Understanding the differences between GDPR and FADP

Data protection and privacy regulations play a crucial role in ensuring the online security and rights of individuals. Two significant privacy regulations, particularly for organizations operating in Europe, are the European Union’s General Data Protection Regulation (GDPR) and Switzerland’s Federal Act on Data Protection (FADP).

EU member states have to comply with the GDPR, and some also have their own national data privacy regulations. Switzerland is not an EU member, so the GDPR does not apply within the country, hence the need for its own such law. While both laws aim to protect personal data and privacy, there are key differences between them that businesses must be aware of, particularly if they do business in the EU and in Switzerland. In this article, we will explore the main distinctions between the GDPR and FADP and how organizations can achieve compliance with these regulations.

The General Data Protection Regulation (GDPR) is a comprehensive data privacy law implemented by the European Union (EU) on May 25, 2018. The GDPR consists of 99 Articles and governs the processing and protection of personal data, emphasizing transparency, consent, and individual rights concerning personal data. It applies to organizations that process the data of EU residents, regardless of whether the organization is located within the EU or not. Since 2018, the GDPR has been influential on data privacy laws passed around the world, and most follow its “opt in” consent model.

The Federal Act on Data Protection (FADP) is Switzerland’s data privacy law, which came into effect on September 1, 2023. The FADP replaces the previous Swiss Data Protection Act from 1992 and aligns Swiss data protection regulation with the GDPR and other European laws. The FADP is not quite the Swiss GDPR, however, and there are differences in legal basis and consent requirements, among other things.

The FADP aims to ensure data flow between Switzerland and the EU while safeguarding the privacy and security of personal data. It grants new rights to Swiss citizens and imposes responsibilities on organizations regarding data privacy and protection.

One of the primary differences between GDPR and FADP lies in their scope of application. The GDPR applies to organizations that process the data of EU and EEA residents, regardless of the location of the organization doing the processing, i.e. they could be headquartered outside the EU. FADP is similarly extraterritorial, but only applies to processing of the data of Swiss citizens.

The GDPR requires organizations that want to engage in data processing to have a valid legal basis to do so (Art. 6 GDPR). Legitimate interest has been a popular choice of legal basis in the past, as it enables organizations to avoid having to obtain user consent for data processing. However, newer laws are increasingly prohibiting legitimate interest as a legal basis and requiring explicit user consent.

Contractual fulfillment, compliance with legal obligation, and public interest are some other viable legal bases under the GDPR, however, organizations can be called upon by data protection authorities to prove the validity of their chosen legal basis.

The GDPR set the standard with its requirements for consent to be valid (Art. 7 GDPR), particularly that it is granted by a “clear, affirmative act” and is:

• freely given
• informed
• specific
• unambiguous

Many laws passed since have adopted this definition of valid consent, including the FADP, and data protection authorities increasingly frown on the use of dark patterns and other manipulations in order to increase user consent rates.

Under the FADP, individuals (natural persons), organizations (non-commercial entities) and businesses (commercial entities) are generally allowed to process personal data without a specific legal basis, unless the processing meets certain criteria.

Data processing for which prior consent is required under the FADP include:

• sensitive personal data
• high-risk profiling by a private person
• profiling by a federal body (government)
• data transfers to third countries where there is not adequate data protection (aka lack of adequacy agreement)

Both the GDPR and FADP, and pretty much all other data privacy laws around the world, do require data subjects (users, visitors, customers, players, etc.) be notified about data processing, with clear, accessible information about what data is collected, by whom, how it’s used, who may have access to it, what users’ rights are, how they can exercise them, etc.

The GDPR can impose significant penalties for noncompliance. While most headlines are about giant tech companies with fines in the hundreds of million or billions, smaller organizations have been found in violation and fined as well.

Under the GDPR, organizations can face fines of up to € 20 million or 2% of their global annual turnover, whichever is higher. Or, for repeated or severe violations, it can go up to € 40 million or 4% of global annual turnover.

The FADP, on the other hand, imposes fines of up to CHF 250,000 against responsible individuals (~CHF 265,000) or up to CHF 50,000 against a company (~CHF 53,000) if it’s too difficult to determine a responsible individual.

The GDPR does not have provisions for individual responsibility, and neither law, like in some other countries, includes potential criminal charges. Both the GDPR and FADP, however, enable for private right of action, so a consumer could sue a company in the event of a violation.

In the event of a data breach, the GDPR makes notifications mandatory to the relevant supervisory authority within 72 hours (Art. 33 GDPR). If that’s not done, reasons why must be provided, e.g. the breach is unlikely to result in a risk to the rights and freedoms of natural persons. However, the controller would need to be able to prove such a claim.

Victims of a data breach, i.e. those whose personal data may be affected, must be notified without “undue delay” (Art. 34 GDPR) in most cases, and communications must be in clear, plain language.

Under the FADP, in the event of a data breach — including accidental or unlawful loss, deletion, destruction, alteration, or unauthorized access of personal data — the Federal Data Protection and Information Commissioner (FDPIC) must be notified promptly. Generally, controllers must also inform the data subject if the FDPIC requires it, or if it’s necessary for the data subject’s own safety and protection. (Within 72 hours is a fairly commonly accepted time frame for prompt notification.)

Under the GDPR, organizations may be required to appoint a Data Protection Officer (DPO) if they meet certain criteria, such as processing large amounts of special categories or sensitive data or conducting regular and systematic monitoring of individuals on a large scale (Art. 37 GDPR).

The appointment of a DPO is recommended but not mandatory under the FADP. However, data controllers located outside of Switzerland must designate a representative within Switzerland if they regularly process large amounts of data in Switzerland/from Swiss citizens:

• in connection with offering goods or services
• with the purpose of monitoring behavior
• if the processing could involve high risk to data subjects

A representative is not the same and does not have quite the same responsibilities as a DPO, but is a central liaison for customers, employees, and data protection authorities.

As is nearly universal among data privacy laws, both the GDPR and FADP require that data subjects — those whose personal data would be collected and processed — be informed about the processing, who’s doing it, and what their recourse is. Typically, a privacy notice or policy is required to be displayed somewhere easily accessible, like on a corporate website. .

Under the GDPR, controllers are required to include the following information in a privacy notice (Art. 6 GDPR, Recital 39)

• identity of the data controller, whether the company or a third party
• contact details for the data controller
• identity of the data recipient and any other parties who may have access to the data
• recipient country if the data will be transferred cross-border
• purpose(s) of data collection and use
• duration of processing
• security measures taken to protect data
• categories of data collected, if relevant
• means of data collection, if relevant
• the legal basis for processing, if needed
• users’ rights regarding their personal data under the FADP, including the right to refuse or withdraw consent, and how to do so

Under the FADP, controllers are required to include the following information in a privacy notice:

• identity of the data controller, whether the company or a third party
• contact details for the data controller
• identity of the data recipient and any other parties who may have access to the data
• recipient country if the data will be transferred cross-border
• purpose(s) of data collection and use
• categories of data collected, if relevant
• means of data collection, if relevant
• the legal basis for processing, if needed
• users’ rights regarding their personal data under the FADP, including the right to refuse or withdraw consent, and how to do so

It is commonly recognized that not all countries take equal and appropriate measures to keep personal data secure and respect individuals’ privacy. Where two countries or regions recognize each other’s policies and procedures to be sufficient, they are deemed adequate and one will often see references to an adequacy agreement in place between them, like with the EU-U.S. Data Privacy Framework between the EU and United States. When there is mention of a “third country”, it is often in reference to a country without an adequacy agreement, which often requires additional safeguards or explicit consent before any data can be processed by or transferred to such a country.

Both the GDPR and FADP regulations address the issue of international data transfers. The GDPR requires organizations to ensure that personal data transferred to countries outside the EU has an adequate level of protection or falls under appropriate safeguards, such as Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR). Similarly, the FADP requires organizations to have adequacy agreements or obtain consent from data subjects for international data transfers.

The GDPR requires consent from users in more cases than the FADP. However, where consent is needed, requirements for both are clear and fairly stringent. Data controllers not only need to obtain consent compliantly with each regulation, but need to be able to securely store consent information, enable users to change or withdraw it in the future, or prove consent in the event of an audit by data protection authorities.

For consent management and the notification requirement (e.g. privacy policy), a consent management platform like Usercentrics CMP is an important tool. A CMP helps organizations collect and manage valid user consent, customize banners and privacy notices, and provide transparency to users about data usage. With geolocation functionality, it can also enable organizations to present the correct regulatory information to users depending on their location (and in their preferred language), to enable compliance with the GDPR and/or the FADP, for example.

A CMP also securely stores consent information so users can update their preferences or so it can be provided to users in the event of a data subject access request or audit by authorities.

The Digital Markets Act (DMA) applies directly to the six big tech companies that the European Commission designated as gatekeepers. However, to achieve compliance, the gatekeepers will apply compliance requirements to third-party companies that use their platforms and services, e.g. for advertising.

Parts of the regulation deal with data protection and user privacy, which align with the GDPR and FADP, particularly since the DMA applies to organizations with EU/EEA digital operations.

The DMA requires valid user consent to be obtained in many cases by controllers, which includes both the gatekeeper companies and third-parties that rely on their platforms and services. Valid user consent uses the model common to the GDPR and FADP.

This consent must also be signaled to gatekeepers that require it, like Google, to ensure consent has been obtained before users’ personal data is collected and they receive personalized advertising or targeting in certain cases. Usercentrics CMP enables consent signaling, e.g. with Google Consent Mode.

Because most of the gatekeeper companies (Alphabet, Amazon, Apple, Meta, and Microsoft) are located in the US, companies should also be aware of potential international data transfers when using these platforms and services, and ensure data privacy operations and consent management per GDPR and/or FADP requirements are in use.

Understanding the differences between GDPR and FADP is essential for organizations that operate in the EU/EEA and Switzerland or process the data of EU or Swiss citizens. While both regulations aim to protect personal data and privacy, they have distinct requirements and implications. While the GDPR is more strict in a number of ways and achieving compliance with that law will meet the requirements for many global privacy regulations, there are still specific requirements with the FADP that GDPR compliance operations will not meet, so good legal advice is important.

By implementing a consent management platform for robust consent management and adopting best practices for data protection and privacy, organizations can achieve compliance with GDPR and/or FADP, build user trust, and protect the rights of individuals.

Compliance with data protection and privacy regulations is ever-evolving and requires organizations to stay up to date with new and changing regulations and technologies. By prioritizing privacy and implementing robust consent management practices, organizations can navigate the complex landscape of data protection and privacy and build a foundation of trust with their users.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.

Learn more about the Federal Act on Data Protection (FADP)

Learn more about the General Data Protection Regulation (GDPR)