What else is new in the FADP?
Sensitive personal data now includes not only health data, trade union membership or political views, but also biometric data such as DNA or fingerprints if they can uniquely identify a person.
The new Swiss DPA is based on two new data protection principles: Privacy by Design means, for example, that companies must systematically anonymise or delete data when it is no longer needed.
Privacy by Default means that only essential data may be processed and additional authorizations are required for the processing of other data.
If the processing of data is likely to pose a risk to users’ fundamental and personal rights, an impact assessment must be carried out under the new Swiss DPA.
The obligation to provide information has been strengthened. To ensure transparency, data controllers for private processing of data must inform users about the collection of all their personal data, not just sensitive data.
It is now mandatory to keep a register of all activities related to the processing of data. Only small companies with fewer than 250 employees are exempt, as their data processing operations do not pose a high risk of violations of personal or fundamental rights.
In the event of data privacy violations, the Federal Commissioner for Data Protection and Information must be notified immediately.
Differences from the GDPR
- Individual liability: Companies are only penalised in exceptional cases. As a rule, managing directors are liable
- Criminal liability is also possible
- Upper limit of fines: 250,000 Swiss francs
- Consent is required for the collection of sensitive data
How can companies comply with the new FADP?
Due to the new Data Protection Act, Swiss companies must have adapted their data protection measures by September 1, 2023, at the latest.
The necessary measures are similar to those required by the EU’s GDPR.
Website operators must inform their users about the purposes of the collection and processing of personal data, for example, and in many cases explicitly obtain consent.
Schrems II also has implications for Swiss companies. The Federal Data Protection and Information Commissioner (FDPIC) has removed the U.S. from its whitelist of countries with adequate levels of data protection. This means that transfers of personal data to the USA, for example using US tools such as Google Analytics, are taking place on an uncertain legal basis.
The FADP and Schrems II
The GDPR, as the role model, also offers a solution for the FADP: the previous decisions of the data protection authorities of the EU member states have crystallized into a recommendation for how US tools can be used in a GDPR-compliant manner, namely via a proxy.
Instead of transferring data directly to the US (or to US servers in the EU), the data first reaches a server in the EU. There, the data is pseudonymized to remove personal references. Only then is the data transferred to US tools such as Google Analytics. It is important that EU companies in the EU operate both servers and tracking software.
This way, website operators can continue to use their tools as usual. Companies can also use this approach to become FADP-compliant. JENTIS offers the simplest and most advanced solution for this.
Become FADP-compliant: The advantages of JENTIS
With the Data Capture Platform from JENTIS, companies can meet the requirements of the new FADP and tailor their tracking to the origin of their website visitors – depending on whether they come from the EU, Switzerland or third countries. At the core of the platform is sophisticated server-side tracking that captures first-party data with maximum quality.
JENTIS’ Privacy by Design approach allows for minimising privacy risk, differentiating between sensitive and non-sensitive data, and protecting sensitive data. In addition, the JENTIS Data Capture Platform offers maximum flexibility and other essential data protection features, such as the pseudonymisation of personal data.
This allows companies to capture their data in a privacy-compliant manner and pass it on to their existing MarTech setup without having to make major changes to the tech stack – even if the tools are US-based.