lose trust. Compliance and clear, transparent communication with customers build trust and demonstrate respect for and commitment to the protection of personal data and the right to privacy.

FADP vs. GDPR: enforcement

A decisive deviation from the General Data Protection Regulation (GDPR) is that the sanctions mentioned here are not (only) directed against the affected company itself.

Rather, the fines under the DPA are imposed on the natural person who is responsible for compliance with data protection regulations. This also includes data protection officers, managing directors or members of the board of directors.

These fines are expressly imposed personally and cannot be insured or covered by the employer. This tough approach is intended to increase the effectiveness of the sanctions and emphasize personal responsibility for data protection.

The violations that can be punished under criminal law in accordance with the DPA are limited to seven conclusively named cases:

  1. Disclosure of personal data to recipients in countries without adequate data protection and without appropriate safeguards.
  2. Use of processors without appropriate agreements.
  3. Failure to comply with the minimum security requirements set by the Federal Council.
  4. Missing or incomplete information in data protection declarations.
  5. Incorrect or incomplete responses to requests from the FDPIC.
  6. Breach of professional confidentiality: disclosure of secret personal data learned in the exercise of a profession.
  7. Non-compliance with orders of the FDPIC or court decisions.

In addition to the severe penalties, there is a second important innovation in the DPA. It concerns the liability of persons in the company who not only commit breaches of the Data Protection Act, but also contribute to them. This means that not only direct perpetrators will be prosecuted, but also their superiors and management.

Two groups of people can be prosecuted under the new criminal provisions:

  • Persons who have committed the violation themselves or have given the instruction to do so. This includes those who played a leading role in decisions that violate data protection obligations. This could include, for example, incorrectly responding to requests from data subjects, inadequate contractual agreements with processors or the unauthorized disclosure of data abroad.
  • Persons who are legally obliged to prevent breaches or mitigate the consequences. This refers to persons such as board members, managing directors and other board representatives who are responsible for ensuring that the company complies with data protection law. They must have the authority to give appropriate instructions or intervene to prevent or remedy breaches.

Insofar as responsibilities for processing are delegated to subordinate persons, the person responsible is liable for ensuring that the delegate is appropriately selected, instructed and monitored.

In particular, members of the Board of Directors retain the non-transferable and non-withdrawable ultimate supervision of management and compliance with the law. This responsibility is defined by law and should be taken into account as part of corporate governance.

 

X. How do I achieve FADP compliance? A summary

By complying with the DPA, you can ensure that your data processing is secure and responsible and that the use of personal data is lawful.

You should regularly review and update the following points:

Keep comprehensive data registers: Companies need to know what data they collect and store, including specific categorizations such as that of sensitive personal data.

Review DPA compliance requirements: Periodically review your business activities and data processing and DPA obligations and take the necessary measures to ensure ongoing compliance with Swiss data protection law.

Transparently disclose your processing activities: Clearly disclose data processing activities through formalized policies and privacy notices and ensure that your users are aware of data processing activities and their rights.

Establish a process for handling data subject requests (DSRs): Establish and update procedures to handle requests for access, rectification and deletion in a user-friendly and timely manner (the FADP expects an access request to be answered within 30 days as a rule), in a way that complies with legal requirements, saves the organization time and resources, and promotes user trust.

Streamline your architecture for DSRs: Know where personal data is held across your systems so that each request can be located, fulfilled and documented end to end, and data subjects' rights can be exercised effectively.

Implement a robust data breach notification system: Establish policies and processes that ensure a robust response to data breaches, including prompt notification as required by law and a good relationship with users.

Ensure data protection compliance for cross-border data flows: Catalog processes and familiarize yourself with cross-border requirements if operations involve international data flows.

Establish efficient reporting on recorded processing activities: Make sure the record of processing activities can be queried, kept up to date and produced on request.

Strengthen your organizational security measures: Protect your processing activities by implementing robust technical and organizational security measures across the organization.

Conduct data protection impact assessments: Conduct data protection impact assessments, as required by law under the DPA, to identify and mitigate potential risks associated with data processing activities.

Conduct qualified training: By properly training employees and management personnel, they can significantly minimize the risk of DPA violations and the associated penalties.

 

XI. FADP compliance through a Consent Management Platform (CMP)

Compliance with the DPA helps to ensure that a lot of the work is already done in case you need to comply with further legislation in the future, which is increasingly likely given the expansion of data protection regulations globally.

Implementing compliance processes and mechanisms helps to ensure responsible and secure collection, storage and use of personal data and allows consumers to control access to and use of that data.

We are happy to help you with the implementation and thereby directly help you to remain competitive as you can demonstrate compliance with data protection requirements, enabling cross-border data transfer and other functions of doing business, especially in the EU.

 

Sources (external)

Text of the Act: https://www.fedlex.admin.ch/eli/cc/2022/491/de

https://www.edoeb.admin.ch/edoeb/de/home/datenschutz/grundlagen/ndsg.html