The Essentials of Switzerland’s Digital Law. Part 3: The Swiss Federal Act on Data Protection

Data protection is a cornerstone of business operations in today’s digital age. Compliance with Switzerland’s Federal Act on Data Protection (FADP) is crucial for businesses. The FADP sets the framework for handling personal data and ensuring privacy. Small companies without in-house legal teams must ensure their practices are compliant. Legal professionals can advise and guide companies through the legal landscape of data protection. Online marketing companies must balance effective marketing strategies with the stringent requirements of data protection laws. Understanding the FADP is essential for their operation.

Enactment of the FADP

The Federal Parliament enacted the FADP in 1992 when commercial Internet use had not commenced, and the digital landscape we navigate today was beyond anticipation. Today, digital tools play a central role in both professional and private spheres, offering advancements while posing threats to individual freedoms and rights, mainly due to the increasing demand for personal data. The Federal Office of Justice (FOJ) reviewed the Federal Act of Data Protection (FADP) of 1992 in response to these challenges and the fast-paced evolution of technology. This evaluation resulted in a report which was approved by the Federal Council. The Federal Council drafted a comprehensive revision of the 1992 Act for consultation in 2017. Considering the Federal Council’s dispatch and based on the Federal Constitution, the Federal Parliament adopted the Swiss Federal Act on Data Protection (FADP), which came into force in September 2023, replacing the previous 1992 Act. The amendment enhances data protection and aligns with the EU General Data Protection Regulation (GDPR) standards. This revision aims to simplify the adherence of Swiss companies to the GDPR provisions relevant to controllers or processors outside the EU. Additionally, it seeks to maintain the EU’s recognition of Switzerland as a jurisdiction offering adequate data protection.

The Purpose and Scope of Application of the FADP

The Federal Act on Data Protection (FADP) aims to protect individuals’ privacy in processing their personal data. It sets out the rules that companies, organizations, and government bodies must follow when collecting, processing, and storing personal data. The FADP applies to all individuals and organizations who process personal data in Switzerland, regardless of whether they are based in Switzerland. It also applies to individuals and organizations who process personal data on behalf of other parties.

Furthermore, the FADP mandates that private entities based outside Switzerland appoint a representative within the country if they handle the personal data of individuals in Switzerland and if the data processing meets all these criteria: it is related to the provision of goods or services in Switzerland or to observing the behavior of individuals within Switzerland; the processing is large-scale; the processing occurs regularly; and the processing poses a significant risk to the privacy of the individuals involved.

Definitions Under Art. 5 of the FADP

Personal data is any information about an identified or identifiable natural person. In contrast to the 1992 version, the FADP no longer covers personal data related to legal persons.

A data subject refers to a natural person whose personal data undergoes processing.

Processing means handling personal data, irrespective of the means and procedures used, such as the collection, storage, keeping, use, modification, disclosure, archiving, deletion, or destruction of data.

Sensitive personal data is defined as data relating to religious, philosophical, political, or trade union-related views or activities; data relating to health, the intimate sphere, or the affiliation to a race or ethnicity; genetic data; biometric data that uniquely identifies a natural person; data relating to administrative and criminal proceedings or sanctions; data relating to social assistance measures.

Profiling means any form of automated processing of personal data that involves using such data to evaluate certain personal aspects relating to a natural person to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

High-risk profiling means profiling that poses a substantial risk to the data subject’s personality or fundamental rights by matching data that allows an assessment of essential aspects of a natural person’s personality.

Breach of data security means any breach that leads to the accidental or unlawful loss, deletion, destruction, modification, or unauthorized disclosure of or access to personal data.

A controller is a private person or a federal body that, alone or jointly with others, determines the purpose and the means of processing personal data.

A processor is a private person or federal body that processes personal data on behalf of the controller.

Principles of Data Processing

The Federal Data Protection Act (FDPA) lays out fundamental principles for the proper management of personal data; they include:

  • Lawfulness and Good Faith: Data processing should be lawful and done in good faith. Businesses must have a legitimate purpose for processing personal data and be transparent with individuals about their data usage.
  • Purpose Limitation: Personal data can only be processed for the specified purpose at the time of collection, and this purpose must be evident to the data subject.
  • Proportionality: The processing of personal data must be necessary and proportional to the purpose for which the processor or controller collects. This means businesses should not collect more data than they need and should only retain it for as long as necessary to satisfy the specified purpose.
  • Data Security: Adequate technical and organizational measures must be taken to ensure the security of personal data, protecting it from unauthorized access, alteration, or disclosure.

Additionally, the FADP mandates that controllers adhere to specific obligations, including the obligation to notify the data subject about gathering personal data, like the GDPR requirements. However, the FADP extends beyond the GDPR by demanding the disclosure of all countries to which personal data is transferred or accessed and providing additional relevant information. In certain situations, an obligation is to inform the data subject regarding decisions made entirely through automated processing that carry legal ramifications or affect the data subject (automated individual choices).

Rights of Individuals (Data Subjects)

The FADP ensures that your privacy is not compromised and your personal data is kept confidential. It gives you the power to control the information you share and how it is used. By following the FADP guidelines, organizations are required to obtain your consent before using your personal data for any purpose. This means you can rest assured that your sensitive information is safe. The FDPA grants rights to individuals concerning their data, including:

  • Right to Information: Individuals have the right to be informed about collecting and using their data.
  • Right to Access: Individuals can request access to their data to understand what information is being processed and for what purpose.
  • Right to Rectification: If personal data is inaccurate or incomplete, individuals have the right to correct it.
  • Right to Erasure: Under certain conditions, individuals can request the deletion of their data.
  • Right to Object: Individuals can object to processing their data for specific purposes, including direct marketing.

Breach Notification and Enforcement

The FADP outlines three distinct obligations for notifying parties in the case of a data security breach:

  1. The controller must promptly inform the Federal Data Protection and Information Commissioner (FDPIC) about any data security breach that could significantly risk the data subject’s privacy or fundamental rights.
  2. The controller must notify the impacted individuals of any data security breach if it is necessary for their protection or if requested by the FDPIC.
  3. The processor shall notify the controller of any data security breach immediately. The FADP does not provide for a threshold in this respect. Therefore, a notification is required regardless of the specific risk involved.

The FDPIC has the authority to commence an investigation against a federal entity or an individual if there is ample evidence suggesting a potential breach of data protection laws. Should it be found that data protection regulations have been breached, the FDPIC can implement administrative actions. For example, it may mandate the alteration, halting, or cessation of data processing activities, order the erasure of personal data, or delay or forbid international data transfer.

Under the FADP, individuals can face criminal charges and penalties of up to CHF 250,000. These penalties are aimed at the accountable persons rather than the companies themselves, contrasting with the GDPR’s approach. The appropriate cantonal prosecuting body must launch criminal actions. Additionally, within the framework of Swiss civil law, the data subject has the right to seek injunctive relief and may pursue claims for damages, satisfaction, and the relinquishment of profits derived from violating their privacy.

 Data Protection Best Practices

For online marketing companies and departments, adapting to the FDPA’s requirements means reevaluating and often modifying how you handle customer data. While this may present challenges, it also offers an opportunity to differentiate yourself by demonstrating a solid commitment to privacy and data protection, ultimately fostering greater customer trust. To comply with the FDPA while engaging in online marketing, businesses should adopt the following best practices:

  • Privacy by Design: Incorporate data protection measures from the initial design phase of your marketing campaigns and systems. This approach ensures that privacy and data protection are considered at all stages of development.
  • Regular Audits and Assessments: Conduct regular audits of marketing practices and data processing activities to ensure ongoing compliance with the FADP. This includes reviewing consent mechanisms, data storage practices, and the overall effectiveness of data protection measures.
  • Data Protection Training: Educate your marketing team about the importance of data protection and the specific requirements of the FADP. A well-informed team is crucial for maintaining compliance and protecting customer data.
  • Secure Data Storage and Transfer: Implement secure methods for storing and transferring personal data, using encryption and other security measures to protect against data breaches and unauthorized access.
  • Anonymization and Pseudonymization: When possible, anonymization or pseudonymization reduces the risks associated with processing personal data. This can be particularly useful in analyzing marketing data and trends without compromising individual privacy.

Small businesses might find the FADP’s compliance requirements daunting, particularly those without dedicated legal or compliance teams. However, it is also an opportunity to build customer trust by demonstrating a commitment to protecting their data. Compliance not only avoids potential penalties but also positions a business as responsible and trustworthy in the eyes of its customers. Here are some specific considerations and strategies that can help:

  • Simplification and Focus: Small businesses should focus on the core data they need for their operations, simplifying data processing activities to minimize compliance complexity.
  • Utilizing Templates and Tools: Various organizations and regulatory bodies offer templates and tools for compliance, such as data processing agreements and privacy policy templates, which can be customized for the business’s needs.
  • Seeking Professional Advice: While hiring an in-house legal team might not be feasible, small businesses can seek advice from external legal professionals or consultants specializing in data protection laws to ensure compliance.
  • Employee Training: Educating employees about the importance of data protection and the basics of the FADP can go a long way in preventing data breaches and ensuring compliance.

Take-Home Message

The Federal Act on Data Protection (FADP) emphasizes the crucial role of data protection in today’s business landscape, especially as digital platforms become central to marketing, sales, and customer engagement. Businesses operating in or with Switzerland must understand and comply with the FADP to protect individual privacy and ensure the security of personal data. This legislation, updated to address modern digital challenges and align with EU GDPR standards, applies broadly to entities that process the personal data of individuals within Switzerland, regardless of the business’s location.

Key points include that businesses, particularly small ones and online marketing companies, must adapt their practices to meet FADP requirements. This involves incorporating privacy by design, conducting regular data protection audits, and training employees on data security. Compliance with the FADP helps avoid legal penalties and builds customer trust by demonstrating a commitment to protecting personal information.

For small businesses without in-house legal teams, focusing on essential data processing activities, utilizing compliance tools and templates, and seeking professional advice to navigate the complexities of the FADP warrants consideration. Online marketing companies face specific challenges under the FADP and must balance effective marketing with stringent data protection laws.

In conclusion, the FADP sets a high standard for data protection, requiring ongoing vigilance, adaptation, and a commitment to privacy principles. Compliance offers benefits beyond avoiding penalties, such as enhancing customer trust and securing a competitive advantage in the data-driven marketplace.

References:

SR 235.1 – Federal Act of 25 September 2020 on D… | Fedlex (admin.ch)

Law in Switzerland – DLA Piper Global Data Protection Laws of the World (dlapiperdataprotection.com)

New Federal Act on Data Protection (nFADP) (admin.ch)

Livio di Tria, (2020, September 28). Switzerland (finally) adopts a new Federal Data Protection Act – Chronology of a breathless legal-political saga – swissprivacy.law

Please also see Part 2:  

And please follow me in: 

                

wakikomb

Dear Readers, I am Mwanarusi Kikombe from Kenya, residing in Switzerland for quite a while now. Holding a bachelor’s degree in law, I am currently pursuing a master's degree in business administration, focusing on Online Business and Marketing. Having a deep passion for both Law and Business I am delighted to share with you the essentials of Switzerland Digital Law, enlightening how businesses, consumers, online marketers, and legal professionals may navigate through these provisions. Thank you for accompanying me through this digital legal landscape.

View all posts by wakikomb →

5 thoughts on “The Essentials of Switzerland’s Digital Law. Part 3: The Swiss Federal Act on Data Protection

  1. Mwanarusi, your articles are very informative. Indeed it is true that business people are keen on data privacy and they will be more comfortable when they are assured of data security. Thank you once again

  2. Mwanarusi, your articles are very informative. Indeed every business people are keen on data security and will comfotable doing business in a secure digital platform. So its very true that most people doing business on digital space will participate when they are assured of information and data safety and security. Hence digital law to regulate this is key. Thank you once again

  3. This is a very helpful article. The knowledge of Data protection is very essential in today’s world. People click “ok” and allow companies and businesses to access their personal data without knowing the impact of it. Companies need to comply and strictly abide by the rules in order to avoid misusing of information.

    1. Thank you Tima, It is very true, data-driven technologies have brought both opportunities and
      challenges. If it is left unchecked, personal and sensitive data can be easily misused.

Leave a Reply

Your email address will not be published. Required fields are marked *