The revised Federal Act on Data Protection
- The referendum deadline has expired unused: the revised Swiss FADP is expected to come into force in mid-2022.
- The revised FADP introduces various new obligations for data controllers and processors, such as a comprehensive duty to provide information or a duty to record data processing activities.
- Intentional non-compliance with certain data protection provisions can be punished by a fine of up to CHF 250,000. This penalty is not imposed on the company, but on the person responsible for the data protection violation.
- As there are hardly any transitional periods, implementation of the new provisions requires planned and immediate action: (i) adapt your privacy policies and GTCs; (ii) adapt your DPAs; (iii) check whether data transfers to third countries without adequate data protection levels are based on sufficient guarantees; (iv) create a record of processing activities; (v) create standard templates for reporting data breaches; (vi) create standard templates for responding to requests for information.
1. Revised FADP is a done deal
After a legislative process lasting more than four years, the deadline for calling a referendum against the revised Federal Act on Data Protection (reFADP) expired unused on 14 January 2021. The reFADP and the new data protection regime it introduces will therefore likely come into force by mid-2022 at the latest.
2. Comprehensive obligations for data controllers and processors
The good news first: the regulatory concept of the reFADP remains the same. In contrast to the EU's General Data Protection Regulation (GDPR), the processing of personal data in the private sector still requires neither consent nor any other justification. A justification is only necessary if the processing principles are not complied with, if the data subject has objected to the processing, or if sensitive personal data is to be disclosed to a third party.
Nevertheless, with the reFADP, the legislator introduces various new obligations for both data controllers and data processors. These new obligations, and the reFADP in general, may also apply to companies based abroad, in particular if they process personal data and this data processing has an impact in Switzerland.
The most important of the new obligations and the resulting need for action for controllers and processors are listed below:
| Comprehensive obligations for data controllers and processors | Need for action |
| --- | --- |
| Obligation to provide comprehensive information | |
| Obligation to keep records of processing activities | |
| Obligation to obtain prior consent for sub-processing | |
| Obligation to secure personal data | |
| Obligation to carry out a data processing impact assessment | |
| Obligation to notify data security breaches | |
| Obligation to appoint a representative | |
3. Non-compliance may result in fines of up to CHF 250,000
The reFADP not only introduces new obligations but also provides for increased penalties in case of non-compliance. In future, intentional infringements of certain data protection provisions, for example non-compliance with the information obligations, will be punishable by fines of up to CHF 250,000.
4. No transition periods – immediate action required
As the FADP provides for hardly any transitional periods, companies subject to the reFADP will be obliged to comply fully with the newly introduced obligations as soon as it enters into force. Companies affected should therefore take a forward-looking approach and begin the process of implementing the new provisions today. The following steps are recommended:
In a first step, companies should establish their starting position under data protection law: Whose data do we process, which types of personal data, and for which purposes? What is the potential justification for our data processing? Do we disclose personal data to third parties? Do we disclose personal data cross-border to countries without an adequate level of data protection? On what guarantees do we base such cross-border data disclosures?
In a second step, companies should define the gaps between the actual and target status and the resulting need for action. The concrete need for action and the time needed for its implementation depend to a large degree on the extent to which the company concerned already complies with the GDPR provisions today.
As it is unlikely that the measures necessary to meet the need for action can be implemented simultaneously, it will be necessary in a third step to set priorities for the realisation of these measures. In this context, it might be useful for a company to implement measures that protect it from possible sanctions under the reFADP in advance. Priority should be given to the following actions: (i) adaptation of privacy policies and GTCs to meet the information obligation; (ii) adaptation of DPAs; (iii) review and, if necessary, adaptation of guarantees to ensure an adequate level of data protection in case of data transfers to third countries (keyword: Schrems II); (iv) creation of records of processing activities; (v) creation of standard templates for reporting data breaches; and (vi) creation of standard templates for responding to requests for information.
With our long-standing and proven professional expertise, Pestalozzi Attorneys at Law is at your disposal during both the evaluation and implementation process.
Contributors: Michèle Burnier (Partner), Nando Lappert (Associate)
No legal or tax advice
This legal update provides a high-level overview and does not claim to be comprehensive. It does not represent legal or tax advice. If you have any questions relating to this legal update or would like to have advice concerning your particular circumstances, please get in touch with your contact at Pestalozzi Attorneys at Law Ltd. or one of the contact persons mentioned in this Legal Update.
© 2021 Pestalozzi Attorneys at Law Ltd. All rights reserved.