The Swiss Federal Act on Data Protection of 1992 will be replaced with a new Data Protection Act, which has similar but also stricter rules in comparison with the General Data Protection Regulation (GDPR). The Revised Federal Data Protection Act (revFADP) comes into force on September 1, 2023, and there is no grace period for companies to become compliant. We will summarize the main rules brought by the revFADP that you and your business need to be aware of. The revFADP allows for a “risk-based approach,” requiring organisations to assess and mitigate potential adverse impacts of their data processing on individuals.

The definition of sensitive data will be extended to include genetic and biometric information that identifies a natural person. The revFADP generally requires consent for the processing of sensitive data, unlike the EU General Data Protection Regulation (GDPR), which provides a range of lawful bases for the processing of “special category data”.

The role and importance of an independent DPO were emphasized by the Swiss Federal Data Protection and Information Commission (FDPIC). It also recommends that the DPO speaks at least one of the languages spoken in Switzerland (French, German, Italian, and Romansh).

All data breaches shall now be documented. When a breach is likely to result in high risks, the controller shall report it to the FDPIC as soon as possible. Data subjects shall be notified by the controller only when the breach poses an “imminent danger” to them.

The revFADP fines responsible private persons up to CHF 250,000 (approximately 256,000 euros) for intentional or negligent acts. Breaches of the duty to provide information, as well as violations of professional confidentiality, are fined upon complaint. Criminal sanctions can be imposed for intentional violations.

Records of Swiss Processing Activities will be required for both controllers and processors, except in certain circumstances. Furthermore, the revFADP now contains a legal definition of “profiling” that corresponds to the GDPR, and it requires the explicit consent of the data subject for high-risk profiling.

Regarding data transfers, Swiss-specific SCCs are expected to be issued for Swiss-only transfers. Nevertheless, the appropriate mechanisms to transfer personal data to and/or from Switzerland are the EU Standard Contractual Clauses (EU SCCs) and approved Binding Corporate Rules until further notice.

How can HewardMills help you?

With the introduction of the revised Federal Data Protection Act (revFADP) that will come into force in September 2023, non-compliant practices will result in more severe repressive measures for companies operating in or for Switzerland. The Swiss FDPIC emphasized the importance of having an independent DPO, preferably with Swiss language knowledge. Luckily, at HewardMills, we are not only well-equipped to assist with all DPO registrations and appointments across the globe, but we also have a diverse team with a wide range of language capabilities.

If you are interested in how this Swiss legislation affects your business, or to get guidance on how to ensure that you have processes in place to cater to the requirements of the regulation, HewardMills will be at your disposal to help you to prepare for the regulatory landscape.

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.