The new Swiss data protection act is set to come into effect by 2022 - here’s what you need to know
After several years of planning, a new data protection act has passed in the Swiss parliament. The Federal Act on Data Protection (FADP), or Datenschutzgesetz (DSG) as it is known in German, is expected to come into force in January 2022 with no transition period. This blog post aims to help you prepare in order to remain compliant and avoid any penalties the new law may impose.
Before we get into the specifics of the act, how you can prepare, and what penalties exist for transgression, we need to outline what the FADP is and provide a little background on the law. If you’re more interested in the details, you can skip ahead to that section.
Please note that while we may be experts in digital marketing, we do not claim to offer legal advice, and the information contained in this blog is no substitute for proper legal counsel.
The FADP, referred to in German as the “DSG”, is essentially the Swiss counterpart of the EU GDPR regulations that came into force in May 2018. It aims to increase the transparency of how businesses deal with data and to strengthen the rights of the individuals whose data is used. While the FADP will keep Swiss companies broadly in line with the EU GDPR, there are a few differences that Swiss business owners should take into account.
Similar to the GDPR, the FADP will affect every business that operates within Switzerland or deals with data of Swiss citizens. This includes companies that are established outside of Switzerland but who process personal data belonging to a Swiss citizen.
In other words, the FADP will affect every company that deals with Swiss personal data. However, there are a few additional requirements for those companies that do not have a registered office in Switzerland.
Companies that do not have a registered office in Switzerland have to abide by the same requirements set out for Swiss companies. In addition to this, they may also be obliged to appoint a representative in Switzerland if the company in question:
Not all data is equally protected under the FADP. Here are the primary notes on what information is regulated and what does not fall under the jurisdiction of the FADP.
Like the GDPR, the FADP will regulate and protect the data of Swiss individuals, requiring that data subjects give consent and that a record of that consent be kept. However, the FADP also singles out certain categories of data, and profiling in general, for different treatment. In addition, the latest version of the FADP has expanded the scope of these definitions. We will review them shortly.
One of the more regulated categories of data includes “sensitive personal data”, which covers a wide variety of data topics, including:
In addition to these, the new FADP has expanded the scope of what classifies as “sensitive personal data” to further include:
Unlike for regular categories of data, businesses must obtain the express consent of the data subjects concerned and must furthermore notify them that their data has been obtained and for what purpose.
Any form of automated processing of personal data used to assess or predict personal aspects of a person such as work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or whereabouts is classified as “profiling”.
While profiling was the subject of vigorous debate in parliament, for the time being, it is still permissible under the current and proposed FADP. However, any profiling that includes data from the “sensitive personal data” category outlined above will be known as “high-risk profiling” and will be subject to the same regulations as sensitive personal data.
This means that any profiling that includes “sensitive personal data” will have to be conducted with express permission, with the subject notified.
It is important to note that the revised FADP is no longer applicable to data of legal persons. While this means that data processing regarding companies will not be under scrutiny, it does not extend to the processing of the data of natural persons, for example, those who work for the company (e.g. contact people, support staff, salespeople).
Individuals who are protected under the FADP and its revision may make demands that must be met by the businesses who possess, process or otherwise use their data. These rights have been expanded upon with the revised FADP and now include the following:
All individuals have the right to request information from the controllers of their data as to whether data concerning them is being processed and why. Individuals may not waive this right in advance.
The controller of the data must notify the subject:
In addition to the above information, the new, extended version of the FADP requires that the following is provided as well:
The new FADP also does away with the “in-writing” requirement of a print-out or photocopy and instead simply states that an “appropriate” form must be used. However, it should be noted that a data privacy policy will not always be sufficient.
All individuals may withdraw their consent for the possession and processing of their data or request that their data be deleted at any time. Data controllers must honour this request and remove the data from the system accordingly and promptly.
Under the new FADP, all individuals may request the handing over and transmission of their data. This data must be provided in a common electronic format or transferred to other providers upon request.
In addition to the above, data subjects now have the right to object to automated individual decisions. Individuals may state their position on the matter and demand that automated decisions are reviewed by a natural person rather than a system or automated process.
Companies that wish to process or possess the personal data of Swiss citizens have duties that they are expected to abide by. Should they fail to comply with these duties, they will be liable to a fine or criminal prosecution, as outlined below.
Should a request be made by private individuals within their rights, companies or data controllers must respect their wishes and comply within a reasonable time frame.
Data processors and businesses must now keep, and continue to maintain, a detailed record of all processing activities, as required under Swiss law.
The minimum information required is:
Data processors that experience a data breach where there is a high risk to personal data or to the fundamental rights of data subjects must, without delay, notify the Federal Data Protection and Information Commissioner (FDPIC) and the affected data subjects.
If data processing involves a high risk of a violation of sensitive personal data or of the fundamental rights of a data subject, the data controller must conduct an assessment of the risks of the processing. In the case of new technologies, extensive processing or systematic public monitoring, this risk is automatically assumed to be high.
As with the GDPR, the FADP explicitly states that the processing of personal data must be kept to the absolute minimum necessary for the intended purpose. Thus, appropriate technical and organisational measures must be taken to ensure that the default settings of applications or measures that acquire data adhere to this principle. All default user settings must also be set to “privacy-friendly” options wherever possible.
The revised FADP has extended the sanctions that the FDPIC may impose upon transgressors of the FADP. These include fines, criminal proceedings and employee or managerial culpability.
Companies and individuals who do not comply with the FADP regulations are at risk of incurring criminal sanctions in the form of a fine of up to CHF 250,000. Failure to pay the fine could result in jail time and further sanctions.
In addition to this, the FDPIC may open an administrative investigation and issue orders, which, if disregarded, may result in further criminal sanctions of the same amount.
Private individuals affected by companies in transgression of the FADP may still bring civil legal actions for removal, injunction or damages.
During the legislative process, it was noted that criminal sanctions and fines are primarily aimed at managers and not at the employees who carry out the work. However, it was also noted that, in the case of companies that do not operate with managerial functions, a fine of CHF 50,000 or less could be applied.
Finally, in cases where the offender within a business would be too difficult to single out, the company itself can ultimately be ordered to pay the fine instead of a natural person.
The revised FADP does not have a transitional period, which means that companies must begin preparing for the new FADP immediately if they want to be ready for when it comes into effect in January 2022.
Here are a few actions businesses can take to prepare for the revised FADP.
The new FADP requires that a record of consent be provided upon request for each data subject. This means that businesses should take the time now to get their databases in order before the regulation comes into effect.
Businesses should therefore begin recording consent from their data subjects now, introduce double-opt-in measures, and send reminder emails informing subjects how their data is used.
Businesses must be able to provide a record of all data processing activities upon request. For this, they need to provide the following information, at a minimum:
It would thus be a good idea to prepare this information in advance.
Companies that are based outside of Switzerland but still possess or process the data of Swiss individuals must assign a representative based in the country. Businesses that do not will be liable for a fine and an order to delete personal information.
Listening to, intercepting, scanning and storing text messages, emails and voice calls is not permitted without the user’s consent. The principle applies to current and future means of communication – including all devices connected to the Internet of Things.
User consent is required to assess, access or process any data on private devices. This means websites that use cookies or other technologies that access information stored on private devices must explicitly ask for consent to do so and provide information about the reason.
The FADP is not the only new privacy measure coming into effect. Countries around the world are beginning to take the data privacy of their citizens seriously and are imposing large fines and measures to counter companies that do not protect consumer privacy. It is better to get ahead of the trend and begin implementing privacy protection for your own business processes now rather than later.
One of the best ways to protect yourself and your customers is to ensure your policies are up to date and ready for the new influx of data protection regulations and laws. If you want to keep informed on what you need to do, the best and safest practices for digital business and the most effective way to digitally market your business, contact Demodia.
Demodia has helped hundreds of businesses and individuals survive and thrive online by providing them with the insights, guidance and support they need for success. As a digital marketing consultancy with decades worth of experience, Demodia should be your first and only choice for digital marketing and online business guidance.