Switzerland's new data protection law: How to become compliant
Switzerland’s new Federal Data Protection Act – nFADP or FADP for short – aligns federal data protection law with the EU’s General Data Protection Regulation (GDPR). Companies in Switzerland must review their handling of personal data and have measures in place to protect it by September 1, 2023.
As in the EU, the FADP also threatens severe penalties for the unlawful handling of personal data. However, the fines for non-compliance with data protection requirements (up to 250,000 Swiss francs) are imposed not on the companies but on their managing directors.
What is the new FADP?
The new regulation aligns Switzerland’s level of data protection with that of the EU, which is regulated by the GDPR, among other things. The new provisions only concern the protection of personal data of natural persons and no longer of legal entities such as associations, foundations or commercial companies.
For visitors from the EU on Swiss websites, the provisions of the GDPR already apply. For Swiss visitors on Swiss websites, the revised and rewritten Swiss data protection law now applies.
Opt-out is a general rule in the new FADP. This means that companies do not need to obtain consent as long as users are informed about the data processing activities and have the right to object to the data collection – unlike opt-in, where users must explicitly consent.
However, there are some very important exceptions.
For example, opt-in is required for:
- Data transfers to third countries without an adequate level of protection (for example, the US)
- The processing of sensitive data
- Automations (e.g., analytics to improve a personalised service).
What else is new in the FADP?
Sensitive personal data now includes not only health data, trade union membership or political views, but also biometric data such as DNA or fingerprints if they can uniquely identify a person.
The new Swiss DPA is based on two new data protection principles: Privacy by Design means, for example, that companies must systematically anonymise or delete data when it is no longer needed.
Privacy by Default means that only essential data may be processed and additional authorizations are required for the processing of other data.
If the processing of data is likely to pose a risk to users’ fundamental and personal rights, an impact assessment must be carried out under the new Swiss DPA.
The obligation to provide information has been strengthened. To ensure transparency, data controllers for private processing of data must inform users about the collection of all their personal data, not just sensitive data.
It is now mandatory to keep a register of all activities related to the processing of data. Only small companies with fewer than 250 employees are exempt, as their data processing operations do not pose a high risk of violations of personal or fundamental rights.
In the event of data privacy violations, the Federal Commissioner for Data Protection and Information must be notified immediately.
Differences from the GDPR
- Individual liability: Companies are only penalised in exceptional cases. As a rule, managing directors are liable
- Criminal liability is also possible
- Upper limit of fines: 250,000 Swiss francs
- Consent is required for the collection of sensitive data
How can companies comply with the new FADP?
Due to the new Data Protection Act, Swiss companies must have adapted their data protection measures by September 1, 2023, at the latest.
The necessary measures are similar to those required by the EU’s GDPR.
For example, website operators must inform their users about the purposes of the collection and processing of personal data and, in many cases, explicitly obtain consent.
Schrems II also has implications for Swiss companies. The Federal Data Protection and Information Commissioner (FDPIC) has removed the U.S. from its whitelist of countries with adequate levels of data protection. This means that transfers of personal data to the USA, for example using US tools such as Google Analytics, are taking place on an uncertain legal basis.
The FADP and Schrems II
The GDPR, on which the FADP is modelled, also points to a solution for the FADP: from earlier decisions of the data protection authorities of the EU member states, a recommendation has emerged for how US tools can be used in a GDPR-compliant manner, namely via a proxy.
Instead of transferring data directly to the US (or to US-operated servers in the EU), the data first reaches a server in the EU. There, the data is pseudonymised to remove identifying personal references. Only then is the data transferred to US tools such as Google Analytics. It is important that both the server and the tracking software are operated by EU companies within the EU.
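As an added illustration of the pseudonymisation step on the EU-side proxy (example code written for this article, not JENTIS’s product nor any authority’s prescribed implementation), the following Python transform replaces or strips the identifying fields of a tracking event before it is forwarded. The event field names, the HMAC key and the list of stripped query parameters are constructed assumptions.

```python
# Added example (not JENTIS code): pseudonymise a tracking event on an EU-side
# proxy before forwarding it to a US tool. Field names, key and lists are assumed.
import hashlib
import hmac
import ipaddress
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Server-held secret: stays on the EU proxy and never reaches the US tool;
# rotate it so pseudonyms cannot be linked across rotation periods.
SECRET = b"constructed-demo-key-rotate-me"
# Query parameters that commonly carry personal data (assumed list).
STRIP_PARAMS = {"email", "name", "phone", "user"}
# Raw fields that never leave the proxy unchanged.
DIRECT_FIELDS = {"client_id", "client_ip", "page_url", "user_agent"}

def pseudonymise_id(raw_id: str, secret: bytes = SECRET) -> str:
    """Keyed hash: stable within a key period, not reversible without the key."""
    return hmac.new(secret, raw_id.encode(), hashlib.sha256).hexdigest()[:32]

def truncate_ip(ip: str) -> str:
    """Keep only a coarse network prefix (/24 for IPv4, /48 for IPv6)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)

def scrub_url(url: str) -> str:
    """Drop query parameters known to carry personal data, and the fragment."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in STRIP_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))

def pseudonymise_event(event: dict) -> dict:
    """Build the forwardable event: identifying fields replaced or removed."""
    out = {k: v for k, v in event.items() if k not in DIRECT_FIELDS}
    out["client_id"] = pseudonymise_id(event["client_id"])
    out["ip_prefix"] = truncate_ip(event["client_ip"])
    out["page_url"] = scrub_url(event["page_url"])
    return out  # user_agent is dropped entirely rather than forwarded

# Constructed sample event as the proxy would receive it from the browser.
SAMPLE_EVENT = {
    "event": "page_view",
    "client_id": "GA1.2.123456789.1690000000",
    "client_ip": "203.0.113.77",
    "user_agent": "Mozilla/5.0 (constructed)",
    "page_url": "https://shop.example/checkout?step=2&email=alice%40example.org",
}
```

Calling `pseudonymise_event(SAMPLE_EVENT)` yields an event with a keyed pseudonym instead of the client id, a /24 prefix instead of the IP, a scrubbed URL and no user agent; which fields count as identifying in a real deployment must come from the impact assessment, not from this list.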
This way, website operators can continue to use their tools as usual. Companies can also use this approach to become FADP-compliant. JENTIS offers the simplest and most advanced solution for this.
Become FADP-compliant: The advantages of JENTIS
With the Data Capture Platform from JENTIS, companies can meet the requirements of the new FADP and tailor their tracking to the origin of their website visitors – depending on whether they come from the EU, Switzerland or third countries. At the core of the platform is sophisticated server-side tracking that captures first-party data with maximum quality.
JENTIS’ Privacy by Design approach allows for minimising privacy risk, differentiating between sensitive and non-sensitive data, and protecting sensitive data. In addition, the JENTIS Data Capture Platform offers maximum flexibility and other essential data protection features, such as the pseudonymisation of personal data.
This allows companies to capture their data in a privacy-compliant manner and pass it on to their existing MarTech setup without having to make major changes to the tech stack – even if the tools are US-based.
Any questions? We look forward to hearing from you!