New Swiss Federal Act on Data Protection

The new FADP is very broad and will affect almost every company in Switzerland. We have summarised the most important changes to enable you to best prepare for the new legislation:

1. Sanctions

‍Contrary to the existing Federal Act on Data Protection, the new draft defines clear sanctions. It stipulates that individuals who intentionally breach the new Swiss Federal Act on Data Protection will face fines of up to CHF 250,000.

2. Reporting data protection breaches

‍In the event of a data protection breach, data controllers will have to report any increased risk to the personality or fundamental rights of affected individuals to the Swiss Federal Data Protection and Information Commissioner as soon as possible. If necessary, they must also inform the affected individuals.

3. Particularly sensitive personal data

‍The new Federal Act on Data Protection expands the list of data that fall under the category of sensitive personal data. The new list includes genetic and biometric data (e.g. fingerprints) that unequivocally identify a natural person.

4. Technical design and default settings conducive to data protection

‍Data controllers and those who process data are to receive more stringent, more precisely defined due diligence obligations. As per the “privacy by design” principle, they will have to take appropriate measures to reduce the risk of privacy breaches during data processing as early as the planning stage. They will also be obligated to ensure, by means of appropriate default settings, that any required personal data is processed solely for the relevant purpose as standard, termed “privacy by default”.

5. Data protection impact assessment

‍Data controllers and those who process data will be obligated to conduct a data protection impact assessment if ever the data processing in planning will involve an increased risk to the personality or fundamental rights of the affected individual. This has to address both risks and suitable measures.

Summary

Data protection is long since a topic for companies that exceeds the boundaries of IT, placing it firmly on the agenda for managers and decision-makers as part of a comprehensive compliance policy. The EU GDPR, the new FADP, the ePrivacy Regulation and future guidelines require companies to develop a new sensitivity towards the handling and protection of personal data. We believe the right time to do so is now.