On September 25, 2020, the Swiss Parliament approved revisions to Switzerland's data protection law, the Federal Act on Data Protection of June 19, 1992 or FADP ("Revised FADP"). On August 31, 2022, the Swiss Federal Council decided that the Revised FADP will be brought into force on September 1st, 2023 (with no transition period).

The Revised FADP aims to strengthen data protection obligations for relevant businesses that process personal data (or "controllers" and "processors" in the law's parlance) and to align with the European General Data Protection Regulation ("GDPR"). It also aims to ensure that the European Commission will retain its adequacy finding for Switzerland.

Below, we describe some of the key elements of the law that companies should be aware of as they prepare for its implementation.

Scope

The Revised FADP has a far-reaching scope of application. It applies to all processing of personal data that "has an effect" in Switzerland, even if it occurred abroad (for example, a company outside Switzerland that provides services to consumers in Switzerland or conducts clinical trials enrolling study subjects in Switzerland).

Controllers established outside Switzerland must appoint a data protection representative based in Switzerland to function as a point of contact for data subjects and the data protection authority. For non-EU controllers subject to the GDPR, the data protection representative concept will be familiar. Unlike the GDPR, the requirement to appoint a representative under the Revised FADP does not apply to processors.

Transparency

The Revised FADP increases controllers' duty of transparency, by requiring businesses to provide detailed privacy notices to data subjects. Businesses are required to inform data subjects regarding the controller's and its representative's identity and contact details, the purposes of processing, the parties or categories of parties to whom the data will be disclosed, the countries to which the data will be transferred, and related safeguards implemented for the transfer, among other information.

Privacy By Design and By Default

The Revised FADP enshrines the principles of privacy by design and privacy by default. These principles require implementing the Revised FADP's principles from the planning stage by putting in place appropriate technical and organizational measures.

Personal Data Breaches

Controllers must report a data breach to the Federal Data Protection and Information Commissioner ("FDPIC") only if it is likely to lead to a "high risk" for data subjects. This is a higher threshold for notification than the GDPR, which requires reporting a breach to the data protection authority if it is likely to result in a "risk" for data subjects. The FDPIC must be notified without undue delay (unlike the GDPR, the Revised FADP does not set a maximum reporting timeline). Controllers must also inform the affected data subjects if needed to protect the data subjects or if requested by the FDPIC.

As is the case under the GDPR, processors must notify controllers of data breaches without undue delay.

Processor Contracts

Unlike the GDPR, the Revised FADP does not mandate specific data processing provisions for controller-processor contracts. It is expected that GDPR-compliant data processing agreements will comply also with the Revised FADP. Further, the Revised FADP now expressly provides that a processor's appointment of sub-processors requires the controller's approval, which can be specific or general as under the GDPR.

DPIAs

The Revised FADP introduces an obligation upon controllers to perform and document a data protection impact assessment (DPIA) if their intended processing may result in a high risk for data subjects, which is comparable to the corresponding obligation under the GDPR. Controllers must consult the FDPIC if the DPIA shows that the risks for data subjects will remain high despite the measures taken or to be taken.

Records of Processing Activities

The Revised FADP introduces a requirement to keep a register or record of processing activities that aligns with the GDPR's documentation requirement. There is a limited exemption for small and medium-sized organizations.

Cross-border Transfers

Under the Revised FADP, personal data can be transferred outside Switzerland only if the Federal Council has ascertained that the legislation in the country concerned provides adequate protection. The Revised FADP includes a list of countries that have been recognized by the Federal Council as adequate (these include all EU member states and most of the whitelisted countries as per the European Commission's adequacy findings).

If a country has not been found to provide an adequate level of protection, the Revised FADP nevertheless permits transfer of personal data to controllers and processors if adequate data protection can be guaranteed by other means, including Standard Contractual Clauses approved by the European Commission under the GDPR (see Europe OPTS for Pragmatism with New SCCS and ICO Opens Consultations on UK SCCS — What Companies Need to Do Next).

Fines

Non-compliance with the Revised FADP may trigger fines of up to CHF 250,000 (approximately $270,000) that will be issued against responsible individuals (e.g., directors or managers). The Revised FADP also introduces criminal liability of businesses (controllers or processors), who may be held liable for a fine of up to CHF 50,000 (approximately $53,000) if determining who in the business is responsible for the violation would require disproportionate investigative efforts.

Takeaways for Businesses

Companies that are already compliant with the GDPR will likely have to make minimal adjustments to their business practices and compliance programs to prepare for the Revised FADP's implementation. Companies should still be proactive in reviewing the Revised FADP's requirements and should be on the lookout for any guidance that the FDPIC will issue regarding the Revised FADP's practical application.

Finally, it is expected that in the near future and most likely once the EU draft adequacy decision on the EU-US Data Privacy Framework is adopted (see EU Commission Publishes Draft Adequacy Decision on Privacy Shield 2.0), a Swiss-U.S. agreement will also be negotiated to facilitate Swiss-US data transfers. Companies should keep an eye on guidance that the FDPIC may issue regarding its data transfer strategy.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.