This article is about the Swiss Federal Act on Data Protection.
Facts about the Swiss Federal Act on Data Protection
Switzerland, acknowledging the advancements in technology since 1992, embarked on the development and adoption of a new regulation similar to the existing European legislation. The first Federal Act on data protection was established in July 1993. In September 2023 the new FADP came into force.[1] The new FADP codifies the rights of the data subject and governs the responsibilities of individuals who handle personal data. Additionally, it ensures that data protection is implemented at the federal level as well as at the state level.[2] It also introduced several new principles and definitions, but most importantly revolutionized the process of DPIA under Art. 22.[3] Data controllers will be obligated to conduct a DPIA if the planned data processing presents a high risk to the rights and freedoms of individuals.[4] The modification of the FADP aims to encourage data controllers toward more self-regulation, and it includes codes of conduct that make this easier for data controllers to accomplish.[5] Overall, the revisions bring Swiss data protection law closer in line with the GDPR while adding some additional requirements tailored to the Swiss context.[6] The underlying motive of the DPIA under the FADP remained unchanged: it is aimed at safeguarding the increasing data flow pertaining to data subjects.
Under the new FADP, a DPIA must be carried out by the data controller when the newly implemented technology or the data collection involved in the processing operations might pose a high risk to the data subject. The DPIA must describe the planned processing, assess the risks to the personality or fundamental rights of the individuals concerned, and outline measures to protect personality and fundamental rights.[7] In the data controller's processing operations, all data collection processes should be documented, and data must be stored securely. This also entails establishing a competent legal department or hiring an external DPO, depending on the nature of the processing activities.[8] Another crucial procedural requirement is the prompt notification of the FDPIC in the event of unlawful data processing, similar to the procedural notice stipulated by the GDPR. According to Art. 23 par. 1, if the DPIA indicates that the processing might still reveal a risk despite the measures planned by the controller, the data controller must seek the opinion of the FDPIC before the start of the processing operations.[8]
Therefore, companies operating in Switzerland must understand their legal obligations and take appropriate measures to ensure compliance with the FADP. By doing so, they can protect individuals' privacy, mitigate legal risks, and conduct the DPIA effectively. In addition to strengthening the rights of the persons concerned, the Federal Council emphasizes the so-called risk-based approach as a guideline for revising its dispatch. According to this approach, the state and companies should identify the risks to privacy and informational self-determination at an early stage and include data protection requirements in the planning stage of their digital projects. High risks, and the organizational and technical measures taken to eliminate or mitigate them, must be documented with the help of the DPIA.[9]
There are multiple drafts of how the DPIA might be structured. For instance, the factsheet on the DPIA in accordance with Art. 22-23 of the FADP proposed a possible way to conduct the DPIA which simplifies it for the data controller. The data controller just needs to provide the information requested in the template. According to Art. 22 par. 3 of the FADP, the DPIA process shall consist of a description of the planned data processing, an assessment of the risks to the fundamental rights of the data subject, identification of the measures to protect fundamental rights, and an assessment of the impact of the planned measures to determine whether there is a high residual risk, which can be identified as the beginning of the DPIA process.[7]
Here at DGVM (Data Guard Consulting), we specialize in helping you achieve your privacy goals with the expert assistance of our seasoned professionals. Our team provides comprehensive and tailored solutions that address all aspects of data protection and privacy management. We can help you achieve a clear DPIA process and, in addition, establish a unique draft for your project, so you know in advance which risks you are facing as an entrepreneur.
Our Expertise on the Swiss Federal Act on Data Protection
Comprehensive Data Protection Service
We offer a wide range of services designed to safeguard your organization’s sensitive information. Our services include:
– Data Privacy Impact Assessments (DPIA): We conduct thorough assessments to identify and mitigate risks associated with data processing activities, ensuring compliance with relevant regulations.
– Data Breach Management: Our experts develop and implement robust data breach policies, providing guidance on handling incidents and notifying relevant authorities.
– Regulatory Compliance: We help you stay ahead of data compliance requirements through proactive information management and risk mitigation advice.
Tailored Privacy Solutions
Our professionals are adept at designing, drafting, reviewing, implementing, and updating corporate privacy and security policies. We provide advice on a wide range of issues, including:
– Whistle-blowing policies
– Employee telephone, internet, and email use
– Customer data processing and consents
Incident Response and Cybersecurity
In the event of cyberattacks, our experts at DGVM provide the necessary guidance for dealing with customers, regulators, and the press. We help you navigate the complexities of cybersecurity, ensuring that your organization is prepared to respond effectively to any incidents.
Why Choose DGVM?
Expertise Across Disciplines
Our team includes experienced lawyers and IT experts from various disciplines, including regulatory, technology, corporate, contract, business sourcing, IP, competition, and employment law. This multidisciplinary approach ensures that we can address all aspects of data protection and privacy. We will help you to work with the Swiss Federal Act on Data Protection.
Strong Regulatory Links
Here at DGVM, we maintain strong links with regulators, allowing us to act quickly when changes occur and providing valuable insights into upcoming regulatory developments. This ensures that your organization remains compliant and well-informed.
Personalized Service
At DGVM, we understand that every organization is unique. Our services are tailored to meet your specific needs, providing personalized and high-level assistance in the field of data protection and privacy.
Commitment to Excellence
We are committed to providing the highest level of service to our clients. Our team of professionals is dedicated to helping you achieve your privacy goals, ensuring that your organization is protected and compliant with all relevant regulations.
Here at DGVM, we are your trusted partner in achieving your privacy goals. With the help of our professionals, you can rest assured that your organization’s data is in safe hands.
Conclusion
The Swiss Federal Act on Data Protection (FADP) marks a pivotal step forward in Switzerland’s efforts to protect personal data and privacy in an increasingly digital world. By updating and expanding the scope of the original 1993 law, the new FADP brings Switzerland into closer alignment with international standards, such as the EU’s General Data Protection Regulation (GDPR). This alignment is crucial for ensuring that Swiss businesses and organizations can operate effectively on a global stage while maintaining the trust of their clients and stakeholders.
Under the Swiss Federal Act on Data Protection, companies are now required to adopt more stringent measures to protect personal data. The introduction of mandatory Data Protection Impact Assessments (DPIA) for high-risk data processing activities is a significant change. This requirement not only helps identify and mitigate potential risks but also underscores the commitment of the FADP to prioritizing the rights and freedoms of individuals. For organizations operating in Switzerland, understanding and adhering to these new obligations under the Swiss Federal Act on Data Protection is essential for maintaining compliance and avoiding potential penalties.
Furthermore, the Swiss Federal Act on Data Protection emphasizes the importance of transparency and accountability in data processing. Organizations must ensure that their data protection practices are clear, documented, and accessible to both regulators and the public. This shift towards greater transparency is designed to enhance trust between businesses and their customers, ensuring that individuals feel confident that their personal data is being handled with the utmost care and in accordance with the law.
In conclusion, the Swiss Federal Act on Data Protection is not just a regulatory requirement; it is a fundamental part of modern business operations in Switzerland. By fully understanding and implementing the provisions of the FADP, organizations can protect themselves from legal risks, build stronger relationships with their clients, and contribute to a culture of privacy and security. As data becomes an increasingly valuable asset in the digital age, the importance of the Swiss Federal Act on Data Protection will only continue to grow, making it essential for all organizations to stay informed and compliant.
Citations:
[1] nFADP (2024).
[2] FAQ-Datenschutzrecht (2023) 2.
[3] FADP (2020).
[4] nFADP (2024).
[5] FAQ-Datenschutzrecht (2023) 2 et seq.
[6] nFADP (2024).
[7] FADP (2020) Art. 22-23.
[8] nFADP (2024).
[9] EDÖB (2021) 4 et seq.
[10] https://dgvm.ch
[11] https://link.springer.com/chapter/10.1007/978-3-319-96229-0_10
[13] https://dgvm.ch/practice-area/
[14] https://www.lenzstaehelin.com/practices/advice-on-data-protection-and-privacy/