Navigating the New Swiss Data Protection Act: A Checklist for Compliance and Key Differences between the Swiss regulation and the GDPR
In the ever-evolving landscape of data protection regulations, Swiss companies are bracing themselves for a significant milestone – the implementation of the new Swiss Data Protection Act (revFADP). As of September 1st, 2023, businesses operating in Switzerland must ensure compliance with the new rules. While the revFADP draws inspiration from the Council of Europe’s Modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data (Convention 108+) and is aligned with the General Data Protection Regulation (GDPR), it introduces important changes that require attention. In this article, we give an overview to help your business adapt to the new requirements and understand the key distinctions between the revFADP and the GDPR.
Key Changes in Swiss Data Protection Regulation
What is covered?
The revFADP governs the processing of data of natural persons (legal persons have been excluded) and applies to processing activities that may have an ‘effect’ in Switzerland, even when they occur abroad.
New definitions
The revFADP introduces some new or updated definitions, as follows:
- it adopts a similar definition of data processor as in the GDPR;
- the scope of special categories of personal data now explicitly includes biometric and genetic data;
- the definition of a data security breach was added and is aligned with the GDPR definition of a personal data breach; and
- ‘high-risk profiling’ is defined separately to cover profiling that carries a high risk for the personality or fundamental rights of the data subject.
Transparency
Data controllers are required to inform individuals of any data processing. The current regulation provides that only profiling and processing of the special categories of personal data trigger the obligation to provide information to the data subjects concerned. In addition, any data security breaches must be reported to the supervisory authority.
Data Protection Impact Assessment (DPIA)
Although already known under the GDPR, the DPIA is now mandatory if a processing activity potentially poses a high risk to the rights of the people whose data is processed – for instance, in the case of large-scale processing of sensitive personal data or systematic surveillance of large public spaces.
The DPIA is to assess the risks of the processing activities and should be discussed with the supervisory authority. Private data controllers can review and discuss DPIAs with their data protection advisors (see more below).
Data Protection Advisor
Private businesses can appoint a data protection advisor (DPA). This has a major benefit: if companies choose to appoint a sufficiently independent DPA, they can rely solely on internal advice without the need to consult the supervisory authority in specific situations, such as when conducting a DPIA. While the appointment of a DPA is not mandatory, companies should consider this possibility and evaluate its advantages and disadvantages.
Swiss Representative
Where data processing relates to individuals in Switzerland, data controllers that do not have a local office or branch must appoint a Swiss Representative if they offer goods or services on the local market, process personal data systematically or on a large scale, or if their processing activities are of high risk to the fundamental rights of individuals.
Records of Processing Activities (ROPAs)
Another requirement is to maintain records of processing activities. Data controllers and processors must keep such records, unless (i) they employ fewer than 250 employees; and (ii) the processing activities pose a low risk to the personality and fundamental rights of the affected individuals. The ROPAs must detail the processing purpose, type of processed data, and data recipients.
Cross-border data transfers
Data transfer to foreign countries is only permitted if sufficient safeguards are in place to ensure an adequate level of data protection. The Federal Council regularly publishes a list of countries that guarantee sufficient data protection, which undergoes periodic reviews.
If a country is not listed, data transfers can still occur if alternative measures are taken to ensure sufficient protection, such as implementing standard contractual clauses (the EU standard contractual clauses may be used with Swiss-specific amendments). When data is transferred abroad, it is also recommended to include a list of these countries in the privacy notice. Finally, reviewing data processing agreements with external suppliers is also advisable to ensure they are aligned with the updated requirements.
Data security breaches
It is now mandatory to report personal data breaches to the supervisory authority. All incidents must be documented, and a thorough assessment must be conducted to determine whether the breach poses a high risk to the individuals affected. This represents a change from the GDPR, as even minor risks must be reported and notification must be sent as soon as possible.
Other changes
The revFADP introduces additional changes, such as privacy by default and privacy by design requirements, the data subject’s right to data portability, the data subject’s explicit consent for profiling and processing special categories of personal data, and the authorization of sub-processing. These concepts, however, are already defined in the GDPR.
revFADP vs. GDPR
Despite the similarities between revFADP and GDPR, there are several important differences. Check out the table below to understand how the laws differ in more detail.
| | revFADP | GDPR |
|---|---|---|
| Legal basis | Generally, private persons do not need to have a legal basis to process personal data. | Personal data processing is prohibited unless there is a legal basis for such processing. |
| Data Protection Officer (DPO) | Designating a Data Protection Advisor is not mandatory, but it is recommended. | Mandatory in accordance with article 37. |
| Data Protection Impact Assessment | Private persons may consult with the supervisory authority OR their Data Protection Advisor in case of high risk. | Obligatory consultation with the supervisory authority in case of high risk. |
| Cross-border data transfers | Based on adequacy decisions of the Federal Council. Additional instruments: standard contractual clauses (amended for Switzerland) and binding corporate rules of the EU may apply. Additional exception: conclusion or performance of a contract between the data controller and a third party in the interest of the data subject. | Based on adequacy decisions of the European Commission. Additional instruments: standard contractual clauses and binding corporate rules. |
| Data breach notification | As soon as possible. | Within 72 hours. |
| Sanctions | For private persons, up to CHF 250,000. | Up to EUR 20 million or 4% of the company’s worldwide annual revenue. |
How can Logan & Partners help?
While companies operating in Switzerland that are already GDPR compliant may have a head start, additional considerations are needed to align with the revFADP. Those that have yet to implement GDPR requirements must act even more rapidly to ensure compliance with the revFADP before the September 1, 2023 deadline. There is no grace period for companies to bring their data processing practices in line with the revFADP, so companies must comply with the data protection obligations within the next three months to avoid potential sanctions.
“Founded in 2010, Logan & Partners is a law firm focusing on Technology Law that delivers legal services like your in-house counsel.
Our team consists of experienced Technology Lawyers, who have all previously worked for highly reputable law firms and possess strong in-house experience, gained by working with local and international companies in Switzerland, the UK and the USA.”