Welcome to life, FADP! The new privacy rules of Switzerland are about to start

Switzerland had not comprehensively renewed its outdated privacy law since 1992, a decidedly distant era from the way we now communicate, conduct business, and share relevant information in our daily lives.

Finally, the new Federal Act on Data Privacy has been approved, and after a series of back-and-forths, it has been decided to make it effective starting from September 1, 2023.

Although the European model established by the GDPR continues to be considered the most comprehensive and restrictive, the Swiss effort to formulate a more comprehensive law aligned with the new needs of contemporary society is clearly visible in this new formulation.

Some of the most significant innovations include:

Subjects of the law. The FADP exclusively addresses natural persons and not legal entities. This might seem obvious, but the distinction is quite clear.

Privacy by design and privacy by default. For the first time, the concepts of privacy by design and privacy by default are introduced, in clear alignment with GDPR regulations. This also makes it easier for companies to take concrete actions in implementing privacy-related decisions that are valid under both Swiss and European regulations.

Access. Users have the right to request, at any time, a series of information about the use of their personal data. In particular, this covers the following categories of user-related information that every company has:

  • How they use it

  • Who they share it with

  • How they collect the data 

Penalties. There is a penalty prescribed for natural persons who violate the norm, but this penalty might appear much milder than the one contained in the GDPR and, above all, it is directed towards individuals rather than directly at companies. Under the GDPR, companies that do not provide adequate protection face sanctions that impact their revenue proportionally. Here the maximum penalty for a company is only 50,000 Swiss francs, while for natural persons, individual penalties can reach up to 250,000 francs.

Security breach. Blatant privacy violations, meaning incidents occurring within a company that must be promptly communicated to the affected parties, are finally taken into account. While the GDPR establishes a maximum of 72 hours to notify about a security breach and take remedial action, Swiss authorities are more flexible in deeming a "timely communication" sufficient.

DPO, yes or no? In Swiss regulations, designating a Data Protection Officer is not obligatory, although once again, applying GDPR regulations in this field would allow a company with strong ties to the European Union, even if located in Switzerland, to more easily fulfill the pressing requests of surrounding territories.

Swiss Privacy has provided an interesting comparison table between GDPR and FADP obligations to better guide users in interpreting the path ahead.

Here is the official German version of the new law.

