Article published on April 15, 2021, updated on April 25, 2023
The new Swiss Federal Act on Data Protection (nFADP) will come into force on 1 September 2023. It was time to give a facelift to the current text, introduced in 1992 – before the arrival of the Internet! This update is also necessary considering the standards established by the European Union (EU) with the General Data Protection Regulation (GDPR), which came into effect in 2018.
Companies have until the end of the summer to comply with the new law, as well as the accompanying ordinances on data protection (OPDo) and data protection certification (OCPD).
Don’t know where to start? This article reviews the goals of the federal law and gives you practical tips for implementing them.
Switzerland's new data protection requirements
The new data protection law introduces structural changes. The areas already covered in the current version are often treated more strictly, and several topics that were previously left out of the legislation are now included.
Rémi Pactat
Senior Manager Wavestone, Switzerland
This overhaul poses significant challenges for companies that have so far left the subject of data protection aside.
Mandatory record of processing activities
Companies with more than 250 employees that process personal data are now required to create, and keep up to date, a record of processing activities. The same obligation applies to smaller companies when they meet certain conditions (large-scale processing, high-risk profiling, etc.).
This register must describe in detail all processes involving personal data within the organization. It serves as a basis for identifying sensitive processing operations and for conducting a Data Protection Impact Assessment (DPIA). Such a detailed analysis is required whenever a processing operation is likely to create a high risk for the rights and freedoms of the data subjects.
Priority to user protection
The new law introduces new requirements for personal data security and privacy: transparency obligations towards the data subjects, supervision of subcontracting, notification in the event of a data breach, logging and implementation of technical and organizational measures…
From the design stage onwards, data processing must strengthen the rights of the data subjects and the protection of their personal data, as well as the obligations of the data controllers. These are the principles of Privacy by Design and Privacy by Default.
Switzerland is approaching European data standards without fully complying with them
The points mentioned above reflect the Swiss legislator’s desire to come closer to European law. However, certain fundamental GDPR principles have been set aside.
Fewer data processing constraints
Unlike the EU regulation, the new Data Protection Act does not systematically require a legal basis for processing personal data. The appointment of a Data Protection Officer (DPO) will also remain optional after the entry into force of the new text.
Reduced penalties
Parliament has also decided to move away from the EU line by not relying on intimidating amounts. In Swiss law, unlike in European law, it is natural persons who are targeted – not organizations. Only the intentional violation of the law or failure to comply with a decision is punishable by (non-insurable) fines of up to 250’000 Swiss francs. It remains to be seen whether these sanctions prove to be as dissuasive as the 20 million euros or 4% of annual turnover that the administrative fines of the GDPR can reach.
Complying with the new Swiss data protection law: the essentials
The entry into force of the new Swiss text marks a turning point for the Swiss and foreign companies that must comply with it. For those who already have the level of maturity required by the GDPR, few adaptations are to be expected. For the others, the compliance effort is more substantial. Although the new Swiss regulation is less demanding than the GDPR, the compliance costs are relatively similar.
We recommend complying with the strictest text, i.e. the GDPR. Who can do more, can do less! Aligning with the practices of your European neighbors also facilitates collaboration.
To start, or continue, your alignment project serenely, we share with you three essential actions that we recommend to our clients.
Map your processing activities
Start by consolidating a single view of all processes involving personal data in your organization. This “per-process” view lets you identify processes that are supported by multiple assets (applications, databases, etc.) or that involve multiple third parties.
This initial mapping provides a global overview. You can then focus on the riskiest processing activities before launching any analysis or remediation. It will then be time to act on the assets and third parties concerned (a contractual review can sometimes matter more than an access review!).
Create a CISO / DPO duo, to adapt your security strategy to privacy requirements
The CISO (Chief Information Security Officer) plays a key role in the protection of personal data: they supervise the technical and organizational protection measures. The DPO calls on the CISO to secure the processing of personal data through strategic and technological decisions.
In the other direction, the CISO works with the DPO to ensure that the security measures under consideration are in line with the regulatory requirements (log retention period, data subject rights taken into account, etc.), and relies on the DPO in the event of an incident involving personal data.
Educate your employees about personal data protection
One of the main challenges for the DPO is to be involved from the design phase of projects, in order to avoid creating serious compliance gaps. But how do you get employees to contact the DPO whenever personal data is involved?
Set up awareness programs on privacy issues for your teams. By explaining what is at stake, you maximize the chances that the DPO will be called upon at the right time. The DPO can then provide the necessary support on a case-by-case basis, while implementing reliable and permanent privacy-by-design and privacy-by-default processes.