The New Swiss Federal Act on Data Protection
The European General Data Protection Regulation (GDPR) entered into effect five years ago on 25 May 2018. Data protection is a hot topic across the globe, with important unsettled questions, such as transfers of personal data from Europe to other jurisdictions. Just recently, Meta was fined a record €1.2bn ($1.3bn) by European privacy regulators over the transfer of EU user data to the United States. Countries worldwide are enacting or amending their data protection regulations, from post-Brexit Britain to Ecuador, Argentina and Chile.
On 1 September 2023, Switzerland is enacting its New Federal Act on Data Protection (nFADP) with immediate effect.
The nFADP will not only be relevant to Swiss resident businesses, as it will apply to the processing of personal data with an actual or potential adverse effect on the privacy rights of individuals in Switzerland, even if that processing is initiated outside of Switzerland. It substantially revises the Swiss data protection law of 1992 by responding to the fundamental changes in the technological and social landscape of recent years, strengthening the rights of consumers, granting them stronger self-determination in relation to their data, and aligning Swiss law with the GDPR. This will allow Switzerland to be recognized as a third country with an adequate level of data protection, allowing free data transfer between Switzerland and Europe and helping Swiss companies to remain competitive.
The main changes introduced by the nFADP are as follows:
- personal data of legal persons will no longer be protected by the new law;
- genetic and biometric data are added to the definition of sensitive data;
- the principles of privacy by design and privacy by default are introduced;
- keeping a register of processing activities (ROPA) will be mandatory in some instances;
- prompt notification to the supervisory authority will be required in some events of a data security breach;
- the concept of profiling is being introduced.
The nFADP, its Ordinance and the Swiss Telecommunications Act (with cookie-related information obligations) apply to the processing of personal data by businesses and natural persons in all sectors of the economy (but not in the context of personal household uses). This article does not cover the requirements applicable to federal bodies.
The nFADP brings data protection standards close to the GDPR, with some notable differences (amongst others) as follows:
- A legal basis (such as consent, a contract, a law etc.) is required under the GDPR for any processing, in addition to the principles of fairness, transparency, purpose limitation, proportionality, accuracy and data security, whereas under the nFADP a legal basis is only required when processing sensitive data or to justify an infringement of personality rights.
- Sensitive data under the nFADP include two categories that the GDPR does not cover as sensitive data per se: data on administrative or criminal proceedings and sanctions, and data on social security measures.
- Consent is required for any profiling under the GDPR but only in case of high risk profiling under the nFADP.
- The designation of a DPO (data protection officer) is mandatory in some instances under the GDPR, whereas it is not mandatory (but recommended) under the nFADP.
- The notification time for a data breach is 72 hours under the GDPR and as soon as possible under the nFADP.
- Conducting a data protection impact assessment (DPIA) is mandatory under both the GDPR and the nFADP when processing poses a high risk to the rights and freedoms of individuals. Under the GDPR, the supervisory authority must be consulted where a high risk remains despite the measures taken to mitigate it; under the nFADP, that consultation is only required where a high risk remains despite the measures envisaged, and it can be replaced by consultation of the DPO (if there is one).
- Sanctions go up to EUR 20mn or 4% of the company’s worldwide annual revenue under the GDPR in Europe, and up to CHF 250’000 against the responsible private person under the nFADP.
In addition to data protection laws, each industry, financial institutions included, may have additional sets of rules with data protection implications.
Banks are subject to the regulations of the Swiss Financial Market Supervisory Authority (FINMA) on client data (i.e. the FINMA OpRisk Circular 2008/21 Annex 3, with detailed measures with respect to the storing, processing and transferring of electronic Card Identification Numbers), to Know-Your-Customer duties and record-keeping obligations, and, in tax matters, to the Automatic Exchange of Information and the Foreign Account Tax Compliance Act. Banks (including fintech licensees) are subject to banking secrecy according to the Banking Act.
Financial institutions (i.e. asset managers, trustees, managers of collective assets, fund management companies and securities firms) are also subject to a professional secrecy obligation under the Swiss Financial Institutions Act. Under the Financial Services Act, customers are entitled to receive a copy of all documents that the financial services provider holds about them; this corresponds to the right of access under the nFADP, which governs the right to information and therefore also the duty to provide information with regard to personal data.
The Swiss Civil Code, Criminal Code, Constitution and labour law also have provisions protecting personality and privacy rights.
If your firm is already GDPR compliant, you should have only a little work to do to be compliant with the nFADP. On the other hand, if your firm does not yet comply with the GDPR and your activity has an impact on the personal data of data subjects in Switzerland, whether you are based in Switzerland or abroad, you will need to run a data mapping and data processing analysis in order to implement and comply with the new law.
Sandra Ezri is Founder at Ezri Consulting Ltd
© The Sortino Group Ltd
All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or scanning or otherwise, except under the terms of the Copyright, Designs and Patents Act 1988 or under the terms of a licence issued by the Copyright Licensing Agency or other Reprographic Rights Organisation, without the written permission of the publisher.