The Swiss Federal Act on Data Protection (FADP) has been revised to bring it closer to the EU's GDPR. Parliament adopted the revised act on 25 September 2020, and the Federal Council has set its entry into force for 1 September 2023, with no transition period. Organizations must therefore adjust their privacy and data collection processes to the new requirements before that date.
Keep reading to learn what the changes to the FADP mean for businesses in Switzerland.
FADP – the Swiss Federal Act on Data Protection: what changes to expect
The Swiss FADP | Federal Act on Data Protection
Before we get into the revisions made to the FADP, let’s start with the basics: what is it?
The Federal Act on Data Protection is Switzerland's data privacy law. It created a framework to protect individuals' rights regarding data collection, third-party tracking and other privacy concerns. However, the original act dates from 1992 and no longer matches the European standard, the GDPR.
Swiss lawmakers have therefore revised the act to bring it closer to the GDPR. It keeps its original concepts and deviates from the GDPR in some areas, but the intent is that it upholds a standard of privacy and security similar to the EU's, which also matters for Switzerland keeping its EU adequacy status.
The changes expand the obligations to inform data subjects and provide for stronger sanctions against organizations that do not comply.
The revisions are broad, so they will affect almost all businesses in Switzerland. There is no transition period: the new rules apply in full from the day the revised act enters into force.
This may not come as a surprise, since many jurisdictions are aligning their laws with the GDPR, but it does mean that companies should adjust their processes as soon as possible to remain in compliance.
Here are some of the changes you can expect:
Privacy by Design
The revised FADP introduces privacy by design: the controller must plan data processing from the design stage onward so that the act's principles (lawfulness, proportionality, purpose limitation, data security) are met. It is no longer acceptable to consider privacy after a process or system has been built; it must be designed with compliance in mind.
This is one of the core principles of the GDPR, so it is no surprise that the revision adopts it. The act also addresses privacy by default: unless the data subject chooses otherwise, the default settings must limit processing to the minimum needed for the stated purpose.
One of the technical measures that supports privacy by design is pseudonymization: replacing direct identifiers such as names or e-mail addresses with artificial identifiers, with the key or lookup table needed to reverse the substitution stored separately and accessible only to authorized staff. Note that pseudonymized data is still personal data for anyone who can re-identify it; only true anonymization takes data outside the act's scope.
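As an added example (not code from the original article), the following Python script shows one way to pseudonymize direct identifiers in a record set: it replaces names and e-mail addresses with artificial identifiers derived from a keyed hash (HMAC-SHA256), keeps the re-identification table separate from the pseudonymized records, and contrasts this with a plain, unkeyed hash, which an attacker can reverse from a list of guesses. The sample records, the choice of identifier fields and the key handling are assumptions made for this example.

```python
"""Pseudonymization of direct identifiers with a keyed hash (HMAC-SHA256).

Added example, not from the original article. All records below are
constructed sample data about hypothetical people, not real data.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records (hypothetical people). Two records belong to the
# same person so the join property of deterministic tokens is visible.
RECORDS = [
    {"name": "Anna Muster", "email": "anna.muster@example.ch", "canton": "ZH", "purchases": 3},
    {"name": "Luca Rossi", "email": "luca.rossi@example.ch", "canton": "TI", "purchases": 7},
    {"name": "Anna Muster", "email": "anna.muster@example.ch", "canton": "ZH", "purchases": 1},
]

# Fields treated as direct identifiers. This list is an assumption for the
# example; in practice it comes from the dataset's register entry.
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymize_value(key: bytes, field: str, value: str) -> str:
    """Return a deterministic artificial identifier for `value`.

    HMAC with a secret key: the same input always yields the same token, so
    records of one person can still be joined, but a party without the key
    cannot recompute tokens from guessed inputs. The field name is mixed in
    as domain separation so the same string in two fields gets two tokens.
    """
    msg = field.encode("utf-8") + b"\x00" + value.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymize_dataset(key: bytes, records, fields=DIRECT_IDENTIFIERS):
    """Replace direct identifiers in every record with tokens.

    Returns (pseudonymized_records, reidentification_table). The table maps
    (field, token) -> original value and must be stored apart from the
    pseudonymized data; whoever holds both still holds personal data.
    """
    pseudo_records = []
    table = {}
    for record in records:
        pseudo = dict(record)
        for field in fields:
            token = pseudonymize_value(key, field, record[field])
            table[(field, token)] = record[field]
            pseudo[field] = token
        pseudo_records.append(pseudo)
    return pseudo_records, table


def reidentify(table, pseudo_record, fields=DIRECT_IDENTIFIERS):
    """Restore the original identifiers using the separately held table."""
    record = dict(pseudo_record)
    for field in fields:
        record[field] = table[(field, pseudo_record[field])]
    return record


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256 of the value, often wrongly sold as pseudonymization."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def dictionary_attack(target: str, candidates) -> Optional[str]:
    """Reverse an unkeyed hash by hashing each guess and comparing.

    Names and e-mail addresses live in a small, guessable space, so a plain
    hash is reversible by anyone with a candidate list. HMAC tokens are not
    matched here because the attacker cannot compute the HMAC without the key.
    """
    for candidate in candidates:
        if unkeyed_hash(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # kept in a secret store, separate from the data
    pseudo_records, table = pseudonymize_dataset(key, RECORDS)
    for rec in pseudo_records:
        print(rec)
    print(reidentify(table, pseudo_records[0]))
    guesses = [r["email"] for r in RECORDS]
    print(dictionary_attack(unkeyed_hash(RECORDS[0]["email"]), guesses))  # recovered
    print(dictionary_attack(pseudo_records[0]["email"], guesses))         # not recovered
```

The key and the re-identification table are what make the substitution reversible, so they belong in a separate store with tighter access control than the pseudonymized records. A party holding only the tokens cannot recompute them from guessed e-mail addresses, whereas a party holding the table or the key still processes personal data under the act.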
Enhanced Disclosure Requirements
Another revision to the Swiss Federal Act on Data Protection concerns the duty to inform. Organizations already had to inform data subjects before these changes, but the obligation was limited to the collection of sensitive personal data and personality profiles.
The revised act requires the controller to inform data subjects whenever it collects personal data, whether directly from them or from third parties. The act lists some exceptions (for instance where the data subject already has the information or the processing is required by law), but they are narrow, so organizations should be ready to meet this requirement by the time the revised act applies.
At a minimum, data subjects must be told the identity and contact details of the controller, the purpose of the processing and, where applicable, the recipients or categories of recipients of the data. If data is disclosed abroad, the country and the safeguards used must also be stated.
The enhanced duty to inform has direct IT implications. You cannot satisfy it unless you know which personal data you collect, where it is transmitted and stored, and who processes it.
Put simply: you cannot tell data subjects where their information is going and who is handling it if your data flows are undocumented.
Register of Processing Activities
The revised FADP also requires controllers and processors to keep a register of their processing activities. The same rule exists in the GDPR; Swiss lawmakers have added an exception for companies with fewer than 250 employees whose processing carries only a low risk for data subjects.
This requirement will also affect your IT strategy, as you will need systems in place to build the register and keep it current as processing changes. For each activity the register should record the purpose of the processing, the categories of data subjects and of personal data, the categories of recipients, the retention period where one can be stated, a description of the security measures, and, where data is disclosed abroad, the countries involved.
Breach Notification
The FADP also requires the controller to notify the FDPIC as soon as possible of any breach of data security that is likely to result in a high risk to the personality or fundamental rights of data subjects, and to inform the data subjects themselves where this is necessary for their protection or where the FDPIC requests it. Unlike the GDPR, which sets a 72-hour deadline, the Swiss text fixes no number of hours; the obligation is to notify "as soon as possible", which in practice means having a breach response process that can detect, assess and notify without delay.
Clearly Defined Sanctions
You can also expect stricter enforcement once the revised FADP applies. The revised law expands the powers of the FDPIC, the Federal Data Protection and Information Commissioner, who can now open investigations and issue binding orders rather than mere recommendations.
The revision not only provides for stricter sanctions but also defines them more clearly. Only wilful acts and omissions are punishable under the FADP; negligence is not. The fines primarily target the responsible natural persons rather than the company: anyone who wilfully violates the duty to inform or to provide information, or who fails to cooperate with the FDPIC, can be fined up to CHF 250,000.
The same maximum applies to anyone who breaches the duties of care (for example disclosing data abroad without the required safeguards, or failing to meet the minimum data security requirements), violates professional confidentiality, or disregards a ruling of the FDPIC.
What About Consent?
You may have noticed that consent has barely featured in the list of revisions. Under the GDPR, consent is one of several legal bases for processing, and it is only valid if it is freely given, specific, informed and unambiguous. The Swiss approach is different: processing personal data is generally permitted as long as it respects the act's principles, and a justification is needed only where processing would otherwise unlawfully breach the data subject's personality.
The revised FADP confirms that consent, where it is required, must be given freely and for one or more specific processing operations after adequate information, and that it must be express for the processing of sensitive personal data, for high-risk profiling by a private person and for profiling by a federal body. Despite lengthy parliamentary debate, it adds no further requirements for obtaining consent.
In other words, consent is required only as a justification, for example where an organization processes data contrary to the processing principles or carries out high-risk profiling it cannot otherwise justify. A legal basis or an overriding private or public interest can serve as a justification as well.
The revision does not introduce a general obligation to obtain consent for high-risk profiling.