New Swiss Data Protection Act: Changes under the new FADP

In contrast to the GDPR, the processing of personal data is generally permitted under the FADP. However, this principle is severely restricted, since according to Art. 30 FADP, processing must not constitute an unlawful violation of personality.

A violation of personality rights occurs if the principles of data protection law according to Art. 6 FADP are not observed in the processing, whereby these principles are similar to the principles of GDPR. The violation is unlawful if no exceptional circumstances apply, such as the existence of consent or an overriding interest. As a result, processing operations that are lawful under the GDPR should also be lawful under the new GDPR.

Just as the GDPR knows "special categories" of personal data, Art. 5 lit. c FDAP also enshrines “sensitive" personal data. It should be noted that the definitions are not identical. Thus, in deviation from the GDPR, data on social assistance measures and data on administrative and criminal prosecutions or sanctions are also subject to sensitive data.

Locally, the FADP applies to data protection matters that (only) have an effect in Switzerland, i.e. also if they are initiated abroad (Art. 3 (1) FADP). Accordingly, for example, EU companies that process data of Swiss citizens must also comply with the FADP.

The FADP applies to the processing of data of natural persons. While the old FADP also covered the processing of data of legal persons, an alignment with the GDPR is apparent in this respect.

Another new aspect is that there are now information obligations towards data subjects from the time the data is collected. In contrast to the previous version of the FADP, these obligations apply regardless of whether the data is sensitive personal data or whether the processor is a federal body. Which information exactly is covered by the information obligations is not conclusively regulated, in contrast to the GDPR. Rather, it is based on the open concept of "necessity". However, Art. 19 FADP contains some minimum information, although this is less extensive than that of the GDPR.

A fundamental innovation in the FADP is the introduction of a inventory of processing activities. For the first time in Switzerland, it is now necessary to list all data processing activities in an inventory. At the same time, the previous obligation of the owner of data collections to register his collections with the Federal Data Protection and Information Commissioner (FDPIC) no longer applies. The inventory is intended to provide a continuously updated overview of all data processing activities of the respective company. The information that must be included in the directory as a minimum is listed in Art. 12 (2) FADP. However, companies that have fewer than 250 employees and whose data processing activities pose only a low risk to the rights of the data subjects are exempt from the obligation to maintain the directory.

The requirements for processing (on behalf), which is equivalent to processing pursuant to Art. 28 GDPR, are still lower under the FDAP than under the GDPR: A contract for processing is not mandatory, but the controller must ensure in advance that the processor is able to guar-antee data security and that the data is only processed in the form permitted by the controller. Similar to the GDPR, sub-processors may now only be used with the approval of the controller.

If a data processing operation may involve a high risk to the personality or fundamental rights of data subjects, a data protection impact assessment must be carried out.
Accordingly, the risks of the processing must be determined and assessed and, if necessary, risk-minimizing countermeasures must be specified, implemented and documented. If the assessment shows that a residual risk remains despite risk-minimizing measures, the FDPIC must be consulted.

If a decision is based exclusively on automated processing and if this has legal implications for the data subject, the data subject shall be informed of this by the controller. In addition, the person may request that the decision be reviewed by a natural person.

Consent for the processing of personal data is still not required for profiling, unless a high risk is assigned to the type of profiling.

The data subject rights of the FADP are the same as those of the GDPR. Therefore, there is a right to information, correction and deletion, rights of objection as well as a right to data disclosure and transfer. The scope of information will possibly be greater than that enshrined in the GDPR, in that data subjects should receive the information required under the GDPR to assert their rights and to ensure transparent data processing. What information may be necessary to establish transparency is nevertheless not explicitly regulated.

Data security breaches must be reported to the FDPIC as soon as possible. Under certain circumstances, there is also a duty to inform the data subject. To ensure this, controllers must establish functioning processes within the company. If a data protection incident appears possible, there are duties to investigate, inform and mitigate damages. In contrast to the GDPR, however, no strict (72-hour) deadline applies. Rather, the law speaks of notification "as soon as possible". Also in contrast to the GDPR, notification is only required in the event of an identified high risk to the personality or fundamental rights of the data subject.

Similar to the GDPR, the principles of "privacy by design" and "privacy by default" are enshrined in law for the first time. Accordingly, data processing must be designed in such a way that data protection principles are observed, and default settings must be made that limit data processing to the extent necessary to fulfill the purpose of the data processing.

In addition, controllers and processors must implement suitable technical and organizational measures for the purpose of data security, whereby the measures are specified in Art. 3 FADP and are aligned overall with the GDPR.

Foreign companies that have customers in Switzerland or monitor Swiss users must appoint a representative in Switzerland if they carry out extensive and regular operations with a high risk for the data subjects. How far this obligation will extend remains to be seen in the wake of the open wording of Art. 14 FDAP. However, based on the character of an exception, a restrictive interpretation seems preferable, so that the appointment of a representative will only be necessary in exceptional cases.

Transfers abroad ("Cross-Border Disclosure of Personal Data") are possible if the Federal Council has determined that the recipient country has an adequate level of protection. If this is not the case, standard data protection clauses or own contractual clauses previously approved by the FDPIC, specific guarantees or Binding Corporate Rules can be used. SCCs are available here.

The sanctions are not linked to the responsible company as in the GDPR, but to the responsible natural person. Fines of up to CHF 250,000 can be imposed.

Finally, there is the possibility (not the obligation) to appoint a data protection advisor whose role is similar to that of the data protection officer within the meaning of the GDPR. The appointment facilitates high-risk data processing: instead of the FDPIC, the data protection advisor can be consulted and appropriate measures to compensate for the high risks can be requested with him/her.

In summary, Switzerland's new data protection law enshrines largely parallel, in some places more lenient requirements for the handling of personal data compared to the GDPR. In principle, it can therefore be assumed that companies that comply with the GDPR will also be able to meet the requirements of the FDPA. Nevertheless, it is necessary to address the special features of the GDPR in some places and to review any need for implementation in this regard.