Switzerland’s new Federal Act on Data Protection (FADP or nFADP) is a privacy law that controls how the personal data of its residents can be used.
Effective date: September 1, 2023
Official text: Bundesgesetz über den Datenschutz (in German)
What is FADP?
The new FADP (nFADP) is a significant legislative development in Switzerland aimed at enhancing the safeguarding of citizens’ personal data. Passed during the fall session of Parliament in 2020, this law introduces comprehensive improvements to the management of personal information and grants certain rights to Swiss individuals concerning their data privacy.
The first FADP was established in 1992. Since then, there have been many technological advancements, leading to challenges in data protection. A comprehensive revision of the law became imperative, diverging from partial updates in 2009 and 2019.
One of the pivotal aspects of the nFADP is its alignment with European regulations, particularly the European General Data Protection Regulation (GDPR). This synchronization is essential not only to ensure the harmonization of Swiss law with European standards but also to maintain the unhindered flow of data between Switzerland and the European Union (EU).
The Federal Data Protection and Information Commissioner (FDPIC) oversees federal data protection compliance but does not supervise certain exempted federal bodies like the legislature, executive, courts, or criminal prosecution authorities when processing data for judicial activities.
What is personal data under FADP?
Personal data under FADP includes any information about a person that can identify them, e.g., full name, address, phone number, social security number, etc.
Another category of personal data called sensitive personal data includes details about a person’s beliefs, health, race, biometrics, criminal records, and social assistance measures.
Who does FADP apply to?
The FADP applies to data controllers and processors who are:
- Private persons (individuals and companies) that process personal data
- Federal bodies that process personal data
It does not apply to:
- Personal data processed for purely personal use
- Data processing by Parliament and parliamentary commissions
- Data processing with immunity from jurisdiction in Switzerland
- Court proceedings and federal procedural laws
- Public registers with special regulations
Where does FADP apply?
FADP applies to private individuals and federal bodies processing the personal data of people in Switzerland even if they are processed outside the country.
What are the main principles of FADP?
The principles of FADP for processing personal data are:
- Lawful processing: Personal data must be processed in accordance with the law.
- Good faith and proportionality: Processing must be carried out in good faith and in a proportionate manner.
- Specific purpose: Personal data may only be collected for a specific, identifiable purpose, and processing must be compatible with this purpose.
- Data retention: Personal data should be destroyed or anonymized when it is no longer needed for processing.
- Data accuracy: Those processing personal data must ensure its accuracy and take appropriate measures to rectify, erase, or destroy inaccurate or incomplete data.
- Voluntary consent: If consent is required, it must be given voluntarily after receiving appropriate information, and it should be specific to the processing activities.
- Express consent: Express consent is required for the processing of sensitive personal data, high-risk profiling by private individuals, or profiling by a federal body.
What are data subject rights under FADP?
Right to information
Under the FADP in Switzerland, individuals have the right to request information about their personal data being processed. They should be provided with necessary details, including the data controller’s identity, processed data, purpose, retention period, data origin, recipients, and more. This right cannot be waived, and the information must be given free of charge within 30 days, except in cases of disproportionate effort.
Health data can be disclosed to the users with their consent through a designated healthcare professional.
Media can limit access to personal data if it reveals sources, exposes unfinished drafts, or jeopardizes public opinions. They can also refuse if the data is used solely for their personal work.
Right to access
Individuals can ask for their personal data in electronic format if it is processed automatically with their consent or in connection with a contract.
Right to transfer data
Individuals can also request data transfer to another controller without undue effort, free of charge unless exceptions apply.
The right to information or to transfer information can be restricted or denied in certain situations, including when there are legal provisions for confidentiality, it interferes with others’ rights or data protection, or the request is unfounded. Private individuals with valid reasons for privacy and federal bodies safeguarding security or ongoing investigations can also restrict information. Clear explanations for these restrictions must be provided.
Right to correct
Individuals do have the right to request the correction of their inaccurate personal data. However, organizations can deny the request in the following situations:
- If a specific law or regulation prohibits the correction or change of the data.
- If the personal data is being processed for archiving purposes in the public interest.
Right to delete
Individuals can request the controller to erase their personal data if the processing violates data protection provisions.
Right to object
People can object to a data controller sharing their personal data if they have a valid reason. The agency can say no if they are legally required to share the data or if not sharing it would harm their responsibilities.
Rights related to automated decision making
If a decision that significantly affects individuals is made solely through automated processing, the individual must be informed about it. They can request to express their viewpoint on the decision and ask for a human review of the automated choice. However, these rights do not apply if the decision is connected to a contract or if the individual consents to automated decisions.
What are the obligations of data controllers and processors under FADP?
Data controllers must inform individuals whose personal data they collect, even if the data isn’t obtained directly from the individual. This information includes:
- Identity and contact details of the data controller
- Purpose of data processing
- Recipients or recipient categories of the data
- Categories of processed personal data
- If data is transferred internationally, the destination and applicable safeguards
This information must be provided within one month of data collection, or before disclosure if earlier.
The obligation to provide information doesn’t apply if:
- The individual already has the information
- Legal requirements mandate the processing
- The controller is legally bound to maintain secrecy
- Providing information is impossible or disproportionately difficult
Controllers may also delay or limit information if:
- Third-party interests override
- Disclosing information contradicts the processing’s purpose
- A private controller’s interests warrant it
- Public interests demand it for federal bodies
Automated decisions: Controllers must inform individuals of automated decisions significantly impacting them. The individual can express their view and request human review. This doesn’t apply if the decision relates to a contract or if the individual consents to automation.
Data Protection Impact assessment
Controllers must conduct a data protection impact assessment before processing data that poses a high risk to individuals’ rights. This assessment evaluates risks and outlines protective measures. Some private controllers are exempt if the processing is legally mandated or certified systems are used.
Consultation with FDPIC
If a data protection impact assessment identifies significant risks, the controller must consult the Federal Data Protection and Information Commissioner (FDPIC) for advice. The FDPIC reviews the plan and can suggest suitable measures to mitigate the risks.
Reporting data breaches
Controllers must report data breaches likely to impact individuals’ rights to the FDPIC as soon as possible. This report should include breach details, consequences, and actions taken. Processors must also report breaches to controllers. Controllers inform affected individuals if necessary or as requested by the FDPIC, with specific exceptions for certain scenarios.
Privacy by design and default
Controllers must implement appropriate technical and organizational safeguards for data protection, starting in the planning phase. These measures should match technological advancements, processing types, and risks to rights and freedoms. Controllers must also use privacy-friendly default settings to minimize unnecessary data processing. Essential duties include integrating security measures into processes from the beginning and employing privacy-enhancing default settings to limit excessive data processing. This ensures that data protection principles are ingrained through technology and defaults.
Record of processing activities
Controllers and processors must keep a record of their processing activities. This must include the identity and contact information of the controller, the processing purposes, categories of data and recipients, retention periods, security measures, and details on international data transfers. Federal agencies must report their record to the data protection authority. Exceptions apply for small companies (fewer than 250 employees) with low-risk processing.
Cross-border data transfer
The FADP permits transferring personal data abroad to countries that ensure adequate protection. For countries without an adequacy decision, organizations can still transfer data by putting in place protections such as standard contract clauses, binding corporate rules, or specific guarantees approved by the authority. Exceptions allow transfers abroad even without protections in certain cases, including consent, contract necessity, or public interest. Controllers must notify the authority regarding transfers under specific exceptions. Publishing data publicly online does not constitute transfer abroad.
Appoint Data Protection Officer
Private controllers may appoint independent data protection advisors as contact points for people and authorities. These advisors should have expertise in data regulations. Their role is to provide guidance to controllers, assist in compliance, and help safeguard individuals’ rights. This is not a mandatory requirement but is recommended by the law.
What are the consent requirements under FADP?
The FADP requires consent from the data subject for certain types of data processing. Consent must be freely given, specific, informed, and unambiguous.
Explicit consent is required for:
- processing sensitive personal data like religious beliefs, health information, or data related to administrative/criminal proceedings,
- profiling that poses a high risk to the individuals, or
- any profiling by a federal body.
The data controller must inform the individuals about the purpose and means of data processing when asking for consent to enable transparent data processing. However, these details must be provided even when consent is not required.
There are some exceptions where consent is not required, like when processing is directly required by law or in the public interest.
What is the penalty for a violation under FADP?
The new legislation gives the FDPIC broader powers to impose tougher penalties on companies that don’t meet the new standards. However, unlike counterparts in Europe, the FDPIC can’t directly impose fines under this law. Instead, regional prosecution authorities impose fines on individuals found in violation.
The FDPIC can file grievances and participate in legal proceedings as a private plaintiff, but can’t initiate criminal complaints directly.
For data breaches, individuals can face fines of up to CHF 250,000, depending on the severity of the violation. Deliberate actions and breaches of obligations like providing information or confidentiality are punishable. However, negligence is not.
Normally the responsible individual is fined, but if identifying the specific person in a company is disproportionately difficult, the company itself can be fined up to CHF 50,000.
GDPR vs FADP [Infographic]
Checklist to comply with Switzerland FADP
- Determine if the law applies to your data processing activities.
- Process personal data lawfully, fairly, and only for specified purposes.
- Implement appropriate technical and organizational security measures.
- Inform users when collecting their data and about automated decisions affecting them.
- Allow users to access and transfer their data and respond to requests to rectify, delete or restrict processing.
- Conduct data protection impact assessments for high-risk processing activities.
- Report data breaches to authorities and affected individuals as required.
- Only transfer personal data abroad if adequate protection is contractually ensured.
- Document your data processing activities.
- Implement additional safeguards when profiling or processing sensitive data.
FAQ on Switzerland FADP
Does Switzerland have a GDPR?
No, Switzerland is not part of the European Economic Area (EEA). However, the rules of GDPR will apply to companies in Switzerland if they target users in the EU.
What is the Swiss version of the GDPR?
Switzerland has its own privacy law called the Federal Act on Data Protection, which was first passed in 1992. However, there have been many updates due to significant advancements in technology. In 2020, a new updated version was passed, which is now called the new Federal Act on Data Protection and it will come into force on September 1, 2023.