Important information on the Swiss Data Protection Act
The Swiss Federal Act on Data Protection (new FADP) has been revised: The new provisions have been in force since September 1, 2023. The rules on processing personal data have been tightened. For this reason, you as an entrepreneur should review your current guidelines and privacy policies and amend them as needed. MyRight provides answers to the most important questions regarding the new FADP.
What is the new FADP?
The Swiss Federal Act on Data Protection has been in effect since the 1990s and is outdated. The new digital world necessitates a revision of the act and it must also be adapted to data protection law of the European Union (GDPR). The goal is to ensure the cross-border exchange of data in the future as well as the protection of personal data.
What is important to know?
Several points will change. The two most important changes are:
- In the first instance, it will no longer be the company itself that will be the target of criminal proceedings, but also the person responsible (owners and employees). The maximum fine will increase from CHF 10,000 to CHF 250,000.
- Like the GDPR, the revised FADP confines itself to protecting the data of natural persons – rather than also covering the data of legal entities, as was previously the case.
You can find additional information on the subject of data protection here.
When was the new Federal Act on Data Protection (FADP) introduced in Switzerland?
The new Swiss Federal Act on Data Protection entered into force on September 1, 2023.
Can I wait until the new FADP comes into effect to take care of data protection at my company?
No. Many Swiss companies already face increased data protection requirements. For example, companies that have business activities in the EU. For all others, the need to act will arise when the new FADP is set to come into effect at the latest. There are no transition periods, meaning that the new law will enter into force and must be observed from the defined start date.
What does the new FADP mean for me as a company? What do I have to do to comply with the new law?
To be compliant with the new FADP, you must ensure that:
- the data of customers, employees, and other persons is managed and processed with modern – state-of-the-art – means
- employees are made aware and trained in the area of data protection and data security
- various obligations regarding information and documentation, such as the creation of a data processing directory or a privacy policy on your website, are met.
Are there consequences to a breach of the new FADP?
In addition to possible penalties from the Swiss Federal Data Protection Commissioner, a breach could result in fines of up to CHF 250,000 and criminal proceedings.
Important: The threat of punishment affects every employee (especially management employees) who intentionally breaks the law. This means that the fine will not be issued to you as a company owner, but rather to company employees who are responsible for breaching the new FADP. However, not every person directly responsible for action is considered responsible; the focus here is on those responsible for the organisation, i.e. primarily management personnel who are responsible for the implementation of effective internal company data protection.
If you do not take any measures on the subjects of information obligations, information requests, technical and organizational measures, and international data transfers, you are acting intentionally or at least accepting breaches of the law (recklessness) and can be punished.
When am I at risk of being prosecuted under the new FADP?
Penalties in accordance with the new FADP will generally only be issued in cases of intentional violations. But be careful: An intentional violation can be assumed if there is deemed to be so-called recklessness (meaning that you accepted the risk of a violation). This is the case if you do not take any measures after the new law comes into effect and, for this reason, break the law, even if due to ignorance.
Am I running a high risk with my company of violating the new FADP?
If you do not take any precautions, the chances are very high that you will outsource data or transfer it abroad in an illegal manner, issue illegal information, or take insufficient technical and organizational measures.
By when do I have to implement the new regulations on data protection?
On 31 August 2022, the Swiss Federal Council announced that the new FADP will come into force on 1 September 2023. This gives the economy one year to take the necessary precautions. This means that as of 1 September 2023, they must comply with the new FADP.
Are there transition periods?
No. The Federal Council has stipulated that the new FADP will apply from 1 September 2023. From that date, all companies must comply with the new provisions.
Will there be consequences if we have not yet implemented measures as of the start date?
Supervisory authorities take action if they detect irregularities themselves or if customers, employees, or competitors make them aware of such. In most cases, they first contact the company concerned with a questionnaire. However, they can also use so-called means of coercion to investigate the situation. From the time the new FADP is introduced, customers, employees, or authorities can launch an investigation, or in the worst case scenario, file charges..
How can I prepare for the new FADP and how can I protect myself?
To prevent a (recklessly) intentional violation, we recommend taking measures to implement the new FADP in good time.
Ideally, you should take measures now to meet the new law's requirements regarding information obligations or information requests.