Switzerland’s Federal Act on Data Protection (FADP)

The Federal Act on Data Protection (FADP) was approved in Switzerland in fall 2020, and comes into effect September 1st, 2023 through the Data Protection Ordinance. It was originally scheduled to go into effect in the second half of 2022. 

The Federal Act on Data Protection (in German) has some differences from, but is largely compatible with the European Union’s General Data Protection Regulation (GDPR) and other European law. Ensuring flow of data with the EU and maintaining Swiss companies’ economic opportunities was a significant goal of the Act. The FADP provides Swiss citizens with new rights regarding personal data protection, and creates new requirements for companies wanting access to that data.

Scope of the Swiss Federal Act on Data Protection

The Swiss constitution provides citizens with a right to privacy, and Swiss laws regarding data protection have foundations in these civil legal protections. The new FADP is a complete overhaul of the older Swiss Data Protection Act from 1992, though smaller updates were made in 2009 and 2019. The scope of the new Swiss Data Protection Act is covered in Art. 2.

This Swiss Data Protection Act is technically the new FADP (nFADP or revised FADP) as it replaces the previous 1992 Act.

Technology has changed significantly since the 1990s and has become both more ubiquitous and more demanding for user data. Smartphones, social networking platforms, cloud-based computing systems and more have proliferated, so an update to the law was due for better protection of data privacy.

The revised FADP introduces the concept of profiling, i.e. automated processing of personal data (Art. 5 lit. f), which is a good example of a new, technology-driven concern for the law to address.

The FADP is extraterritorial, so applies to organizations outside of Switzerland if they process the data of Swiss citizens. It doesn’t matter where the company is based or their website is hosted. The Act also applies to both the public and private sectors.

In good part, the FADP is meant to ensure continued, secure data flow between Switzerland and the EU and EEA, though it is not a member of either. It does prohibit transfers of personal data from Switzerland to countries with which they do not have an adequacy agreement, i.e. countries determined not to exercise an adequate level of data protection (Art. 16). However, such transfers can still happen if consent for them has been obtained from data subjects (Art. 17).

The FADP applies to both physical and electronic data/files. It protects Swiss citizens’ rights to data privacy and against infringement via excessive access to or use of their personal information.

Under the Act (Art. 5) “processing” is defined as: “any handling of personal data, regardless of the means and procedures used, in particular the acquisition, storage, keeping, use, modification, disclosure, archiving, deletion or destruction of data”.

The FADP also refers to data “controllers”, which refers to a “private person or federal body which alone or together with others decides on the purpose and means of processing”. Controllers are the ones collecting and processing data, directing its collection and processing, and responsible for compliant handling of it.

Personal data processing can be carried out by third parties (not the controller) if legally allowed, or by contractual agreement if (Art. 9):

1. the data is processed as the data controller themself would be permitted to do; and
2. no legal or contractual obligation of secrecy prohibits the transfer.

Additionally, third parties may claim the same justification (legal basis) for data processing as the instructing party.

The FADP introduces the principles of “privacy by design” and “privacy by default” into the law. This requires companies to take into account data processing principles in the planning and design states of applications, and not just seek to secure and protect data retroactively. They also cannot use default settings, e.g. of web technologies, to obtain data subjects’ consent for more processing than is absolutely necessary.

The FADP sets out several principles regarding data processing (Art. 4):

1. personal data may only be processed lawfully
2. processing must be carried out in good faith and must be proportionate
3. processing may only be carried out for the purpose indicated at time of collection as evident from circumstances or provided by law
4. collection of personal data, and particularly the purpose of processing, must be evident to the data subject
5. data will be deleted or anonymized once it is not needed anymore for the processing purposes
6. if the data subject’s consent is required for the processing of personal data, such consent is only valid if given voluntarily upon provision of adequate information
7. in the case of processing sensitive personal data or personality profiles, consent must be given expressly

In line with many other data privacy laws, the Swiss FADP defines personal data or information as “all information relating to an identified or identifiable person”. This can include obviously identifying information, like a name or email address, but also information like IP address, particularly since it can become identifying when combined with other personal data.

The FADP defines the sensitivity of personal data (Art. 5 lit. c) to include:

1. data relating to religious, philosophical, political or trade union beliefs or activities
2. data concerning health, privacy or racial or ethnic origin
3. data on administrative and criminal prosecutions or sanctions
4. data on social security measures
5. genetic data
6. biometric data which uniquely identify a natural person

The final two types of sensitive personal data listed were added to the new FADP; the preceding four types were already included in the old Act.

Users must be asked for and provide explicit confirmation that they have been informed about, and consent to, access to and use of their sensitive personal data, for example by mouse click to check a checkbox.

The FADP is not the GDPR in Switzerland, and so there are some differences regarding legal requirements for processing data, including consent. Like most data privacy laws around the world, however, the Swiss privacy law does require notification of data subjects.

The GDPR operates on a principle of “lawfulness of processing”, requiring a legal basis, or justification, for most processing of personal data. Consent is one such legal basis.

The FADP works a bit differently in that individuals (natural persons), organizations (non-commercial entities) and businesses (commercial entities) are generally allowed to process personal data without a specific legal basis, unless the processing meets certain criteria. Consent is required for:

• processing of sensitive personal data
• processing used in high-risk profiling by a private person
• processing used for profiling by a federal body (government)
• data transfers to third countries where there is not adequate data protection

Even when processing does not require obtaining consent, the FADP does require notification of data subjects. If a legal basis is required, the controller must communicate what it is. In all of these scenarios, a consent management solution enables compliance by providing the necessary notification and collecting valid consent.

Instances where consent is required can include if the data controller seeks justification for disclosure of sensitive personal data or “personality profiles” to third parties (other controllers only), or to process the data for additional purposes or for a longer period than stated (Art. 6).

Private persons can instruct third parties to process data on their behalf, as long as no obligations of secrecy are violated. Any legal basis/justification the controller asserts can be used by those third parties (Art. 9).

In addition to consent, other legitimate justifications for data transfers to third countries include:

• data collection in connection with the conclusion of a contract
• overriding private or public interest
• the establishment, exercise or enforcement of legal claims before a court or other competent foreign authority, or
• to protect the life or physical integrity of the data subject or a third party and it is not possible to obtain the consent of the data subject within a reasonable time

The FADP is an “opt in” law, so if a legal basis is required, organizations are required to obtain users’ valid consent before or at the point of (“prior”) data collection. Data subjects must be notified before or at the point of data collection regardless of whether legal basis is required.

As with the GDPR, Swiss users’ consent must also be informed and freely given. This applies to, among other things, the use of cookies and other tracking technologies on websites that Swiss citizens may visit, if the data collection and processing meets the requirements for consent under the FADP (sensitive personal data, profiling by a government body, etc.)

Organizations need to clearly communicate the following information, e.g. in a privacy policy page on the website (Art. 8, Art. 18a) whether or not a legal basis is required. However, these criteria are also required for consent to be valid:

• identity of the data controller, whether the company or a third party
• contact details for the data controller
• identity of the data recipient and any other parties involved with the data file
• recipient country if the data will be transferred cross-border
• purpose(s) of data collection and use
• categories of data collected, if relevant
• means of data collection, if relevant
• the legal basis for processing, if needed
• users’ rights regarding their personal data under the FADP, including the right to refuse or withdraw consent

The GDPR and FADP share a number of similarities that tend to be common among data protection laws, but there are also key differences.

Private persons or federal bodies responsible for processing the personal data of individuals in Switzerland are governed by the FADP, even if they use third-party vendors for the data collection and processing, e.g. for analytics, advertising, etc.

If processing the data of users outside Switzerland, in the EU, which is fairly common, companies must also take the requirements of broader European laws like the GDPR and ePrivacy Directive (ePR) into account when processing and protecting personal data. The ePR is most relevant when using electronic communications. Companies’ responsibilities under those regulations are fairly similar to those under the FADP, though more strict on a number of fronts (like requiring consent in more circumstances).

Upon going into effect in September 2023, the FADP does not provide a grace period for businesses before enforcement begins. Compliance is required from day one. Companies that are already GDPR-compliant will have few to no adjustments to make to policies or operations to comply with the FADP.

Companies must inform data subjects about every instance of collection of personal data about the data subject, even if the data is not collected from the data subject directly. They must also maintain a register of processing activities. However, for SMEs (companies up to 250 employees) whose data processing activities present a low or limited risk of harm to data subjects, there can be exemptions to this requirement.

Both first-party and third-party data controllers have responsibilities if they have control of the data file, e.g. the company on whose website data is collected, and a vendor using the data. If a third party is involved, they are obligated to provide information if they do not disclose the identity of the controller (first party) or if the controller isn’t domiciled in Switzerland.

Companies based outside of Switzerland must designate a representative in Switzerland if they regularly process large volumes of data in Switzerland/of Swiss citizens:

• in connection with offering goods or services
• with the purpose of monitoring behavior
• if the processing could involve high risk to data subjects

For Swiss companies that process the personal data of EU residents, a data protection officer can always be appointed (regardless of risk level to data subjects). Companies required to comply with the FADP that do not already have a data protection officer (but that aren’t required under the GDPR or other law to appoint one) can do so voluntarily. Such a position provides a central point of contact for customers, employees, and data protection authorities.

Any entity processing personal data has the responsibility to ensure that it is correct (Art. 6), and must take all reasonable measures to ensure that incorrect or incomplete data, within the scope of the purpose of its collection, is either corrected or destroyed.

Controllers must protect data against unauthorized access or processing via adequate technical and organizational measures (Art. 7). Detailed provisions on minimum standards for data security are issued by the Federal Council.

It is a fundamental principle of the FADP that the collection of personal data by private persons must not harm the data subjects’ privacy or personality. Now, data can be made publicly available if its processing isn’t expressly prohibited, but doing so cannot be harmful, and, as noted, information about the collection and use of the data and purposes thereof must be communicated.

If there is a high risk to the privacy or rights of data subjects, the controller must conduct (and maintain) documented impact assessments regarding their data processing operations.

In the event of a breach in data security, including accidental or unlawful loss, deletion, destruction, alteration, or unauthorized access of personal data, the FDPIC must be promptly notified. (Under the GDPR prompt notification is considered within 72 hours.)

Generally, controllers must also inform the data subject if the FDPIC requires it, or if it’s necessary for the data subject’s own safety and protection.

The FADP used to cover both natural persons and legal persons. With the new FADP it only covers natural persons and federal bodies. Under Swiss law a legal person is a human or non-human entity (which could be a company or other organization) treated as a person for limited legal purposes. This can include owning property, entering into contracts, suing or being sued, etc.

Any data subject can request to know if data about them is or has been processed, and can request access to the data. The data must be provided in writing (printed or photocopied) and must be provided free of charge. The right to information cannot be waived in advance.

Data subjects also have the right to request that their personal data be corrected if it is inaccurate or incomplete. However, under certain circumstances these requests can be restricted, refused, or deferred (Art. 32).

The FADP does not apply to:

1. personal data that is processed by a natural person exclusively for personal use and which is not disclosed to outsiders
2. deliberations of the Federal Assembly and in parliamentary committees

Regulatory compliance is not something organizations just achieve once and then they can ignore it. Data privacy and FADP compliance can be important and ongoing aspects of a company’s operations.

Some organizational best practices for FADP compliance include the following, which should be reviewed and updated regularly:

Maintain comprehensive data inventories: Companies need to know what data they collect and store, including specific categorizations like that of sensitive personal data.

Review FADP compliance requirements: Periodically reassess operations and data processing, as well as FADP obligations, and take necessary measures to ensure continuous compliance with the Swiss privacy law.

Transparent disclosure of processing activities: Clearly disclose data processing activities via formalized policies and privacy notices, ensuring users are kept informed of data processing activities and their rights.

Processes for data subject request handling: Set up and update procedures to manage data subjects’ requests in a user-friendly and timely manner, which meets legal requirements, saves corporate time and resources, and also fosters user trust.

Streamline data subject request architecture: Set up and maintain well-structured data subject requests architecture to ensure timely and effective management of and response to data subjects’ requests and exercising of their rights.

Robust data breach notification system: Establish policies and processes to ensure a robust response to any data breach, including prompt notifications as legally required and for good user relations.

Determine cross-border data flow compliance: Catalog processes and be familiar with cross-border requirements if operations include international data flows.

Efficient RoPA (Record of Processing Activities) reporting: Establish procedures to ensure RoPA reports are scanned, tracked, and produced efficiently.

Strengthen organizational security measures: Safeguard processing activities by implementing autonomous and robust security measures throughout the organization.

Conduct Data Protection Impact Assessments: Conduct data protection impact assessments as legally required under the FDPA to identify and mitigate potential risks associated with data processing activities.

The FDPIC can initiate an investigation into a company on their own or upon notification. If a data breach is found to have occurred, it can order extensive measures, including adjustment to or suspension of data processing, or data deletion.

Noncompliance with FADP responsibilities, including breaches of obligation to provide information or exercise duties of care, can result in fines to the controller of up to CHF 250,000. Note that under the FADP private individuals can be fined, whereas the GDPR does not fine natural persons, but places the focus of financial penalties on companies.

Infringements under business operations can result in fines up to CHF 50,000 to the company if disproportionate effort would be required to identify the offending person within the organization.

The Federal Data Protection and Information Commissioner is responsible for monitoring compliance with the Federal Data Protection Act and has considerable investigative powers (Art. 4). The entity is also responsible for advising, educating, and ensuring protection of personal data in Switzerland. The Commissioner is appointed by the Federal Council (the executive body of the Swiss federal government) for a four-year term, which is approved by a vote of the Federal Assembly.

The EU-US Privacy Shield was struck down in July 2020. Following an evaluation by the FDPIC, the Swiss-US Privacy Shield was also declared inadequate due to the insufficient level of data protection by the United States. The transfer mechanism was invalidated for international data transfers on September 8th, 2020.

The EU and US enacted a new adequacy agreement, the EU-U.S. Data Privacy Framework, on July 10, 2023. Additionally, the Swiss-U.S. Data Privacy Framework came into effect on July 17, 2023, and companies can begin the self-certification process as of that date. US companies that self-certify with that Framework must comply with the Swiss-US DPF, which includes a requirement to update privacy policies by October 17, 2023.

In addition to accruing fines for violations, failure to comply can result in reputational data to an organization and loss of user trust. Compliance and clear, transparent communications with customers builds trust and shows respect for and commitment to protecting personal data and privacy rights.

Implementing compliance processes and mechanisms helps to ensure responsible, secure collection, storage, and use of personal data, and enables consumers to be in control of access to and use of that data.

Compliance with at least one privacy law, like the FADP helps ensure a fair bit of work is done in case a company has to comply with additional laws in the future, which is increasingly likely as data privacy regulation expands globally.

Demonstrating compliance also enables Swiss companies to remain competitive as they can prove they meet privacy compliance requirements, thus enabling cross-border transfer of data and other functions of doing business, particularly in the EU.

While it is not always necessary to obtain consent from Swiss users before collecting or processing personal data (though there are other legal bases under Art. 6 and 17), it is always necessary to inform them about the controller and processing. To comply with this, a consent management platform (CMP) is a valuable tool.

In circumstances where consent is required, like the processing of sensitive personal data or if the data will be transferred to a third country deemed not to have adequate data protection, a CMP enables collection and storage of valid consent as well as providing the required notification. For web properties and ecommerce enterprises that have EU visitors and customers as well as Swiss ones, a consent banner would be required for both notification and consent.

The Usercentrics Consent Management Platform (CMP) can easily be set for use in Switzerland and with Swiss users. Multiple configurations can be set up and managed with geolocation to ensure privacy compliance with the FADP, GDPR, or other regulations.

Get our FADP Checklist today and learn what you need to know for compliance.

The Federal Act on Data Protection (FADP) brings much needed modernization to Swiss privacy law, and positions the country to be engaged and competitive in the technology- and data-driven future. As its provisions are not quite the same as the GDPR or other regulations, it’s important to understand what the FADP requires and allows, and to obtain good legal advice on your specific compliance obligations. (Usercentrics does not provide legal advice, and information is provided for educational purposes only.)

Under the FADP, transparency and informing users remains of critical importance, whether or not their consent is required for data processing. However, like with the GDPR, when consent is required, it must also be granular and informed. A consent management solution helps with this, as well as with the requirement that consent be explicit and voluntary, and that users be equally able to opt out or change their consent preferences. Usercentrics’ Consent Management Platform (CMP) meets these needs, and provides the ease of use and flexibility to enable compliance with the regulations relevant to your organization, all from one user-friendly interface. Rely on our state of the art technology and legal expertise to maintain compliance and peace of mind while growing your business.

Do you have questions about what you need to do for FADP compliance or how to ensure your organization meets its responsibilities to users and with multiple regulations? We’re here to help. Run a free data privacy audit to see how well your website is managing privacy compliance requirements.

Do you have specific questions about regulations or your organization’s responsibilities? We’re here to help. Talk to one of our experts today.