The new Swiss Federal Act on Data Protection (nFADP) will come into force on September 1, 2023. In this blog post, we’ll show you how you can implement the most important measures in your company now.
We are not lawyers. Our recommendations are therefore based on, but not limited to, opinions from the most renowned Swiss data protection attorneys. Our goal was to gather all the relevant information for companies in one place and make it as easy as possible to implement by means of checklists and templates.
Introduction
The current Swiss Federal Act on Data Protection (FADP) has become outdated. At its core, it dates back to 1992, when the web was three years old, Mark Zuckerberg was only eight and the technical possibilities for collecting and processing data were not comparable with today.
So firstly, it needs to be adapted to the current circumstances. Secondly, the new Data Protection Act (nFADP) also has a political dimension. Namely, the EU has recognized data protection in Switzerland as equivalent to that in the EU through a so-called “adequacy decision”. This enables companies in the EU and Switzerland to exchange and process data between them in a legally secure manner.
However, since the EU significantly increased privacy requirements with the General Data Protection Regulation (GDPR), data protection in Switzerland has lagged behind. So the country had to react and brought the Swiss level of protection in line with the EU standard. However, Switzerland would not be Switzerland if it did not go its own way to some extent after all. The nFADP gives more flexibility and fewer specific minimum requirements than the GDPR. It is somewhat stricter in the area of data transfers to foreign countries.
Overall, the nFADP gives individuals more control over their personal data, more rights in terms of transparent information and more protection against unwanted data use. At the same time, this means more obligations for companies to provide data security and data subjects’ rights.
Project planning
It’s important to be aware from the outset that implementing the new privacy rules will likely take several months and can’t be done on the fly.
A reasonable amount of time as well as human and financial resources are required to ensure that at least the essential measures can be implemented as soon as possible. (By now we have some experience in this and can offer support as external consultants).
Therefore, the first step of the process is project planning. This includes at least the following tasks:
- Get well informed about the new data protection law (you’re already doing that by reading this blog post 🙂)
- Define clear responsibilities and roles for the planning and execution of the project
- Allocate the necessary financial and human resources
- Identify the areas in your company that are relevant for data protection, i.e. the areas where personal data is processed
- Identify the necessary technical and organizational measures to achieve compliance with the nFADP
- Clarify the project process and plan the individual steps
- Set a realistic time schedule
By carefully preparing the project, your company will lay the foundation for a successful implementation of the new data protection rules, which we will explain to you below.
Processing directory
The Swiss Federal Act on Data Protection now requires companies to create a processing directory in which all processing activities of personal data are recorded. The processing directory is thus an inventory of all privacy-relevant processing steps of a company.
Such an inventory is also required by the European GDPR. If your company already has to comply with the GDPR, it is very likely that you already have an appropriate directory. Since the minimum contents for the processing inventory required in Switzerland are also included in the requirements of the GDPR, an inventory created for the EU can be adopted 1:1.
In Switzerland, the creation of a processing directory is generally only mandatory for companies with 250 or more employees. Smaller companies only need a processing directory if they process highly sensitive personal data on a large scale or if they carry out profiling with a high risk to personal privacy.
However, the creation of a processing directory is almost indispensable even if your company is not legally obligated to do so according to the Swiss nFADP. This is because a processing directory provides a comprehensive overview of all data processing within the company. That is why this point is listed here first. The processing directory provides a solid basis on which all subsequent measures can be reliably planned and implemented. It ensures that nothing is overlooked.
In any case, the processing directory is for internal use only and must be made available to the supervisory authorities only upon request. The exact format for the processing directory is not prescribed; we recommend an Excel spreadsheet.
The processing directory must first contain all the necessary information on the identity of the person responsible, i.e. details of the company with address and contact details. It makes sense to keep the actual inventory in tabular form and group it by departments. The table must contain at least the following mandatory fields:
- Description of the processing activity
- Purpose of processing
- Description of the category(ies) of data subjects
- Description of the categories of the personal data being processed
- Categories of recipients of personal data (internal and external)
- Data transfer to third countries with information on security
- Retention periods and deletion policy
- Description of technical and organizational measures to ensure data security
We have created an Excel template for you to use as a processing directory. It is based on a sample template created by the legal service of SWICO. You can download it for free (in German):
This is how you can approach the task of creating the processing directory:
- Create an appropriate file or download our template and check whether the mandatory fields are sufficient for your company or need to be expanded
- Identify the departments where personal data is collected
- Train your staff on how to fill out the Excel spreadsheet correctly and what information needs to be collected
- Have the departments record all processing activities
- Review the collected inventories to ensure accuracy and completeness
- Compile the results into a single spreadsheet: Collect all the information from the different departments and merge it into one central spreadsheet
- Implement a process for updates: determine at what intervals the spreadsheet will be updated to ensure that changes in data processing are incorporated on a regular basis. This must be done at least annually
Creating a processing directory allows you to identify what content your privacy policy must contain, with which data processors you must sign contracts, which cross-border transfers need to be secured, which data individuals can ask for in an access request, which data processing activities individuals must be informed about in advance, and where additional technical and organizational measures are required to adequately protect personal data – in short, the processing directory is the basis for the entire transition to the new data protection law.
Privacy Policy
The privacy policy is the shop window of your company’s data protection measures. As such, its purpose is not only to comply with legal requirements, but also to build trust with your customers and visitors. Therefore, try not to simply compile the mandatory content, but to design it in a good and appealing way. It is worth investing in this point in particular.
To revise your privacy policy, you need an overview of all processing activities of your company – i.e. a processing directory. The privacy policy is basically a much simplified version of this directory, bundled by category. It should primarily aim to be written in a comprehensible way and be clearly structured.
If you already have a GDPR-compliant privacy policy, you can adopt it almost 1:1, as the Swiss Federal Act on Data Protection specifies less mandatory content. The only important adjustment is that the nFADP requires the mention of all countries to which data is exported.
Unlike the GDPR, the nFADP does not generally require you to appoint a data protection officer. However, you can optionally appoint an (internal or external) data protection advisor for your company. This person is the contact point for data subjects as well as for the Federal Data Protection and Information Commissioner (FDPIC). He or she trains and advises the company on data protection issues and assists in the application of data protection regulations.
To ensure that your privacy policy complies with the legal requirements of the nFADP, the following information should be included:
- Identity and contact details of the data controller: Provide your company name and, if applicable, the data protection advisor
- Information on how to exercise data subject rights: provide contact information by which data subjects can submit access requests
- Categories of collected data: such as address data, website usage data, cookies, and interests. Also explain the data sources
- Purposes of collecting personal data: such as the sale of products, entering into contracts, development of the website, marketing, logistics and financial accounting. If applicable, mention the software (category) used and the purpose of the processing with the respective software
- Third parties or categories of third parties with whom the data is shared: such as suppliers, government agencies, software and hosting providers. It is particularly important to name the countries to which data is exported
- Data retention policies: Explain how long the data collected will be retained and the criteria for deleting it
- If relevant: Information on carrying out automated individual decisions
You can find an excellent example (in German) of a transparent and trust-building privacy policy at the Nidwaldner Kantonalbank (not only because we are featured 😉). The law firm Wicki Partners also provides text modules for the privacy policy, among other helpful resources on the nFADP.
The following steps can help you revise your privacy policy:
- Collect and document all processing activities in your company
- Group processing activities by data category, processing purpose, processor, and retention criteria
- Revise your privacy policy. You can also include the affected departments
- Place references to your privacy policy on your website, in e-mails, and in apps
- Implement a process for updates. Determine at what intervals your privacy policy will be updated to ensure that changes are incorporated regularly. At least annual updates are recommended
If you have little capacity, it is also possible to use a service such as the privacy policy generator from Datenschutzpartner.ch (only available in German). The generator creates a legally compliant privacy policy and takes into account both the nFADP and the DSGVO (the German acronym for the GDPR). Among the more than 300 third-party services included you will also find Friendly Automate and Friendly Analytics. Note, however, that there too you must know and carefully enter all your processing activities. The time-consuming process of collecting and documenting all processing activities is therefore indispensable.
Last but not least, make sure you communicate your privacy policy. Be generous and place notices on your website, in the footer of your e-mails, in apps and wherever data processing takes place. The effort is only worthwhile if your customers and visitors are actually aware of the privacy policy.
Data processing by third parties
If you as a company pass on personal data to external service providers, you are legally obliged under the nFADP to ensure comparable data security standards. You achieve this by concluding data processing agreements (DPAs).
It is important to note that you, as the data controller, are always liable for the security of the data you pass on. The conclusion of the DPAs is also your responsibility as controller, not the responsibility of the data processor. The data processor only acts on your behalf and is obliged to ensure an equivalent level of data protection.
If you are already subject to the GDPR and have concluded corresponding DPAs with your data processors, only a small adaptation is needed: refer to the Swiss FADP in addition to the GDPR.
The nFADP does not prescribe any minimum content for the data processing agreement. It is recommended to follow the requirements of the GDPR. Based on this, we recommend the following content:
- Identification of the parties: Information about the contracting parties and their roles as data controller and data processor
- Purpose of the data transfer/data processing: The purpose and type of data processing should be defined
- Obligation of the third party to follow instructions: The data processor acts exclusively in accordance with your instructions
- Confidentiality: Rules on the non-disclosure of the transferred data
- Data security: Measures and standards for securing the data against unauthorized access, loss or theft
- Sub-processing: If the data processor wishes to pass on the data to third parties, your express consent is required to do so
- Breach notification requirements: Establish procedures and deadlines for reporting data breaches
- Support obligations: Regulation of responsibilities in the event of data security breaches or access requests
- Audit rights: Agree on the possible implementation of data protection audits
- Return/deletion of data: Regulations on how to deal with the data after the end of order processing
Here’s how to legally secure your third-party processing activities:
- Get an overview of all data processors with whom you share personal data
- Use sample contracts and adapt them according to your needs, or ask the processors whether they offer their own sample contract (here is our own DPA).
- Negotiate the exact contract content with each data processor individually.
- Conclude the contracts and keep them: After all the details are settled, sign the DPAs and keep them safe to prove your legal compliance.
Note that these regulations only apply to processors in Switzerland or in safe third countries. For transfers abroad, special precautions are necessary, which we explain in the next chapter.
Cross-border data transfers
When it comes to transferring personal data to foreign data processors, you must exercise particular caution. As a data exporter, it is your responsibility to ensure that the data importer abroad complies with security standards comparable to those required in Switzerland.
Right from the start: Data transfer to insecure third countries is possible under the nFADP under certain conditions, but always involves additional effort and risks. Bear in mind, therefore, that there are alternatives, namely not sending the data abroad at all and switching to Swiss or European providers instead.
The data transfer is unproblematic if it goes to a safe third country. Switzerland has defined a list of safe third countries, which mainly includes the countries of the EU.
Unsafe third countries include the USA, which can make cooperation with companies based there problematic. However, the European Commission recently recognized a new EU-US data protection framework that introduces new binding data protection safeguards. As a result, EU companies are now allowed to work with U.S. data processors without further safeguards.
Switzerland is also in discussions with the U.S. to establish a similar framework. So far, however, the list of safe third countries remains unchanged. So for data transfers to the U.S. (and other insecure third countries), you need to take special precautions.
What this means is that you have to sign a contract with the data processor that contains special data protection clauses. It is possible to draft these yourself, but this is not recommended, as you will then be subject to a special obligation to notify the Swiss data protection authority.
Instead, it is safer to use the so-called standard contractual clauses (SCCs) developed by the EU and recognized by Switzerland. Note, however, that even these do not imply unrestricted clearance. The SCCs require that you, as the data controller, perform your own risk analysis to check whether the legal situation in the third country makes access to the data by authorities possible and likely. If this is the case, the SCCs alone are not sufficient; the transmitted data must then be additionally secured, for example through encryption.
The Swiss data protection authority has published instructions for conducting such a risk analysis.
If your risk analysis concludes that the legal situation in the third country does not prevent adequate data protection, you can use the EU standard contractual clauses. You do this by creating an agreement that incorporates the text of the SCCs verbatim. However, there are some places where contextual adjustments can and must be made; these are marked accordingly.
If you use the SCC from Switzerland, you must supplement them according to the requirements of the FDPIC with an annex. In this annex, it must be made clear that the term “Member State” must be extended so that data subjects in Switzerland can also assert their rights under clause 18c. Furthermore, it must be clarified that references to the GDPR are to be understood as references to the nFADP wherever data transfers are subject to the nFADP.
In summary – here’s how you should go about securing your cross-border transfers:
- Make an overview of all your data processors abroad.
- Create an agreement with each data processor and include the SCC.
- Read the SCC carefully and adapt them to your context only where explicitly necessary.
- Finalize the contracts and keep them to prove your legal compliance.
Finally, you must inform the data subjects about the cross-border data transfer. Your revised privacy policy must contain this information. If data subjects submit an access request to you, you must also inform them about the countries to which you have transferred their data and how you have secured these data transfers.
Even if it is possible to transfer personal data abroad in this way, you should ask yourself whether it still makes sense in each particular case. Not only does it mean extra work and legal uncertainty, but your customers and visitors may not appreciate sharing their data with US corporations.
It’s safer and strengthens the Swissness of your business if you switch to Swiss providers instead. In most cases, there are suitable alternatives from Switzerland or Europe.
With Friendly we offer two software alternatives: Friendly Automate for Marketing Automation and Friendly Analytics for Web Analytics, both fully hosted in Switzerland (or Germany upon request).
Data subject rights
When you process personal data, data subjects have various rights. Generally, data subjects are entitled to all the information they need to assert their rights and ensure transparent data processing. Specifically, they have the right to:
- Information about any data processing
- Information about cross-border data transfer
- Access to their stored data
- Data portability
- Correction and deletion of data
- Revocation of consent
- Complaints to the supervisory authority (FDPIC)
These rights can be divided into two groups:
- The first two rights are for information before any data processing happens and are already covered by the privacy policy. Data subjects have a right to transparent information about what personal data is collected and processed and when. This means that you must refer to the privacy policy every time you collect data.
- All further rights – the rights to request access, data portability, correction and deletion, revocation and the right of complaint – are rights that data subjects must exercise themselves. The right to complain only has something to do with you if a complaint about your company is received by the FDPIC. Hopefully, this will not be the case if you comply with the data protection obligations to the best of your knowledge. You should actively prepare for the other rights mentioned by implementing internal processes for inquiries.
In particular, you need to prepare for the rights of access and data portability, as some specific rules apply here.
The new Swiss data protection law states that data subjects have a right to know what personal data is stored in your company. When a person requests access to their data, you must first verify their identity, for example, through an ID, a known e-mail address, or a user account. This is because data subjects are only allowed to know what data is stored about them personally. If data contains information about other persons, it may not be disclosed.
The information must be provided in writing or electronically within 30 days. You must provide the information free of charge, unless the effort is disproportionately high or a request is made more than once a year.
In a few cases, you have the right to refuse to provide the information. This is the case if the disclosure violates professional confidentiality, if there are significant interests of third parties, or if the persons concerned pursue abusive purposes.
It is always the data controller who must provide the information, not other data processors. However, you can ensure the support of your data processors in providing information via the data processing agreement (DPA).
This is the required minimum content of the response to an access request:
- Identity and contact details of the data controller
- The personal data collected, e.g. name, address, e-mail address, date of birth, etc.
- Purposes of processing
- Criteria for storage and deletion of the data
- Information on the origin of those personal data that were not given by the person themselves
- Where applicable: third parties or categories of third parties with whom the data has been shared
- Where applicable: transfer of personal data to foreign countries, including the security measures taken
In addition to the right to access, data subjects also have the right to data portability. This means that, upon request, they can have their data handed over to them in a standard electronic format, for example in order to hand it over to another data controller. This type of request differs from pure information in that you are not allowed to transmit the data as a print letter or PDF document; instead, you must choose a data format that allows electronic, structured, automatic reading. The format depends on the data set and can be, for example, a CSV or XML file.
In this request, you must provide only certain data: on one hand, data that the data subject has voluntarily given to your company, and on the other hand, data that has been directly observed through the behavior of the person (for example, data from a fitness tracker or purchases in an online store). Information derived through data analysis and data from third-party sources do not have to be disclosed. Apart from that, the rules and restrictions are the same as for the right to access, such as that you have to hand over the data free of charge, or that you can refuse the request if there are relevant reasons.
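The distinction just described (only data the subject provided or that was directly observed is portable; derived and third-party data is not) and the requirement for a structured, machine-readable format are easy to get wrong in an ad-hoc export. The following Python script is an added example, not code from the original post or from Friendly: it tags each stored attribute with a provenance label, filters a subject's data down to the portable subset, and serialises it as CSV and JSON. The provenance labels, field names, subject ids and sample records are all constructed for this example.

```python
"""Added example: build a data-portability export containing only the
data a subject may take with them (provided + observed), filtering out
derived and third-party data, and emit it in a structured format."""
import csv
import io
import json

# Provenance labels are an assumption of this example; in practice they
# would come from the data model / processing directory.
PROVIDED = "provided"        # entered by the data subject (e.g. a web form)
OBSERVED = "observed"        # directly observed behaviour (e.g. purchases)
DERIVED = "derived"          # inferred via analysis (e.g. an interest score)
THIRD_PARTY = "third_party"  # received from another controller

PORTABLE = {PROVIDED, OBSERVED}

# Constructed sample data store: one row per stored attribute, tagged with
# its origin. Subject ids and values are hypothetical.
DATA_STORE = [
    {"subject_id": 42, "field": "name", "value": "Anna Muster", "source": PROVIDED},
    {"subject_id": 42, "field": "email", "value": "anna@example.ch", "source": PROVIDED},
    {"subject_id": 42, "field": "last_order", "value": "2023-08-14", "source": OBSERVED},
    {"subject_id": 42, "field": "interest_score", "value": "0.87", "source": DERIVED},
    {"subject_id": 42, "field": "credit_rating", "value": "A", "source": THIRD_PARTY},
    {"subject_id": 7, "field": "name", "value": "Beat Beispiel", "source": PROVIDED},
]


def portable_rows(store, subject_id):
    """Rows that belong to this subject AND are portable.
    Filtering on subject_id first ensures nothing about other persons
    can leak into the export."""
    return [
        row for row in store
        if row["subject_id"] == subject_id and row["source"] in PORTABLE
    ]


def export_csv(store, subject_id):
    """Serialise the portable subset as CSV (structured, machine-readable,
    unlike a letter or PDF)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["field", "value", "source"])
    for row in portable_rows(store, subject_id):
        writer.writerow([row["field"], row["value"], row["source"]])
    return buf.getvalue()


def export_json(store, subject_id):
    """Same content as JSON, for importers that prefer it."""
    return json.dumps(
        {row["field"]: row["value"] for row in portable_rows(store, subject_id)},
        sort_keys=True,
    )


if __name__ == "__main__":
    print(export_csv(DATA_STORE, 42))
```

The same filter also illustrates why the provenance of each attribute belongs in the processing directory: without it, an export tool cannot tell a self-reported address from one bought from a data broker, and will either over-share or under-deliver.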
Data subjects also have the right to have their data corrected and deleted, and the right to revoke any given consent. These two rights require little preparation. You just need to make sure that, in both cases, internal policies are in place to manage consents and delete or correct records.
Here’s how you can proceed to prepare for data subject requests:
- Identify all locations in the company where personal data is stored. This should be evident from the processing directory, if you have created one
- Make sure there is a way to export this data in a structured way
- Develop and implement internal processes to handle requests (a separate process for requests for access, data transfer, correction or deletion of data, and revocation of consent)
- Create sample letters for the various requests
- Define the responsibilities for responding to requests and train the employees involved
Data security through TOMs
The new Swiss Data Protection Act also contains regulations on data security. Your company must ensure that the processed data is protected as best as possible against unwanted access and that privacy is guaranteed in the most suitable way.
One challenge in the legislation is that the specific measures required to achieve this can change rapidly with technological developments and become outdated. Therefore, the law first establishes two general principles, Privacy by Design and Privacy by Default, and indicates that these must be implemented with appropriate up-to-date technical and organizational measures (TOMs). The law then leaves open what these measures might be.
In addition to the new Data Protection Act, however, the Swiss Data Protection Ordinance (DSV, not available in English) was also issued. It contains important detailed guidelines on the nFADP, especially on data security. They are intended mainly as a guide, and it is still unclear whether non-compliance with these regulations can be subject to criminal sanctions. But you can face complaints and conditions from the supervisory authority if you don’t make sufficient efforts to ensure data security.
The first principle for data security is Privacy by Design. This means that data protection must be ensured in the best possible way by the technology used. The measures must be proportionate to the state of the art. So you need to consider what has been proven effective in practice and incorporate these standards into your technical setup. This may include encryption, anonymization and access restrictions.
The second principle is Privacy by Default. This means that default settings for data processing must always be set in such a way that only data that is absolutely necessary for the intended purpose is processed, and that data is only passed on to third parties where absolutely necessary. No hidden default settings may be made to which users must give their tacit consent. The persons concerned must consciously and actively authorize further processing.
The guidelines for implementing these principles in the DSV first state that absolute security is not required. It is to be accepted that a residual risk remains and may even materialize in a data protection breach at some point. What is important is that a reasonable range of measures is taken at all.
What is considered appropriate depends on the degree of protection required for the personal data in question, the risk to the data subjects, the state of the art, and the financial and time resources required for implementation. In order to know what is appropriate, one can explicitly also be guided by the requirements of the European GDPR. Although Switzerland does not specify any concrete minimum requirements, companies should be able to assume that they are also adequately protected in Switzerland if they comply with the requirements of the GDPR in this regard.
In the assessment of the necessary measures, one can also be guided by the protection goals. The processed data should:
- be treated confidentially, i.e. only be accessible to authorized persons
- be available when it is needed
- be protected from unauthorized or unintentional modification, and
- be processed in a traceable manner.
From this, the DSV derives a list of control measures that is intended as a didactic aid. With this list, you can pragmatically assess and improve the level of protection in your company. It is important to mention that the measures listed here are not absolute requirements; the implementation effort may be weighed against the risk. This means that data processing that entails a high risk for the personality or the fundamental rights of the data subjects requires a high level of data security, while personal data with a low risk also requires less protection.
Measures for confidentiality:
- Access control 1: authorized persons should have access only to those personal data that are necessary for the performance of their duties.
- Access control 2: Only authorized persons should have access to premises or facilities where personal data are processed.
- User control: Users of processing systems should be required to identify themselves and use by unauthorized persons should be prevented.
Measures for availability and integrity:
- Data carrier control: data carriers must be protected against unauthorized reading, editing, copying, deletion, and destruction.
- Memory control: Personal data in memory must be protected against unauthorized reading, modification, storage, deletion or destruction.
- Transport Control: Personal data must be protected from unauthorized reading, modification, storage, deletion, or destruction during transfer or transport.
- Recovery: The availability of personal data must be quickly restored in the event of an incident.
- Availability, reliability, and data integrity: personal data must always be available, system malfunctions must be reported immediately, and personal data must not be corrupted by system malfunctions.
- System security: Operating systems and software must always be kept up to the latest security standards and known critical gaps must be closed.
Measures for traceability:
- Input control: It should be made possible to check which person has entered or changed personal data at which point in time.
- Disclosure control: It should be possible to check which personal data is shared with which recipients.
- Detection and elimination of data security breaches: Data security breaches should be detected quickly and measures to mitigate or eliminate the consequences should be taken quickly.
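Two of the controls above translate directly into code: "access control 1" (a role only reaches the fields its duties require) and "input control" (who changed which personal data, and when). The following Python class is an added example, not code from the original post, from the DSV or from Friendly: it enforces a per-role field allow-list on every write, records each write and each denied attempt in an audit log, and chains the log entries with SHA-256 so that later tampering with the log is detectable. The roles, field names, user ids and timestamps are constructed for this example.

```python
"""Added example: a small record store with least-privilege field access
and a hash-chained audit log of all changes to personal data."""
import hashlib
import json

# Role -> fields that role may read or change. Constructed for this example.
PERMISSIONS = {
    "support": {"name", "email"},
    "finance": {"name", "invoice_address"},
    "hr": {"name", "email", "invoice_address", "health_note"},
}

GENESIS = "0" * 64  # previous-hash value for the first audit entry


def _entry_hash(entry):
    """Hash of everything in the entry except its own hash field."""
    body = json.dumps({k: v for k, v in entry.items() if k != "hash"}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


class AuditedStore:
    def __init__(self):
        self.records = {}    # subject_id -> {field: value}
        self.audit_log = []  # hash-chained list of change entries

    def _append(self, entry):
        entry["prev"] = self.audit_log[-1]["hash"] if self.audit_log else GENESIS
        entry["hash"] = _entry_hash(entry)
        self.audit_log.append(entry)

    def write(self, user, role, subject_id, field, value, when):
        """Change one field of one subject. Returns True on success and
        False if the role is not allowed to touch that field; both outcomes
        are logged (who, what, when, old and new value)."""
        base = {"when": when, "user": user, "role": role,
                "subject": subject_id, "field": field}
        if field not in PERMISSIONS.get(role, set()):
            self._append({**base, "action": "denied"})
            return False
        rec = self.records.setdefault(subject_id, {})
        old = rec.get(field)
        rec[field] = value
        self._append({**base, "action": "write", "old": old, "new": value})
        return True

    def history(self, subject_id, field):
        """Input control: every recorded change of this field for this subject."""
        return [e for e in self.audit_log
                if e["subject"] == subject_id and e["field"] == field
                and e["action"] == "write"]

    def verify_chain(self):
        """Detect tampering: every entry must hash to its stored hash and
        point at the hash of the entry before it."""
        prev = GENESIS
        for e in self.audit_log:
            if e["prev"] != prev or _entry_hash(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


if __name__ == "__main__":
    s = AuditedStore()
    s.write("u1", "support", 42, "email", "anna@example.ch", "2023-09-01T10:00:00")
    s.write("u1", "support", 42, "health_note", "x", "2023-09-01T10:01:00")  # denied
    print(json.dumps(s.audit_log, indent=2))
```

In a real deployment the log would be written to append-only storage that the application accounts cannot rewrite; the hash chain only makes tampering visible, it does not prevent it, which is why the DSV lists detection and breach handling as separate measures.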
As mentioned, the measures should be kept in reasonable proportion to the risk. In particular, traceability measures, i.e., the accurate tracking of data entries and the handling of data security breaches, are only relevant for your company if errors or losses in the data records can have potentially serious consequences for the data subjects. Therefore, perform a risk analysis and find out what level of protection is generally considered appropriate for this type of data processing.
These steps can then help you implement the appropriate TOMs:
- Identify a person in your company to coordinate the process of implementing the measures. This can be your data protection advisor, if your company has appointed one.
- Based on the list of measures, identify potential vulnerabilities and risks related to data processing in your company. Also check whether the principle of privacy by default is adhered to.
- Clarify with the relevant departments and IT specialists what measures can be taken to increase data security. On the technical side, these can include improved access controls, encryption, backups, data deletion and system updates; on the organizational side, processing regulations, training, emergency plans and documentation.
- Create a priority list and monitor implementation.
- Implement a process to regularly review and update TOMs to ensure they remain relevant to current threats and requirements.
In conclusion, it can be said that the implementation of the appropriate TOMs is always about improvement, not about absolutely achieving perfect protection. A residual risk, including the risk of a complaint, will always remain. As stated, to the best of our knowledge, it is still unclear whether and how you can be criminally sanctioned if you have not ensured adequate protection of data. In case of a complaint, you have the opportunity to comply with the demands within a set period of time. However, you should be able to prove that you have studied the guidelines and are continuously working on improving data security.
Extra: E-mails
With Friendly Automate we offer a Swiss software for marketing automation and newsletter sending. Therefore, we would also like to inform you about the requirements you need to be aware of when sending e-mails. The information in this chapter refers in part to other applicable Swiss laws, such as the competition law, in addition to the nFADP. To the best of our knowledge, they reflect the current legal status in Switzerland.
What has remained the same: You may always send transactional e-mails. These are e-mails (also automated ones) that refer to a specific correspondence or a specific request from your customers or leads.
According to the Swiss law against unfair competition (UWG Art. 3), you may send marketing e-mails without separate consent if a contractual relationship already exists – for example, through a purchase that has already been made – but only for your own similar offers, and only if the customer was given the opportunity to refuse such messages when their contact details were collected.
Beyond that, you may only send marketing messages to recipients with explicit consent and clear information. This means that you cannot tacitly imply to your leads and customers that you will send them additional marketing messages when they enter data. Instead, the option to receive advertising messages must be actively selected by the recipients. The consent must also not be linked to other (possibly necessary) consents.
To ensure that a person has really entered their own e-mail address and actively consented to receive messages, double opt-in (DOI) has become the standard. With double opt-in, the interested person receives a confirmation e-mail after entering their address, containing a link they must click to confirm the subscription. This prevents someone from subscribing an address they do not control. A weaker variant is the confirmed opt-in (COI), in which a confirmation e-mail is sent but contains no link that must be clicked. However, neither DOI nor COI is required by law in Switzerland, and Swiss courts recognize single opt-in (SOI) as sufficient evidence of consent. It is therefore up to you to decide whether you want the extra safeguard or whether higher registration rates through the simpler SOI matter more to you. Whichever you choose, record when, where and how consent was given, because that record is what you will need to produce if consent is ever disputed.
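The double opt-in process described above, as an added example that is not part of the original post and not Friendly Automate's code: the confirmation link carries an HMAC-signed token that binds the address to an expiry and a one-time nonce, so a tampered, expired or replayed link is rejected, and a successful confirmation is stored together with the sign-up metadata as evidence of consent. The 48-hour token lifetime, the in-memory store and the record fields are assumptions; a real system would persist the records in the CRM.

```python
# Added example (not code from the original post or from Friendly Automate):
# a minimal double opt-in flow with signed, expiring confirmation tokens and a
# consent record that can later be produced as evidence. The 48-hour token
# lifetime, the in-memory store and the record fields are assumptions.
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 48 * 3600  # assumption: a confirmation link is valid for 48 h


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(email: str, secret: bytes, now: Optional[float] = None) -> str:
    """Create an HMAC-signed token binding the address, an expiry and a one-time nonce."""
    now = int(time.time() if now is None else now)
    payload = json.dumps(
        {"email": email.strip().lower(),
         "exp": now + TOKEN_TTL_SECONDS,
         "nonce": secrets.token_hex(8)},
        separators=(",", ":"), sort_keys=True,
    ).encode("utf-8")
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(sig)}"


def verify_token(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the token's payload if the signature is valid and it has not expired, else None."""
    now = int(time.time() if now is None else now)
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _b64d(payload_b64), _b64d(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time check; rejects any tampering
        return None
    data = json.loads(payload)
    if now >= data["exp"]:
        return None
    return data


class ConsentRegistry:
    """Stand-in for the CRM's consent table (assumption: a real system persists this)."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = {}    # nonce -> metadata of the not-yet-confirmed sign-up
        self._confirmed = {}  # email -> consent record

    def request(self, email: str, form: str, source_ip: str, now: Optional[float] = None) -> str:
        """Step 1: a form was submitted; return the token to embed in the confirmation e-mail."""
        now = int(time.time() if now is None else now)
        token = issue_token(email, self._secret, now)
        nonce = verify_token(token, self._secret, now)["nonce"]
        self._pending[nonce] = {"form": form, "ip": source_ip, "requested_at": now}
        return token

    def confirm(self, token: str, now: Optional[float] = None) -> str:
        """Step 2: the confirmation link was clicked; returns a status string."""
        now = int(time.time() if now is None else now)
        data = verify_token(token, self._secret, now)
        if data is None:
            return "invalid_or_expired"
        meta = self._pending.pop(data["nonce"], None)
        if meta is None:
            return "unknown_or_already_used"  # replayed link, or a token we never issued
        self._confirmed[data["email"]] = {**meta, "confirmed_at": now, "method": "double_opt_in"}
        return "confirmed"

    def has_consent(self, email: str) -> bool:
        return email.strip().lower() in self._confirmed

    def evidence(self, email: str) -> Optional[dict]:
        """The record you would show if asked to prove that consent was given."""
        return self._confirmed.get(email.strip().lower())
```

Only a confirmed click flips the address to "consented"; a second click on the same link is refused because the nonce has already been consumed, and a link forwarded after the 48-hour window is treated as invalid rather than silently re-subscribing the address.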
Prior to each data collection, you have to provide a reference to the privacy policy, e.g. if you use an online form for newsletter registration or participation in a raffle. The privacy policy is not a contract but information, and therefore consent to it is not required. The link to the privacy policy must be placed prominently where data is collected, so that data subjects can realistically read it before submitting data. Make sure the privacy policy names the sending of promotional messages as a processing purpose.
When sending e-mails, the majority opinion among legal experts is that using a sender address that cannot be contacted is not permissible. Instead, use an e-mail address that is actively monitored. Advertising messages must also contain complete and correct information about the sender and the contact options. It is equally important that every newsletter offers a simple and free way to unsubscribe.
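As an added example (not code from the original post or from Friendly Automate), here is how a newsletter can be composed with a monitored sender address, full sender details and an unsubscribe option, together with a small lint function that rejects a message missing any of them. The domain, addresses and unsubscribe URL are constructed placeholders; the RFC 8058 `List-Unsubscribe-Post` one-click header is an extra, assumed to be honoured by the sending platform, that lets mail clients show an unsubscribe button in addition to the link in the body.

```python
# Added example (not code from the original post or from Friendly Automate):
# compose a marketing e-mail with a monitored sender address, full sender
# details and a machine-readable unsubscribe option, plus a lint function that
# rejects messages missing them. Addresses, domain and the unsubscribe URL are
# constructed placeholders; the RFC 8058 one-click header is an extra we assume
# the sending platform honours.
from email.message import EmailMessage
from email.utils import parseaddr

UNATTENDED_MARKERS = ("noreply", "no-reply", "donotreply", "do-not-reply")


def build_newsletter(to_addr: str, unsubscribe_url: str, body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = "Example Co Newsletter <newsletter@example.com>"  # assumption: a mailbox someone reads
    msg["Reply-To"] = "hello@example.com"
    msg["To"] = to_addr
    msg["Subject"] = "News from Example Co"
    # Both an HTTPS and a mailto: target, so mail clients can offer an unsubscribe button
    msg["List-Unsubscribe"] = f"<{unsubscribe_url}>, <mailto:unsubscribe@example.com?subject=unsubscribe>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"  # RFC 8058
    footer = (f"\n\nUnsubscribe at any time, free of charge: {unsubscribe_url}"
              "\nExample Co AG, Musterstrasse 1, 8000 Zurich, hello@example.com")
    msg.set_content(body + footer)
    return msg


def lint_marketing_message(msg: EmailMessage) -> list:
    """Return the list of problems a message has; an empty list means it passes."""
    problems = []
    _, from_addr = parseaddr(msg.get("From", ""))
    local_part = from_addr.split("@")[0].lower()
    if not from_addr or any(marker in local_part for marker in UNATTENDED_MARKERS):
        problems.append("sender address looks unattended")
    if not msg.get("List-Unsubscribe"):
        problems.append("missing List-Unsubscribe header")
    if "unsubscribe" not in msg.get_content().lower():
        problems.append("no unsubscribe instruction in the body")
    return problems
```

Running the lint in the sending pipeline (or as a unit test for every template) catches the two mistakes the text warns about before a campaign goes out: a "noreply" sender and a missing unsubscribe option.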
If you use third-party services (such as Friendly Automate) to send marketing messages, you must ensure that they adhere to the same data protection rules as your company. In any case, you are responsible for the data you share with third parties. Therefore, conclude data processing agreements with these service providers as described above.
In summary, you can implement these steps to make your e-mailing privacy compliant:
- Make sure your CRM includes the ability to record consent for marketing messages.
- Add a consent option for receiving marketing messages to your data forms where necessary.
- Set up the double opt-in process for all e-mail sign-ups.
- Ensure that the privacy policy is referenced each time data is collected.
- Make sure your e-mails are sent from a sender address that can be written to, and that all promotional messages include sender and contact details and an unsubscribe option.
- Enter into a data processing agreement with your e-mail service provider.
Conclusion
The new Federal Data Protection Act is an important milestone for the protection of people in Switzerland, because data protection is ultimately the protection of individuals. You should keep this in mind, even if the implementation of the measures means a lot of work for your company. Despite the alignment with the GDPR, the nFADP leaves more room for maneuver, so you can proceed with moderation and common sense.
Lastly… after the game is before the game. Once you’ve completed the initial implementation of the nFADP in your company, it’s time to train your employees so that everyone involved has the necessary knowledge and skills to ensure data protection in practice. And keep the ball rolling: Schedule regular reviews and updates regarding your data protection compliance to ensure that you can respond to changes in both your company and in technological developments in a timely manner.
Checklist
We have compiled all the steps in this overview as a comprehensive checklist. Download it here:
How does the nFADP differ from the GDPR?
The nFADP is very similar to the GDPR, but there are some differences:
- Sanctions: The nFADP fines individuals up to CHF 250,000; the GDPR fines companies up to EUR 20 million or 4% of the company’s total annual global turnover, whichever is higher.
- Information vs. consent: Under the nFADP, the information principle applies to data collection: individuals must be informed about planned data collections and their purposes, but consent is only required in specific cases. Under the GDPR, every processing operation needs a legal basis (Art. 6 GDPR), of which consent is one; in practice, consent is required far more often than under the nFADP.
- Data protection officer: Under the nFADP, appointing a data protection advisor is only recommended; under the GDPR, a data protection officer is mandatory for public bodies and for companies whose core activities involve large-scale monitoring or large-scale processing of special categories of data (Art. 37 GDPR).
- Minimum requirements: The nFADP specifies fewer minimum requirements, such as for the mandatory content of the privacy policy, data processing agreements (DPAs) and technical and organizational measures (TOMs) for data security. As a result, the Swiss law is more accommodating and open to future developments than the GDPR.
- Cross-border transfers: Here, the nFADP is stricter than the GDPR. When personal data is transmitted abroad, the specific countries must be specified in the privacy policy and in access requests.
Do Swiss companies also have to comply with the GDPR?
Yes, under certain conditions, Swiss companies must comply with the GDPR. These include:
- having an establishment in the EU or EEA (including Liechtenstein) in the context of whose activities personal data is processed (Art. 3(1) GDPR)
- offering goods or services to individuals in the EU or EEA, whether or not payment is required (Art. 3(2) GDPR)
- monitoring the behavior of individuals in the EU or EEA, for example through tracking on a website (Art. 3(2) GDPR)
Do you need a cookie banner in Switzerland?
Yes and no.
Under the nFADP, you don’t need the consent of data subjects to track them with cookies or to process their personal data. However, you must inform them when you do so. Separately, the Swiss Telecommunications Act (FMG Art. 45c) requires that users be informed about the processing and about how they can refuse it.
Unfortunately, it has not yet been clarified by the high courts how this information has to be provided in practice.
If the data processing is extensive and significant, then the requirements for information are high. In this case, you should make the information visible directly on the screen when the website is visited, for example by means of a banner that provides information and a link to the privacy policy. Unlike the cookie banner in the EU, however, this banner in Switzerland does not have to contain any options for consent or objection. It can be hidden either automatically after a certain time or by clicking on an OK button.
If the data processing is less extensive and impactful, some lawyers suggest that it is sufficient to provide the information via a link to the privacy policy, for example in the footer of the page, rather than “bothering visitors with a cookie banner”.
Of course, a specialist lawyer can best answer the question of where exactly the boundary lies between the two scenarios. When in doubt, provide your visitors with a cookie banner that is immediately visible.
Even if a cookie banner is not absolutely necessary in Switzerland – don’t you have to display a banner anyway if you are also targeting a European audience?
Yes, you must obtain consent from visitors from the EU via a cookie banner if you set cookies that are not strictly necessary for the service or otherwise track personal data. It is possible to use geolocation to display such a banner only for visits from the EU. Depending on the use case, a reference to the privacy policy or a simple info banner without a consent option is then sufficient for visits from Switzerland. However, you are of course free to go beyond the minimum requirements and always display a GDPR-compliant cookie banner.
What fines do you face under the nFADP?
The nFADP imposes fines of up to CHF 250,000. In contrast to the EU, in Switzerland the responsible natural person is fined, not the company. The company is also not allowed to pay the fine on behalf of the employee. This applies to the person in charge, not the person who merely carries out the work. However, it remains to be seen which organizational level will actually be targeted in practice.
There is one exception: if the fine is less than CHF 50,000 and the investigative effort to identify the responsible person seems disproportionate, the company can be fined instead. In the opinion of wickipartners.ch, this case could often be applied, especially in larger companies.
However, only intentional violations are fined; negligent behavior is not. Note that failing to take measures against one’s better knowledge also counts as intentional. It is important to note that prosecution is only initiated if affected persons file a complaint.
The fines focus on intentional violations of the obligations concerning information, disclosure, cooperation and due diligence (nFADP Articles 60 and 61).
Examples include:
- intentionally false or withheld information in response to an access request
- intentionally false or withheld information about the processing of personal data in the privacy policy, in particular about cross-border data transfers
- cross-border data transfers without adequate safeguards
- transfer of personal data to processors without a data processing agreement (DPA)
What special measures must be taken in the case of high-risk data processing?
If the data processing carried out in your company may involve a high risk to the personality or fundamental rights of the data subjects, then you must implement special regulations, which we have not dealt with in detail in this article. This is the case when you process highly sensitive personal data on a large scale, when you carry out high-risk profiling, and when you systematically monitor public areas on a large scale. If this applies to your company, educate yourself on the additional measures you need to take. These include, as briefly mentioned in part above:
- compiling a processing directory despite a company size of less than 250 employees
- creating data protection impact assessments
- the obligation to report data security breaches
- the obligation to log all data processing activities, and
- the creation of a processing policy.
Does the nFADP also apply to associations and private persons?
Yes, the Swiss Federal Act on Data Protection applies to all persons and bodies that process personal data. It therefore applies equally to companies, federal bodies, associations and private individuals who operate a website, for example.
And what about Liechtenstein?
Liechtenstein has aligned itself with Switzerland in many areas of the law. However, unlike Switzerland, Liechtenstein is a member of the EEA – and is therefore subject to the GDPR. You should therefore regard visitors from Liechtenstein in the same way as those from the EU in terms of data protection.