Understanding the Federal Act on Data Protection (FADP)

The Federal Act on Data Protection (FADP) is Switzerland’s primary legislation governing the processing of personal data to protect the privacy and rights of individuals.

Initially enacted in 1992, the law was designed to provide data protection principles and guidelines. However, with advancements in technology and the increasing digitization of data, the need to modernize the FADP became evident.

In 2020, the Swiss Parliament approved the revised FADP to better align with global data protection standards, notably the European Union’s General Data Protection Regulation (GDPR). This overhaul ensures that Switzerland’s data protection framework remains robust, reflecting modern requirements for privacy and data security. The revised FADP, which officially took effect on September 1, 2023, introduced several significant changes that impact businesses and individuals alike. Below is a detailed overview of the key updates.

Key Updates to the FADP

  1. Enhanced Data Subject Rights:

The updated FADP grants data subjects greater control over their personal data. Individuals now have expanded rights to access their data, request corrections, and demand deletion if certain conditions are met. Moreover, there are new rights for data portability, where individuals can request their personal data in a structured format to be transferred to another entity.

  2. Stricter Consent Requirements:

The new regulations place stricter requirements on obtaining valid consent for data processing. Consent must be freely given, specific, informed, and unambiguous. This brings the FADP in closer alignment with GDPR standards, ensuring transparency and protecting individuals from unwanted data processing.

  3. Obligation to Maintain Records of Processing Activities:

Companies are now required to maintain comprehensive records of their data processing activities, particularly if the processing poses a high risk to the privacy of individuals. These records should include information on the purpose of processing, the categories of data involved, and security measures applied.

  4. Mandatory Data Breach Notifications:

One of the most notable updates is the introduction of mandatory data breach notifications. If a data breach occurs that poses a high risk to the rights and freedoms of individuals, companies must notify the Federal Data Protection and Information Commissioner (FDPIC) and potentially affected data subjects without undue delay.

  5. Data Protection Impact Assessments (DPIAs):

Similar to the GDPR, the revised FADP now requires organizations to conduct Data Protection Impact Assessments (DPIAs) when processing activities are likely to result in a high risk to the privacy of individuals. DPIAs help identify and mitigate potential risks in data processing, ensuring compliance with privacy standards.

  6. Stronger Accountability and Compliance Measures:

The updated FADP emphasizes the accountability of data controllers and processors. Organizations are expected to implement appropriate technical and organizational measures to ensure compliance. This includes appointing a Data Protection Officer (DPO) for entities that regularly process sensitive data or conduct large-scale data processing.

  7. Cross-Border Data Transfers:

The revised FADP introduces stricter regulations for transferring personal data outside Switzerland, particularly to countries that do not offer an adequate level of data protection. Organizations must implement appropriate safeguards, such as standard contractual clauses or binding corporate rules, to ensure cross-border data transfers are secure and compliant.

  8. Increased Penalties for Non-Compliance:

The revised law introduces higher penalties for non-compliance. Organizations and individuals can face fines of up to CHF 250,000 for violations. This serves as a strong deterrent and emphasizes the importance of adhering to data protection standards.

Aligning with International Standards

The revised FADP was designed to be largely compatible with the GDPR, thereby simplifying compliance efforts for companies operating across both the EU and Swiss markets. This alignment ensures that Switzerland remains a trusted partner in global data flows, maintaining the high level of data protection expected in international commerce.
