The new Swiss data protection act is set to come into effect by 2022 - here’s what you need to know
After many years of planning, a new data protection act has been passed by the Swiss parliament. The Federal Act on Data Protection (FADP), or Datenschutzgesetz (DSG) as it is known in German, is expected to come into force in January 2022 with no transition period. This blog post aims to help you prepare so that you remain compliant and avoid any penalties the new law may impose.
What is the Federal Act on Data Protection (FADP)?
Before we get into the specifics of the act, how you can prepare, and what penalties exist for transgression, we need to outline what the FADP is and provide a little background on the law.
Please note that while we may be experts in digital marketing, we do not claim to offer legal advice, and the information contained in this blog is no substitute for proper legal counsel.
The FADP, known in German as the DSG, is essentially the Swiss counterpart of the EU GDPR, which came into force in May 2018. It aims to increase the transparency of how businesses handle data and to strengthen the rights of the individuals whose data is used. While the FADP will keep Swiss companies broadly in line with the GDPR, there are a few differences that Swiss business owners should take into account.
Whom will the FADP affect?
Similar to the GDPR, the FADP will affect every business that operates within Switzerland or deals with data of Swiss citizens. This includes companies that are established outside of Switzerland but who process personal data belonging to a Swiss citizen.
In other words, the FADP will affect every company that deals with Swiss personal data. However, there are a few additional requirements for those companies that do not have a registered office in Switzerland.
Companies that are not based in Switzerland
Companies that do not have a registered office in Switzerland have to abide by the same requirements set out for Swiss companies. In addition to this, they may also be obliged to appoint a representative in Switzerland if the company in question:
- Processes data related to the offering of goods or services
- Processes or possesses data related to the observation of the behaviour of Swiss individuals
- Processes the data in the previous two points substantially or regularly
What data will be regulated?
Not all data is equally protected under the FADP. Here are the primary notes on what information is regulated and what does not fall under the jurisdiction of the FADP.
Individual data
Like the GDPR, the FADP will regulate and protect the data of Swiss individuals, requiring that data subjects give consent and that a record of that consent be kept. However, the FADP also singles out certain categories of data, and profiling in general, for different treatment. In addition, the latest version of the FADP has expanded the scope of these definitions. We will review them shortly.
Sensitive personal data
One of the more regulated categories of data includes “sensitive personal data”, which covers a wide variety of data topics, including:
- Religious, ideological, political or trade union-related views or activities
- Health or intimate details
- Social security measures
- Administrative or criminal proceedings and sanctions
In addition to these, the new FADP has expanded the scope of what classifies as “sensitive personal data” to further include:
- Ethnicity
- Genetic data
- Biometric data
Unlike with regular categories of data, businesses must obtain the express consent of the data subjects in question and must furthermore notify the data subjects that their data has been obtained and for what purpose.
Profiling
Any form of automated processing of personal data used to assess or predict personal aspects of a person such as work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or whereabouts is classified as “profiling”.
While profiling was the subject of vigorous debate in parliament, for the time being, it is still permissible under the current and proposed FADP. However, any profiling that includes data from the “sensitive personal data” category outlined above will be known as “high-risk profiling” and will be subject to the same regulations as sensitive personal data.
This means that any profiling that includes “sensitive personal data” will have to be conducted with express permission, with the subject notified.
Company data processing is no longer protected by the FADP
It is important to note that the revised FADP is no longer applicable to data of legal persons. While this means that data processing regarding companies will not be under scrutiny, it does not extend to the processing of the data of natural persons, for example, those who work for the company (e.g. contact people, support staff, salespeople).
What are the rights of individuals protected under the FADP?
Individuals who are protected under the FADP and its revision may make demands that must be met by the businesses who possess, process or otherwise use their data. These rights have been expanded upon with the revised FADP and now include the following:
The right to information
All individuals have the right to request information from the controllers of their data as to whether data concerning them is being processed and why. Individuals may not waive this right in advance.
The controller of the data must notify the subject of:
- All available data concerning the subject, including the source of the data
- The purpose and (if applicable) legal basis for the processing of data
- Which parties are involved in the processing of data
- If the controller processes the data through a third party, the controller must disclose this information
In addition to the above information, the new, extended version of the FADP requires that the following be provided as well:
- The identity and contact details of the controller;
- The processing purposes;
- In the case of disclosure of data: the recipients or the categories of recipients;
- In the case of data being disclosed abroad, additionally: the state or international body and, if applicable, the safeguards of appropriate data protection or the exception, if no such safeguards are given;
- In the case of indirect data collection (i.e. data are not collected from the data subject themselves), additionally: the categories of personal data processed;
- The conduct of automated individual decisions, i.e. a decision based solely on automated processing which results in a legal consequence or substantial effects for the data subject.
The new FADP also does away with the “in-writing” requirement of a print-out or photocopy and instead simply states that an “appropriate” form must be used. However, it should be noted that a data privacy policy will not always be sufficient.
The right to withdraw consent and delete data
All individuals may withdraw their consent for the possession and processing of their data or request that their data be deleted at any time. Data controllers must honour this request and remove the data from the system accordingly and promptly.
The right to data portability
Under the new FADP, all individuals may request the handing over and transmission of their data. This data must be provided in a common electronic format or transferred to other providers upon request.
The right to object
In addition to the above, data subjects now have the right to object to automated individual decisions. Individuals may state their position on the matter and demand that automated decisions are reviewed by a natural person rather than a system or automated process.
What are the duties of companies under the FADP?
Companies who wish to process or possess the personal data of Swiss citizens have duties that they are expected to abide by. Should they fail to comply with these duties, they will be liable to a fine or criminal prosecution, as outlined below.
The duty to comply with private requests
Should a request be made by private individuals within their rights, companies or data controllers must respect their wishes and comply within a reasonable time frame.
The duty to keep a record of all data processing activities
Data processors and businesses must now, and into the future, keep a detailed and regularly maintained record of all processing activities, as required under Swiss law.
The minimum information required is:
- The identity of the controller
- The purpose of the processing
- A description of the categories of data subjects and the categories of personal data processed
- The categories of the recipients
- The period of retention of personal data or the criteria for determining this period, if possible.
- If possible, a general description of the measures taken to ensure data security (appropriate technical and organisational measures to prevent data security breaches).
- If the data is disclosed abroad, the details of the country and any safeguards by which appropriate data protection is ensured.
The duty of notification
Data processors that experience a data breach where there is a high risk to personal data or to the fundamental rights of data subjects must, without delay, notify the Federal Data Protection and Information Commissioner (FDPIC) and the affected data subjects.
The duty of assessments
If data processing involves a high risk to sensitive personal data or to the fundamental rights of a data subject, the data controller must conduct an assessment of the risks of the processing. In the case of new technologies, extensive processing or systematic public monitoring, this risk is automatically assumed to be high.
The duty of privacy by design and privacy by default
As with the GDPR, the FADP explicitly states that the processing of personal data must be kept to the absolute minimum necessary for the intended purpose. Thus, appropriate technical and organisational measures must be taken to ensure that the default settings of applications or measures that acquire data adhere to this principle. All default user settings must also be set to “privacy-friendly” options wherever possible.
What are the penalties of non-compliance under the FADP?
The revised FADP has extended the sanctions that the FDPIC may impose upon transgressors of the FADP. These include fines, criminal proceedings and employee or managerial culpability.
Criminal procedures
Companies and individuals who do not comply with the FADP regulations are at risk of incurring criminal sanctions in the form of a fine of up to CHF 250,000. Failure to pay the fine could result in jail time and further sanctions.
In addition to this, the FDPIC may open an administrative investigation and issue orders, which, if disregarded, may result in further criminal sanctions of the same amount.
Civil claims
Private individuals affected by companies in transgression of the FADP may still bring civil actions for removal, injunction or damages.
A note on prosecution
During the legislative process, it was noted that criminal sanctions and fines are primarily aimed at managers and not at the employees who carry out the work. However, it was also noted that, in the case of companies that do not operate with managerial functions, a fine of CHF 50,000 or less could be used.
Finally, in cases where the offender within a business would be too difficult to single out, the company can ultimately be ordered to pay the fine instead of a natural person.
What should businesses do to prepare for the new FADP?
The revised FADP does not have a transitional period, which means that companies must begin preparing for the new FADP immediately if they want to be ready for when it comes into effect in January 2022.
Here are a few actions businesses can take to prepare for the revised FADP.
Begin obtaining and recording consent now
The new FADP requires that a record of consent be provided upon request for each data subject. This means that businesses should take the time now to get their databases in order before the regulation comes into effect.
Businesses should thus begin to record consent from their data subjects, using double-opt-in measures as well as reminder emails informing subjects of how their data is used.
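The following is an added example, not code from the original post or from Demodia, of what "recording consent" with double opt-in can look like in practice. A consent is only usable for processing once the subject has confirmed it through the emailed link, a withdrawal is honoured from any state, and every transition is kept so that the record can be produced on request. The purpose names, the token handling and the sample data are assumptions made for the example.

```python
"""Consent ledger with double opt-in, withdrawal and per-subject export.

Added example, not from the original post. It models the consent record the
post says must be producible on request: consent is PENDING when requested,
CONFIRMED only after the subject acts on the confirmation email (double
opt-in), and WITHDRAWN on request, with every transition kept as evidence.
Purpose names, the token handling and the sample data are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Optional, Tuple
import hashlib
import hmac
import secrets


class State(Enum):
    PENDING = "pending"        # request received, confirmation email sent
    CONFIRMED = "confirmed"    # subject followed the confirmation link
    WITHDRAWN = "withdrawn"    # subject revoked consent


@dataclass
class ConsentEvent:
    at: datetime
    state: State
    evidence: str              # what can be shown later: form, link click, channel


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str
    state: State
    history: List[ConsentEvent] = field(default_factory=list)
    token_digest: Optional[str] = None   # hash of the one-time token, never the token


class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}

    @staticmethod
    def _now() -> datetime:
        return datetime.now(timezone.utc)

    def request(self, subject_id: str, purpose: str, source: str) -> str:
        """Opt-in step 1: record PENDING consent and return the one-time token
        to embed in the confirmation email. Only its SHA-256 digest is stored."""
        token = secrets.token_urlsafe(32)
        rec = ConsentRecord(subject_id, purpose, State.PENDING,
                            token_digest=hashlib.sha256(token.encode()).hexdigest())
        rec.history.append(ConsentEvent(self._now(), State.PENDING, f"form:{source}"))
        self._records[(subject_id, purpose)] = rec
        return token

    def confirm(self, subject_id: str, purpose: str, token: str) -> bool:
        """Opt-in step 2: the subject follows the emailed link. Consent becomes
        CONFIRMED only if the token matches; the token is single use."""
        rec = self._records.get((subject_id, purpose))
        if rec is None or rec.state is not State.PENDING or rec.token_digest is None:
            return False
        digest = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, rec.token_digest):
            return False
        rec.state = State.CONFIRMED
        rec.token_digest = None
        rec.history.append(ConsentEvent(self._now(), State.CONFIRMED, "email-link"))
        return True

    def withdraw(self, subject_id: str, purpose: str, channel: str) -> bool:
        """Right to withdraw: PENDING or CONFIRMED moves to WITHDRAWN. The record
        is kept so the withdrawal itself can be evidenced later."""
        rec = self._records.get((subject_id, purpose))
        if rec is None or rec.state is State.WITHDRAWN:
            return False
        rec.state = State.WITHDRAWN
        rec.token_digest = None
        rec.history.append(ConsentEvent(self._now(), State.WITHDRAWN, f"withdrawal:{channel}"))
        return True

    def may_process(self, subject_id: str, purpose: str) -> bool:
        """Gate every use of the data on a CONFIRMED record for that purpose."""
        rec = self._records.get((subject_id, purpose))
        return rec is not None and rec.state is State.CONFIRMED

    def export(self, subject_id: str) -> List[dict]:
        """Per-subject record of consent, for answering an access request."""
        return [
            {"purpose": r.purpose, "state": r.state.value,
             "history": [{"at": e.at.isoformat(), "state": e.state.value,
                          "evidence": e.evidence} for e in r.history]}
            for (sid, _), r in self._records.items() if sid == subject_id
        ]


if __name__ == "__main__":
    ledger = ConsentLedger()
    token = ledger.request("subject-42", "newsletter", "signup-page")  # constructed sample
    ledger.confirm("subject-42", "newsletter", token)
    ledger.withdraw("subject-42", "newsletter", "unsubscribe-link")
    print(ledger.export("subject-42"))
```

Two design choices matter here: the confirmation token is stored only as a digest and compared in constant time, so a leaked ledger does not let anyone forge a confirmation, and a withdrawn record is never deleted, because the withdrawal itself is the evidence you will need if processing is later questioned.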
Prepare a record of all data processing activities
Businesses must be able to provide a record of all data processing activities upon request. For this, they need to provide the following information, at a minimum:
- The identity of the controller
- The purpose of the processing
- A description of the categories of data subjects and the categories of personal data processed
- The categories of the recipients
- The period of retention of personal data or the criteria for determining this period, if possible.
- If possible, a general description of the measures taken to ensure data security (appropriate technical and organisational measures to prevent data security breaches).
- If the data is disclosed abroad, the details of the country and any safeguards by which appropriate data protection is ensured.
It would thus be a good idea to prepare this information in advance.
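As an added example, not code from the original post or from Demodia, the minimum information listed above can be turned into a completeness check that a business runs over its register before a request arrives. The items the post qualifies with "if possible" are reported as warnings, the rest as errors; the field names and the sample register are assumptions made for the example.

```python
"""Completeness check for a record of processing activities.

Added example, not from the original post. It turns the minimum information
the post lists into a schema check over a register of activities, including
the two conditional items: a disclosure abroad needs the country and the
safeguards relied on, and retention needs either a period or the criteria
for determining one. The "if possible" items are reported as warnings, the
others as errors. Field names and the sample register are constructed.
"""
from typing import Dict, List

REQUIRED_FIELDS = (
    "controller",                 # identity of the controller
    "purpose",                    # purpose of the processing
    "data_subject_categories",    # categories of data subjects
    "personal_data_categories",   # categories of personal data processed
    "recipient_categories",       # categories of recipients
)


def validate_activity(activity: Dict) -> Dict[str, List[str]]:
    """Return {"errors": [...], "warnings": [...]}; both empty means complete."""
    errors: List[str] = []
    warnings: List[str] = []
    for key in REQUIRED_FIELDS:
        if not activity.get(key):
            errors.append(f"missing {key}")
    # Disclosure abroad: the country plus the safeguards ensuring appropriate protection.
    for i, transfer in enumerate(activity.get("transfers_abroad") or []):
        if not transfer.get("country"):
            errors.append(f"transfers_abroad[{i}]: missing country")
        if not transfer.get("safeguards"):
            errors.append(f"transfers_abroad[{i}]: missing safeguards")
    # "If possible" items: retention period or criteria, and security measures.
    if not (activity.get("retention_period") or activity.get("retention_criteria")):
        warnings.append("no retention period or criteria for determining it")
    if not activity.get("security_measures"):
        warnings.append("no description of technical and organisational measures")
    return {"errors": errors, "warnings": warnings}


def validate_register(register: List[Dict]) -> Dict[str, Dict[str, List[str]]]:
    """Validate every activity, keyed by its name (or position if unnamed)."""
    return {a.get("name", f"activity-{i}"): validate_activity(a)
            for i, a in enumerate(register)}


# Constructed sample register: one complete entry and one with gaps.
SAMPLE_REGISTER = [
    {
        "name": "newsletter",
        "controller": "Example AG, Zurich (contact: privacy@example.invalid)",
        "purpose": "sending the monthly newsletter to subscribers",
        "data_subject_categories": ["newsletter subscribers"],
        "personal_data_categories": ["name", "email address"],
        "recipient_categories": ["email delivery provider"],
        "transfers_abroad": [{"country": "DE", "safeguards": "contractual safeguards (placeholder)"}],
        "retention_period": "until consent is withdrawn",
        "security_measures": "TLS in transit, encryption at rest, role-based access",
    },
    {
        "name": "support-tickets",
        "controller": "Example AG, Zurich",
        "purpose": "handling customer support requests",
        "data_subject_categories": ["customers"],
        "personal_data_categories": ["name", "email address", "ticket text"],
        "recipient_categories": [],                 # error: nothing recorded
        "transfers_abroad": [{"country": "US"}],     # error: no safeguards recorded
        # no retention information and no security measures: two warnings
    },
]


if __name__ == "__main__":
    for name, result in validate_register(SAMPLE_REGISTER).items():
        print(name, result)
```

Running the check regularly (for instance in the same pipeline that deploys a new data flow) keeps the register from drifting out of date, which is the failure mode that makes a request hard to answer within a reasonable time.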
Assign representatives
Companies that are based outside of Switzerland but still possess or process the data of Swiss individuals must assign a representative based in the country. Businesses that do not will be liable for a fine and an order to delete personal information.
Ensure all electronic communications are treated with a high degree of confidentiality
Listening to, intercepting, scanning and storing text messages, emails and voice calls is not permitted without the user’s consent. The principle applies to current and future means of communication – including all devices connected to the Internet of Things.
Ask for consent at all touchpoints
User consent is required to assess, access or process any data on private devices. This means websites that use cookies or other technologies that access information stored on private devices must explicitly ask for consent to do so and provide information about the reason.
Prepare for the future of privacy
The FADP is not the only new privacy measure coming into effect. Countries around the world are beginning to take the data privacy of their citizens seriously and are imposing large fines and measures to counter companies that do not protect consumer privacy. It is better to get ahead of the trend and begin implementing privacy protection for your own business processes now rather than later.
One of the best ways to protect yourself and your customers is to ensure your policies are up to date and ready for the new influx of data protection regulations and laws. If you want to keep informed on what you need to do, the best and safest practices for digital business and the most effective way to digitally market your business, contact Demodia.
Demodia has helped hundreds of businesses and individuals survive and thrive online by providing them with the insights, guidance and support they need for success. As a digital marketing consultancy with decades’ worth of experience, Demodia should be your first and only choice for digital marketing and online business guidance.