Switzerland’s Federal Act on Data Protection (FADP)

The Federal Act on Data Protection (FADP) was approved in Switzerland in fall 2020, and comes into effect September 1st, 2023 through the Data Protection Ordinance. It was originally scheduled to go into effect in the second half of 2022. This Swiss Data Protection Act is technically the new FADP (nFADP or revised FADP) as it replaces the previous 1992 Act.

Technology has changed significantly since the 1990s and has become both more ubiquitous and more demanding for user data. Smartphones, social networking platforms, cloud-based computing systems and more have proliferated, so an update to the law was due for better protection of data privacy.

The revised FADP introduces the concept of profiling, i.e. automated processing of personal data (Art. 5 lit. f), which is a good example of a new, technology-driven concern for the law to address.

The Federal Act on Data Protection (in German) has some differences from, but is largely compatible with the European Union’s General Data Protection Regulation (GDPR) and other European law. Ensuring flow of data with the EU and maintaining Swiss companies’ economic opportunities was a significant goal of the Act. The FADP provides Swiss citizens with new rights regarding personal data protection, and creates new requirements for companies wanting access to that data.

The Swiss constitution provides citizens with a right to privacy, and Swiss laws regarding data protection have foundations in these civil legal protections. The new FADP is a complete overhaul of the older Swiss Data Protection Act from 1992, though smaller updates were made in 2009 and 2019. The scope of the new Swiss Data Protection Act is covered in Art. 2.

The FADP is extraterritorial, so applies to organizations outside of Switzerland if they process the data of Swiss citizens. It doesn’t matter where the company is based or their website is hosted. The Act also applies to both the public and private sectors.

In good part, the FADP is meant to ensure continued, secure data flow between Switzerland and the EU and EEA, though it is not a member of either. It does prohibit transfers of personal data from Switzerland to countries with which they do not have an adequacy agreement, i.e. countries determined not to exercise an adequate level of data protection (Art. 16). However, such transfers can still happen if consent for them has been obtained from data subjects (Art. 17).

The FADP applies to both physical and electronic data/files. It protects Swiss citizens’ rights to data privacy and against infringement via excessive access to or use of their personal information.

Under the Act (Art. 5) “processing” is defined as: “any handling of personal data, regardless of the means and procedures used, in particular the acquisition, storage, keeping, use, modification, disclosure, archiving, deletion or destruction of data”.

The FADP also refers to data “controllers”, which refers to a “private person or federal body which alone or together with others decides on the purpose and means of processing”. Controllers are the ones collecting and processing data, directing its collection and processing, and responsible for compliant handling of it.

Personal data processing can be carried out by third parties (not the controller) if legally allowed, or by contractual agreement if (Art. 9):

1. the data is processed as the data controller themself would be permitted to do; and
2. no legal or contractual obligation of secrecy prohibits the transfer.

Additionally, third parties may claim the same justification (legal basis) for data processing as the instructing party.

The FADP introduces the principles of “privacy by design” and “privacy by default” into the law. This requires companies to take into account data processing principles in the planning and design states of applications, and not just seek to secure and protect data retroactively. They also cannot use default settings, e.g. of web technologies, to obtain data subjects’ consent for more processing than is absolutely necessary.

The FADP sets out several principles regarding data processing (Art. 4):

1. personal data may only be processed lawfully
2. processing must be carried out in good faith and must be proportionate
3. processing may only be carried out for the purpose indicated at time of collection as evident from circumstances or provided by law
4. collection of personal data, and particularly the purpose of processing, must be evident to the data subject
5. data will be deleted or anonymized once it is not needed anymore for the processing purposes
6. if the data subject’s consent is required for the processing of personal data, such consent is only valid if given voluntarily upon provision of adequate information
7. in the case of processing sensitive personal data or personality profiles, consent must be given expressly

In line with many other data privacy laws, the Swiss FADP defines personal data or information as “all information relating to an identified or identifiable person”. This can include obviously identifying information, like a name or email address, but also information like IP address, particularly since it can become identifying when combined with other personal data.

How does the Federal Act on Data Protection define sensitive personal data?

The FADP defines the sensitivity of personal data (Art. 5 lit. c) to include:

1. data relating to religious, philosophical, political or trade union beliefs or activities
2. data concerning health, privacy or racial or ethnic origin
3. data on administrative and criminal prosecutions or sanctions
4. data on social security measures
5. genetic data
6. biometric data which uniquely identify a natural person

The final two types of sensitive personal data listed were added to the new FADP; the preceding four types were already included in the old Act.

Users must be asked for and provide explicit confirmation that they have been informed about, and consent to, access to and use of their sensitive personal data, for example by mouse click to check a checkbox.

Legal basis or justification

The GDPR operates on a principle of “lawfulness of processing”, requiring a legal basis, or justification, for most processing of personal data. Consent is one such legal basis.

The FADP works a bit differently in that individuals (natural persons), organizations (non-commercial entities) and businesses (commercial entities) are generally allowed to process personal data without a specific legal basis, unless the processing meets certain criteria. Consent is required for:

• processing of sensitive personal data
• processing used in high-risk profiling by a privacy person
• processing used for profiling by a federal body (government)
• data transfers to third countries where there is not adequate data protection

Even when processing does not require obtaining consent, the FADP does require notification of data subjects. If a legal basis is required, the controller must communicate what it is. In all of these scenarios, a consent management solution enables compliance by providing the necessary notification and collecting valid consent.

Instances where consent is required can include if the data controller seeks justification for disclosure of sensitive personal data or “personality profiles” to third parties (other controllers only), or to process the data for additional purposes or for a longer period than stated (Art. 6).

Private persons can instruct third parties to process data on their behalf, as long as no obligations of secrecy are violated. Any legal basis/justification the controller asserts can be used by those third parties (Art. 9).

In addition to consent, other legitimate justifications for data transfers to third countries include:

• data collection in connection with the conclusion of a contract
• overriding private or public interest
• the establishment, exercise or enforcement of legal claims before a court or other competent foreign authority, or
• to protect the life or physical integrity of the data subject or a third party and it is not possible to obtain the consent of the data subject within a reasonable time

The FADP is an “opt in” law, so if a legal basis is required, organizations are required to obtain users’ valid consent before or at the point of (“prior”) data collection. Data subjects must be notified before or at the point of data collection regardless of whether legal basis is required.

Conditions for valid consent

As with the GDPR, Swiss users’ consent must also be informed and freely given. This applies to, among other things, the use of cookies and other tracking technologies on websites that Swiss citizens may visit, if the data collection and processing meets the requirements for consent under the FADP (sensitive personal data, profiling by a government body, etc.)

Organizations need to clearly communicate the following information, e.g. in a privacy policy page on the website (Art. 8, Art. 18a) whether or not a legal basis is required. However, these criteria are also required for consent to be valid:

• identity of the data controller, whether the company or a third party
• contact details for the data controller
• identity of the data recipient and any other parties involved with the data file
• recipient country if the data will be transferred cross-border
• purpose(s) of data collection and use
• categories of data collected, if relevant
• means of data collection, if relevant
• the legal basis for processing, if needed
• users’ rights regarding their personal data under the FADP, including the right to refuse or withdraw consent

Private persons or federal bodies responsible for processing the personal data of individuals in Switzerland are governed by the FADP, even if they use third-party vendors for the data collection and processing, e.g. for analytics, advertising, etc.

If processing the data of users outside Switzerland, in the EU, which is fairly common, companies must also take the requirements of broader European laws like the GDPR and ePrivacy Directive (ePR) into account when processing and protecting personal data. The ePR is most relevant when using electronic communications. Companies’ responsibilities under those regulations are fairly similar to those under the FADP, though more strict on a number of fronts (like requiring consent in more circumstances).

Upon going into effect in September 2023, the FADP does not provide a grace period for businesses before enforcement begins. Compliance is required from day one. Companies that are already GDPR-compliant will have few to no adjustments to make to policies or operations to comply with the FADP.

Companies must inform data subjects about every instance of collection of personal data about the data subject, even if the data is not collected from the data subject directly. They must also maintain a register of processing activities. However, for SMEs (companies up to 250 employees) whose data processing activities present a low or limited risk of harm to data subjects, there can be exemptions to this requirement.

Both first-party and third-party data controllers have responsibilities if they have control of the data file, e.g. the company on whose website data is collected, and a vendor using the data. If a third party is involved, they are obligated to provide information if they do not disclose the identity of the controller (first party) or if the controller isn’t domiciled in Switzerland.

Designated representatives and data protection officers

Companies based outside of Switzerland must designate a representative in Switzerland if they regularly process large volumes of data in Switzerland/of Swiss citizens:

• in connection with offering goods or services
• with the purpose of monitoring behavior
• if the processing could involve high risk to data subjects

For Swiss companies that process the personal data of EU residents, a data protection officer can always be appointed (regardless of risk level to data subjects). Companies required to comply with the FADP that do not already have a data protection officer (but that aren’t required under the GDPR or other law to appoint one) can do so voluntarily. Such a position provides a central point of contact for customers, employees, and data protection authorities.

Responsibility to ensure correctness and completeness

Any entity processing personal data has the responsibility to ensure that it is correct (Art. 6), and must take all reasonable measures to ensure that incorrect or incomplete data, within the scope of the purpose of its collection, is either corrected or destroyed.

Responsibility to ensure adequate security

Controllers must protect data against unauthorized access or processing via adequate technical and organizational measures (Art. 7). Detailed provisions on minimum standards for data security are issued by the Federal Council.

Responsibility to avoid harm to data subjects

It is a fundamental principle of the FADP that the collection of personal data by private persons must not harm the data subjects’ privacy or personality. Now, data can be made publicly available if its processing isn’t expressly prohibited, but doing so cannot be harmful, and, as noted, information about the collection and use of the data and purposes thereof must be communicated.

Data protection impact assessments

If there is a high risk to the privacy or rights of data subjects, the controller must conduct (and maintain) documented impact assessments regarding their data processing operations.

Data breach notification

In the event of a breach in data security, including accidental or unlawful loss, deletion, destruction, alteration, or unauthorized access of personal data, the FDPIC must be promptly notified. (Under the GDPR prompt notification is considered within 72 hours.)

Generally, controllers must also inform the data subject if the FDPIC requires it, or if it’s necessary for the data subject’s own safety and protection.

The FADP used to cover both natural persons and legal persons. With the new FADP it only covers natural persons and federal bodies. Under Swiss law a legal person is a human or non-human entity (which could be a company or other organization) treated as a person for limited legal purposes. This can include owning property, entering into contracts, suing or being sued, etc.

Any data subject can request to know if data about them is or has been processed, and can request access to the data. The data must be provided in writing (printed or photocopied) and must be provided free of charge. The right to information cannot be waived in advance.

Data subjects also have the right to request that their personal data be corrected if it is inaccurate or incomplete. However, under certain circumstances these requests can be restricted, refused, or deferred (Art. 32).

The FADP does not apply to:

1. personal data that is processed by a natural person exclusively for personal use and which is not disclosed to outsiders
2. deliberations of the Federal Assembly and in parliamentary committees

The FDPIC can initiate an investigation into a company on their own or upon notification. If a data breach is found to have occurred, it can order extensive measures, including adjustment to or suspension of data processing, or data deletion.

Noncompliance with FADP responsibilities, including breaches of obligation to provide information or exercise duties of care, can result in fines to the controller of up to CHF 250,000. Note that under the FADP private individuals can be fined, whereas the GDPR does not fine natural persons, but places the focus of financial penalties on companies.

Infringements under business operations can result in fines up to CHF 50,000 to the company if disproportionate effort would be required to identify the offending person within the organization.

The Federal Data Protection and Information Commissioner is responsible for monitoring compliance with the Federal Data Protection Act and has considerable investigative powers (Art. 4). The entity is also responsible for advising, educating, and ensuring protection of personal data in Switzerland. The Commissioner is appointed by the Federal Council (the executive body of the Swiss federal government) for a four-year term, which is approved by a vote of the Federal Assembly.

The EU-US Privacy Shield was struck down in July 2020. Following an evaluation by the FDPIC, the Swiss-US Privacy Shield was also declared inadequate due to the insufficient level of data protection by the United States. The transfer mechanism was invalidated for international data transfers on September 8th, 2020. Switzerland does still have an adequacy agreement with the rest of the EU, and progress is being made on a new EU-US Privacy Shield. The update to the FADP was an important step to ensure continued adequacy of data protection and transfers with the EU for economic and competitive benefit.

While it is not always necessary to obtain consent from Swiss users before collecting or processing personal data (though there are other legal bases under Art. 6 and 17), it is always necessary to inform them about the controller and processing. To comply with this, a consent management platform (CMP) is a valuable tool.

In circumstances where consent is required, like the processing of sensitive personal data or if the data will be transferred to a third country deemed not to have adequate data protection, a CMP enables collection and storage of valid consent as well as providing the required notification. For web properties and ecommerce enterprises that have EU visitors and customers as well as Swiss ones, a consent banner would be required for both notification and consent.

The Usercentrics Consent Management Platform (CMP) can easily be set for use in Switzerland and with Swiss users. Multiple configurations can be set up and managed with geolocation to ensure privacy compliance with the FADP, GDPR, or other regulations.

Get our Swiss FADP Checklist today and learn what you need to know for compliance.

The Federal Act on Data Protection (FADP) brings much needed modernization to Swiss privacy law, and positions the country to be engaged and competitive in the technology- and data-driven future. As its provisions are not quite the same as the GDPR or other regulations, it’s important to understand what the FADP requires and allows, and to obtain good legal advice on your specific compliance obligations. (Usercentrics does not provide legal advice, and information is provided for educational purposes only.)

Under the FADP, transparency and informing users remains of critical importance, whether or not their consent is required for data processing. However, like with the GDPR, when consent is required, it must also be granular and informed. A consent management solution helps with this, as well as with the requirement that consent be explicit and voluntary, and that users be equally able to opt out or change their consent preferences. Usercentrics’ Consent Management Platform (CMP) meets these needs, and provides the ease of use and flexibility to enable compliance with the regulations relevant to your organization, all from one user-friendly interface. Rely on our state of the art technology and legal expertise to maintain compliance and peace of mind while growing your business.

Do you have questions about what you need to do for FADP compliance or how to ensure your organization meets its responsibilities to users and with multiple regulations? We’re here to help.

Talk to one of our experts today.