In September 2020, the Swiss parliament adopted the new Federal Act on Data Protection ("FADP"). The law is expected to enter into force in September 2023, although the respective ordinance, which will provide further details, was still being drafted at the time of publication of this article.
Although the basic data protection principles that apply today will not fundamentally change with the new law, there are some sticking points that need to be taken into account. As we all know, the devil is in the details.
Not only big corporations but also small and mid-sized enterprises (SMEs) should consider data protection from a governance and risk perspective, and the new FADP offers the ideal (and probably mandatory) opportunity to do so.
In particular, the new FADP provides for more stringent information and documentation obligations, expands the rights of data subjects, creates reporting obligations in the event of data loss or data security breaches, introduces the obligation to conduct data protection impact assessments and provides for stricter criminal sanctions in case of violations. On the other hand, the personal data of legal entities will no longer be protected under the new FADP.
SMEs should consider implementing the following 12 action points in relation to the new law:
- Gap analysis: Where does the company stand in terms of data protection? (What kind of personal data is processed by the company? For what purpose? Is personal data processed automatically? Were precautions already taken following the introduction of the GDPR? etc.);
- Draft a data inventory/list of processing activities;
- Draft or adapt data processing agreements (DPAs);
- Draft or adapt data protection notices for the purpose of fulfilling the obligation to provide information under data protection laws;
- Review data protection provisions in the company's general terms and conditions;
- Review or implement processes that ensure the processing of requests for information and deletion requests from data subjects (especially the creation of standard templates for responding to requests for information);
- Review cross-border transfers of data and, if necessary, adapt mechanisms to ensure an adequate level of data protection for transfers to countries with an inadequate level of data protection;
- Ensure data portability;
- Appoint a data protection officer (if necessary);
- Review internal data protection policies and training of employees;
- Draft standard templates for data breach notifications;
- Create awareness of stricter criminal sanctions, which primarily target the responsible employee (fines of up to CHF 250,000 for individuals such as members of the board of directors, the CEO or other employees with data protection responsibilities; sanctions for companies are only possible in special cases).
For those companies that have already implemented the GDPR, the effort required to implement the new FADP will be limited. Nevertheless, the FADP contains differences from the GDPR that must be taken into account, in particular with regard to the company's information obligations, the rights of data subjects and the obligation to report breaches of data security. What is certain is that the FADP will generate additional administrative work for those SMEs subject to it.
Finally, it is important for SMEs to act now because the new FADP does not provide for a transition period. This means that the necessary adjustments within the company must already be implemented by the time the law enters into force – there is therefore no time to lose.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.