The Swiss Data Protection Act, also called the revised Federal Act on Data Protection (revFADP), is a recently updated set of data protection laws that came into effect on the 1st of September, 2023, in Switzerland. These laws are a result of the existing data protection laws in Switzerland being updated to reflect the current data protection trends and realities.
This article will provide a detailed overview of this data privacy legislation, with a particular focus on data residency and cross-border data transfers. We will also compare the revFADP with the European Union’s General Data Protection Regulation (GDPR).
Who needs to comply with Swiss data protection law?
The following are mandated to comply with the provisions of the revFADP:
- Companies in Switzerland that process private data: Every company in Switzerland that is involved in collecting, processing, and or storing the personal information of Swiss residents is mandated to comply with this policy.
- Companies outside Switzerland that process private data: All companies outside the Swiss borders that collect, process, or store the private data of Swiss residents are also expected to comply with this revised data protection policy.
- Government Institutions that handle private data: All government institutions in Switzerland that collect the personal information of Swiss residents are also mandated to comply with the revised policy on data protection.
In summary, every organization in or outside Switzerland that uses, collects, processes, or stores the personal information of Swiss residents, such as names, addresses, email addresses, phone numbers, health data, financial data, etc., is mandated to comply with the revFADP.
What Swiss data protection laws do you need to know?
While the Swiss Data Protection Act serves as the foundational law for data protection in Switzerland, there are also additional legislations that are crucial and must be adhered to. We will discuss them in this section.
Swiss federal act on data protection (FADP) 1992
The most important data protection law in Switzerland is the Federal Act on Data Protection (FADP), which was enacted in 1992 to safeguard the data of Swiss residents from potential data threats. Over time, this law has undergone several revisions, with the most recent being the revFADP, which was implemented on September 1st, 2023. In this context, we will take a closer look at some of the provisions of the original Swiss Federal Data Protection Act of 1992.
- Scope and purpose
It applied to all organizations involved in collecting, processing, and storing the personal information of Swiss residents, both private and public institutions.
- Legal basis for processing data
It set out a legal basis for processing the personal data of Swiss residents, such as
- clear consent from the data subject,
- as part of the requirement of a contract,
- in compliance with legal obligations,
Or in the performance of tasks carried out in the interest of the public or some other legal basis.
- Data subjects rights
Although very old, this Swiss data privacy law grants some rights to data subjects, just as most recent data privacy laws do. These rights include the right to access your data, edit it, restrict access to it, or demand its deletion.
- Data security measures
It mandated controllers to implement necessary measures to ensure adequate security for the private information of their clients, as well as prevent authorized access.
- Enforcement and penalties
The Federal Act on Data Protection (FADP) is enforced by the Federal Data Protection and Information Commissioner (FDPIC). This Swiss Data Protection Authority is empowered to investigate complaints, issue recommendations, and impose sanctions for violations of the Swiss data protection laws.
Swiss criminal code
The Swiss criminal code also contributes to data protection in Switzerland in the following ways:
- Protection against defamation:
It protects the rights of individuals from the defamation of their reputation in the way of slander or libel. This principle automatically controls how a Swiss resident’s personal information can be used to avoid any potential harm.
- Protection against identity theft
This puts enormous pressure on organizations to protect the private data of clients and prevent data breaches that can result in identity theft.
- Unauthorized recording of Private Conversations:
The Swiss criminal code considers unauthorized recording of private conversations, such as unauthorized wiretapping, a violation of personal data.
The Swiss Civil Code (SCC)
While it does not specifically focus on data privacy, it contributes to Switzerland’s data privacy laws in several indirect ways. The SCC provides a legal framework for various aspects of civil law, including contracts, torts, and personality rights, which intersect with data protection principles.
New Swiss federal act on data protection
Also known as the Revised Federal Act on Data Protection (revFADP), this is the latest Swiss data privacy law. It applies to all organizations within and outside Switzerland, involved in collecting, processing, and or storing the data of Swiss residents. As with the European GDPR, the goal is to ensure a higher level of data security for all residents of Swiss residents. Here are the key provisions of the policy:
- Data subject rights
Only the rights of natural persons are prioritized under this new regime. The rights of legal entities such as organizations are not covered. It also increases the scope of rights of data subjects to include the right of data portability and the right to intervene when automated decision-making affects data subjects. This is in addition to previously guaranteed rights like the right of access, the right to edit, delete, etc.
In the case of data transfer to a third party, data controllers are now required to notify data subjects of the identity of the third party, the type of data to be transmitted, and the purpose of the data transfer.
- A new definition for sensitive personal data
It revises the definition of sensitive personal data to include biometric data and other things that uniquely identify an individual and genetic data. This is in addition to the existing definition, which includes personal data concerning religious, ideological, political, or trade union-related views or activities, health, and racial origin.
- Data impact assessment
As a safety procedure, data controllers and processors are required to perform a mandatory data protection impact assessment, especially for high-risk data processing activities.
- Report data breaches
Data controllers are now required to immediately report any high-risk data breach to the Federal Data Protection and Information Commissioner (FDPIC).
- Penalties
This new policy offers higher penalties for defaulting than the previous FDAP. Serious offenses can attract penalties of as much as CHF 250,00.
Data residency requirements in Switzerland
Unlike the German Data Privacy Laws, the revFADP does not specifically require organizations to store all personal data collected in Switzerland. This act aligns with Switzerland’s commitment to open trade and data flows.
Although there is no general requirement to keep personal data stored within the country, some sectors like finance and anti-money laundering may have regulations that require organizations to store their data within the country. The goal here is to ensure easy access to these data by the authorities. Laws regarding national security may also restrict data transfer in certain circumstances.
Furthermore, data controllers may wish to reach a data residency agreement with data processors or data subjects in a contractual arrangement, and it will be binding on all parties involved. Organizations may also decide to store their data locally because of the sensitivity of the data. The data residency requirements of Switzerland appear less stringent compared to the data residency requirements by countries across the world.
Switzerland has exceptions for certain financial information that effectively must be stored within the country.
Swiss cross-border data transfer requirements
Adequate level of data security
The country where the data is to be sent must meet the minimum data security requirements. Where the country has effective data protection laws and adequate data security protocols, data transfers are easy. The Swiss Federal Council maintains a list of countries deemed to have adequate data protection. This includes all EEA countries and the UK. If a recipient country isn’t on the list, additional safeguards are required before a data transfer can be approved.
Transfer methods for non-adequate countries
For countries outside the list approved by the Swiss Federal Council, data transfers are still possible under these circumstances:
- Standard contractual clauses
Simply put, they are contracts or agreements issued by the Swiss Federal Data Protection and Information Commissioner (FDPIC) to an organization, permitting them to transfer data to a country without an adequate data protection law. However, before this contract can be issued, the recipient organization must meet the following requirements:
- Using the updated EU SCCs with a Swiss Rider (an addendum addressing Swiss-specific legal aspects).
- Conducting a Transfer Impact Assessment (TIA) to evaluate risks and implement appropriate safeguards.
- Other binding corporate rules (BCRs)
Through this, companies can create their own data protection rules approved by the FDPIC for data transfers within their company, even with branches across different locations.
- Individual consent
Although this is not frequent or usual, in special cases, the express permission of the individual may suffice as enough consent for cross-border data transfer. However, this consent must be freely given, specific and unambiguous.
revFADP vs GDPR comparison
As with most recent data privacy laws, there are points of similarity and difference. We will examine some of the similarities between the European Union’s GDPR and the new Swiss Data Protection Act (revFADP).
How to comply with data protection laws in Switzerland — InCountry’s approach
Ensuring data sovereignty compliance is crucial for businesses operating in global markets to maintain legal integrity. InCountry’s Data Residency-as-a-Service can help your company stay compliant across all the countries your business operates, especially with the Swiss Data Protection Act 2023. With this service, we will store your customers private data in the country where it was generated and give you remote access to it from anywhere in the world. Thus eliminating the need for cross-border data transfer, especially critical for financial information.
Our strict data security protocols ensure that the data is safe. Data at rest and in transit is encrypted with industry-standard algorithms. Additionally, sensitive data can be tokenized, replacing it with unreadable strings for further protection.
Contact us today; let’s discuss your data compliance needs and show you how much value we can contribute to your business.