How to navigate the Swiss Federal Act on Data Protection
As of September 1 2023, Switzerland has taken a significant step forward in data protection with the implementation of the revised Swiss Federal Act on Data Protection (revFADP). This updated legislation replaces the older 1992 law, and more closely aligns Switzerland's data privacy standards with the European Union's General Data Protection Regulation (GDPR).
Rooted in the Swiss Constitution, Article 13 guarantees privacy in private life, homes, mail, and telecommunications. This long-standing commitment is now extended through the revFADP, addressing the complexities and demands of the digital age.
Bridging with the EU
Switzerland, though not an EU member, has made a strategic move by aligning its data protection laws with the GDPR. It is more than legal conformity; it’s a bridge facilitating smoother data exchange and compliance for businesses operating both in Swiss and EU jurisdictions.
Some of the key revisions of the revFADP include:
Expanding the legal horizon: the law now stretches to activities impacting Switzerland, regardless of their geographical origin.
A Swiss representative for global players: non-Swiss companies operating in their jurisdiction/ using their citizens’ data must now appoint a local representative, anchoring their accountability in Swiss jurisdiction.
Empowering the individual: the revFADP enhances individual rights. For example, it extends the sensitive data definition, introduces mandatory data processing records, and enhances consent requirements for profiling.
Data breach notification changes: in the event of data breaches, a swift notification to the Federal Data Protection and Information Commissioner (FDPIC) and affected individuals is not just good practice - it is now a mandate.
The cost of non-compliance: imposes hefty fines of up to CHF 250,000 for violations.
How does this affect visual data?
The revFADP brings a focused approach to video privacy and visual data. Consent, transparency, and data minimisation are pivotal. The law mandates explicit consent for video recordings and ensures that individuals understand the purpose of data collection.
The rights to access and request deletion of personal visual data are strengthened. Organisations must implement robust security measures for video data and conduct DPIAs for extensive surveillance systems, balancing technological advancements with privacy considerations.
Swiss-EU data adequacy
The revFADP is expected to maintain Switzerland's adequacy status with the European Commission, granted in 2000. This status indicates that Swiss data protection levels are equivalent to those in the EU, and facilitates seamless data exchange between Switzerland and EU countries. The revFADP's alignment with GDPR reinforces this status, ensuring ongoing ease of data flow across borders.
Looking ahead, businesses with Swiss connections must acquaint themselves with the nuances of the revFADP. While there are parallels with the GDPR, distinct attention and compliance strategies are essential. Data protection officers are tasked with regularly reviewing processing activities and updating privacy notices in line with the revFADP.
In embracing the revised Swiss Federal Act on Data Protection, Switzerland reaffirms its commitment to robust data privacy standards. This development not only adapts to the current digital environment but also sets a precedent for the future of data protection, balancing individual rights with technological progress.