Advoke International


Federal Act on Data Protection (FADP), Switzerland

The Federal Act on Data Protection (FADP) is Switzerland’s data protection law, revised in 2023 to align with the EU GDPR. It regulates personal data processing, ensuring transparency, accountability, and individual rights like access and correction. The Swiss Federal Data Protection and Information Commissioner (FDPIC) oversees compliance and enforcement.


The Swiss Federal Act on Data Protection (FADP) is the primary legal framework for data protection in Switzerland. Originally introduced in 1992, the law underwent a significant revision in 2020 to align it more closely with international standards, particularly the European Union’s General Data Protection Regulation (GDPR). It came into force on September 1, 2023.

The main aim of FADP is to safeguard the personal privacy of individuals and regulate the processing of their data. The 2020 amendment brought several improvements to strengthen privacy protection and ensure that Swiss businesses can continue to operate seamlessly in the global market.

Key Improvements in the 2020 Amendment

  • Alignment with GDPR: The revised FADP ensures Switzerland meets the privacy protection standards of the European Union, facilitating international data exchanges.
  • Stronger Consent Requirements: Businesses must now obtain clear and explicit consent from individuals before collecting or processing their data, with specific rules for children under 16.
  • Enhanced Rights for Data Subjects: Individuals now have more robust rights to access, correct, and erase their data.
  • Transparency in Data Processing: Businesses must provide more detailed information about data processing practices, including the purpose of data collection and retention periods.
  • Stricter Provisions for Data Transfers: The amended law introduces stricter regulations governing the transfer of personal data outside of Switzerland, ensuring that the protection of data remains robust internationally.
  • Breach Notification: In case of a data breach, businesses are required to notify the Swiss Federal Data Protection and Information Commissioner (FDPIC) within 72 hours if there is a risk to individuals’ rights and freedoms.

Who Does It Apply To?

FADP applies to all individuals and organizations that collect, process, or store personal data in Switzerland. This includes:

  • Swiss Businesses and Organizations: Both private companies and public bodies operating in Switzerland that handle personal data.
  • Foreign Entities: Organizations outside of Switzerland that process the personal data of Swiss residents.
  • Public Sector Entities: Government bodies or agencies that handle personal data as part of their functions.

FADP applies to all sectors, including healthcare, finance, e-commerce, and more, ensuring that personal data is protected across various industries.

Enforcement Body and Penalties

The Swiss Federal Data Protection and Information Commissioner (FDPIC) is the main enforcement body responsible for overseeing compliance with FADP. The FDPIC ensures that both public and private entities comply with data protection standards, investigates complaints, and provides guidance on best practices.

Penalties for Non-Compliance

  • Individuals found responsible for violations, such as deliberate actions or breaches of obligations like providing incorrect information or violating confidentiality, can face fines of up to CHF 250,000. However, negligence does not result in penalties under this law.
  • In cases where the responsible individual within a company is difficult to identify, the company itself can be fined up to CHF 50,000.
  • Additionally, the FDPIC has the authority to issue orders requiring organizations to halt or modify their data processing practices to comply with FADP.

It is crucial for businesses to understand and adhere to FADP requirements to avoid legal repercussions and ensure they are protecting personal data effectively.

FADP Solutions

Advoke International provides comprehensive solutions tailored to support your organization in achieving full compliance with the FADP.

  • FADP Gap Analysis
  • Privacy Framework Implementation
  • FADP Readiness Assessment
  • Complete FADP Compliance Review

Frequently Asked Questions

Does FADP apply to small businesses?

Yes, FADP applies to all businesses operating in Switzerland, regardless of size. However, small businesses may be subject to fewer obligations, depending on the volume of personal data processed and the nature of their activities. Businesses must still comply with fundamental principles like transparency, data minimisation, and security, even if they are smaller in scale.

How do I handle data subject access requests (DSARs) under FADP?

Under FADP, individuals have the right to request access to their personal data. When receiving a Data Subject Access Request (DSAR), your organization must:

  • Respond within 30 days: Provide a copy of the personal data held, along with details on how and why it is being processed.
  • Ensure transparency: Explain how the data is being used and whether it will be shared with third parties.
  • Allow corrections: If the data is inaccurate, individuals have the right to request corrections.

Are there exemptions to FADP compliance?

Yes, certain exemptions may apply. For example, FADP compliance requirements may not apply to:

  • Household data: Personal data processed in the course of household activities (e.g., personal contacts, family records).
  • National security: Data processing related to national defence or security may be exempt from some obligations.

Can I be fined for data breaches even if no one is harmed?

Yes, the Swiss FADP focuses on compliance with data protection principles, not just harm caused. Even if a data breach does not result in immediate harm, non-compliance with data protection laws (such as failing to implement proper security measures) can lead to fines of up to CHF 250,000 for individuals or CHF 50,000 for companies.


Global solutions for privacy, information security and technology compliances

Advoke International
Sheikh Rashid Tower, 1703 Sheikh Zayed Rd, Trade Centre 2, World Trade Centre, Dubai, United Arab Emirates


© 2025 Advoke International. All rights reserved.

