New Swiss Data Protection Law: Everything You Need to Know

The new Swiss Data Protection Act (nFADP) will come into force on September 1st in Switzerland. In this article, we review the key points of this reform with Bettina Barjon, Data Protection Advisor at KHEOPS Technologies.

First, why was a revision of the Swiss Data Protection Act necessary?

The current Swiss Data Protection Act (DPA) dates back to 1992. Since then, the emergence and widespread use of the Internet have led to the mass collection of personal data. A revision of the law was therefore necessary to take these technological and societal developments into account, in order to better protect individuals’ privacy and personal rights.

The compatibility between Swiss and European law is also a key reason for this revision. In order for personal data to be processed across borders without legal complexity, Switzerland must benefit from an adequacy decision—meaning that its level of data protection is considered equivalent to that of the European Union.

Switzerland currently benefits from such a decision, but it is under review by the European Commission. The adoption of the new Swiss Data Protection Act is therefore also part of this broader context.

What are the main changes introduced by this new law?

In broad terms, the new Swiss Data Protection Act (nFADP) adopts a risk-based and compliance-oriented approach and strengthens transparency requirements.

We are moving from a system in which certain data files had to be declared to the Federal Data Protection and Information Commissioner (FDPIC) to a system where organizations that process personal data must be able to demonstrate their compliance, similar to the approach taken under European legislation.

It will therefore be the responsibility of data controllers and processors to prove that their data processing activities are compliant. This requires, as a first step, mapping data processing activities in order to assess their compliance.

In practical terms, it becomes mandatory to:

  • Provide detailed information prior to any collection of personal data. Only data relating to natural persons is now concerned;
  • Maintain a record of processing activities (with an exception for companies employing fewer than 250 people whose data processing presents limited risk);
  • Delete or anonymize data when it is no longer necessary;
  • Apply the principles of privacy by design and privacy by default;
  • Carry out data protection impact assessments when processing presents high risks;
  • Notify data security breaches (including accidental breaches) to the FDPIC as soon as possible when there is a high risk to the personality or fundamental rights of the data subject. The data subject must also be informed if necessary or if required by the FDPIC;
  • Take into account certain rights that are newly introduced or strengthened under the new law, such as the right to data portability and the right of access.

The concept of profiling is also formally introduced into the legislation.

La Rédaction

Our editorial team keeps you informed of the latest news and developments.