nFADP Switzerland 2023 – new Federal Act on Data Protection

Switzerland’s new Federal Act on Data Protection (nFADP) was officially put into effect on September 1, 2023, and with it has come a host of new rules and changes that every company doing business in the country should know. We’ll highlight the biggest updates as well as list out some best steps to take and resources to refer to when it comes to achieving compliance with the nFADP in this article.

Switzerland’s new Federal Act on Data Protection (nFADP) was officially put into effect on 1 September 2023

What Is the nFADP?

The new Federal Act on Data Protection, or nFADP for short, is a revised version of Switzerland’s original data protection law, the Federal Act on Data Protection. That legislation was first conceived in the early 1990s as a guardrail against data misuse in the country, outlining key responsibilities for companies and rights for consumers as it relates to data privacy.

In its fall 2020 session, Swiss Parliament passed the nFADP in an effort to improve the data privacy framework (FADP) for the country. These new regulations include a broader scope and more stringent requirements that organizations must adhere to when handling personal data, and were just recently implemented through the Data Protection Ordinance on September 1, 2023.

How the nFADP Came to Be

Just why is an update to the nFADP necessary, you may ask? Well, things have changed a lot since its original implementation in 1992. Not only are there more ways than ever to share and capitalize upon information, but consumers themselves have become increasingly sensitive to the idea of their data being sold. This has put pressure on lawmakers both in Switzerland and around the world to take stricter measures against online entities’ processing practices.

As an older piece of legislation, the original FADP was also somewhat out of line with other prominent data privacy laws in Europe, such as the General Data Protection Regulation (GDPR). This major overhaul, which comes after minor changes in 2009 and 2019, is set to bring things up to speed while making it easier for Switzerland’s businesses to work with those inside of the European Union.

What Data Controllers Need to Know About the nFADP

With the institution of the nFADP comes plenty of changes to what has been the status quo in Switzerland for so long. Across the board, you could say that this new law is effectively stricter and more far reaching than its predecessor, warranting the attention of organizations who may have taken a laid back approach to compliance up until now.

Here are the biggest updates to know about:

Processor and Data Processing Agreements (DPA)

Companies that work with third parties – like hosting providers – who process personal data on their behalf will now need to enter into Data Processing Agreements with those partners. This legal document essentially outlines the ground rules by which two companies play when handling sensitive data. It outlines both sides’ responsibilities in protecting the data, preventing unauthorized access and transfer of information, and security measures taken to protect the data while it is being transferred or processed.

Genetic and Biometric Data Protections

Countries like Switzerland are increasingly recognizing genetic and biometric data as sensitive data in their laws and policies. Under the nFADP, organizations are expected to treat things like fingerprints, retinal scans and DNA samples as they would any other confidential data.

Privacy by Design

Privacy by Design isn’t a new concept, but it’s just been added to Swiss law. The principle lays out seven key steps to ensure that personal data protection is baked into any product or service from the very beginning. Organizations must be able to show how they have built-in privacy safeguards and how their users can opt out of certain types of processing. Read more about this in our article: What is Privacy by Design?

Processing Activity Registry Requirements

Keeping a register of data processing activities is no longer an option with the nFADP – it’s mandatory. While the ordinance allows exemptions for SMEs with low-risk data processing activities, larger entities will need to prepare to record and report their processing activities on a regular basis.

Prompt Notification

Organizations must notify the Federal Data Protection and Information Commissioner (FDPIC) of data breaches as soon as possible. They’ll need to provide details on what happened, when it occurred, how many people were affected and what steps they have taken to address the breach.

Profiling Rules

The concept of profiling has been introduced into the legislation, putting processors of personal data under a legal obligation to ensure that automated decisions are not used to significantly impact people’s rights or freedoms.

Bigger Fines

Perhaps the most unwelcome of changes to the nFADP for businesses, Switzerland’s data protection authority is now empowered to levy large penalties upon organizations that break the law – up to CHF 250,000.

Achieving Compliance With the nFADP

The good news about Switzerland’s updated data privacy law is that because of its similarity to the EU GDPR, many organizations are either already compliant or close to compliant with the new rules. Even so, it’s important to review your website for glaring issues relating to:

Data Protection Declarations

Your data protection declaration must clearly explain to users exactly what data you collect, why and how it’s stored and processed.

Cookies

The nFADP does not require the use of a cookie banner in Switzerland. However, we still recommend implementing them for reasons of transparency and out of respect for your site’s website visitors. Solutions like the CookieFirst CMP are an easy and straightforward tool for managing cookie consent across your website.

Data Security

You must ensure that your website has sufficient security measures in place to protect users’ personal data, as well as stay on top of regular security and function updates. For WordPress websites, the key word here is a “maintenance contract”.

Contact Forms

If you use contact forms on your website, you must inform users what personal data you collect and why. Must also have the ability to revoke their consent to data storage and processing at any time.

More Resources and Best Practices

Data privacy laws are anything but straightforward – and the risks that come with breaking them are never worthwhile. We recommend delving deeper into the issue and ensuring your compliance via the following helpful resources and tools.

Condensed nFADP: Vischer.com offers a short and clear explanation of the nFADP. (in German)
Compliance Checklists: Datenrecht.ch has put together helpful checklists for small and medium-sized companies. (in German)

Medical Industry: Fmh.ch provides useful tools and sample documents for medical practices. (in German)

Creating a Data Protection Page: You can create your nFADP-compliant data protection page with VISCHER and Walder Wyss’ DSAT.ch tool. This tool is under a Creative Commons license and can be used free of charge. The only caveat is that you’ll need to explicitly mention it in your data protection declaration. Also, the template cannot be used as-is. It must be checked, adjusted and supplemented before publication.

For creating a cookie policy or a cookies table with descriptions (for in your privacy policy page) you can use the CookieFirst cookie policy generator.

The only constant thing in the data privacy landscape is change. Organizations can’t risk becoming complacent with the various laws and expectations put upon them, regardless of how complicated and arduous the process may seem. With that said, having a clear understanding of Switzerland’s new Federal Act on Data Protection (nFADP) is a good first step in ensuring your data privacy compliance today. If you’d like help maintaining it, take a look at CookieFirst’s suite of solutions. We’re here to help you stay on top of evolving standards with less time and effort.