A revised version of the Swiss data protection law, the new Federal Act on Data Protection (FADP), comes into force on September 1 this year. The Federal Council announced in August 2022 that the law, its ordinances and certifications would be introduced with no transition period.

The changes aim to keep the legislation relevant to current technology and to align it more closely with the European GDPR.

As with other similar legislation, the FADP places obligations on organizations to protect the personal information of living individuals and grants individuals rights to access, delete or transfer their data.

It applies to all processing of personal data that “has an effect” in Switzerland. That means the law applies even if the processing took place outside the country. Foreign organizations acting as “data controllers” will need to appoint a data protection representative based in Switzerland. However, this requirement doesn’t apply to processors.

The FADP takes a privacy by design approach to data security and obligates businesses to implement technical and organizational measures to protect personal information. Like the GDPR, it requires organizations to maintain a record of processing activities, although there are exemptions for some small and medium-sized businesses.

Although the revised FADP is broadly similar to the GDPR in its requirements for data protection, transparency of processing and individuals’ data rights, its approach to penalties and sanctions for violations and data breaches is significantly different.

The FADP punishes individuals responsible for data protection within businesses, rather than the organization itself. Fines of up to CHF 250,000 (US $278,500) can be levied against responsible individuals. Businesses may be charged with criminal liability and fined up to CHF 50,000 (US $55,700) if efforts to identify responsible individuals are disproportionate. Violations of notification and reporting obligations as well as data security incidents will be punishable under the new law.

Under the new law, the cross-border transfer of data outside Switzerland will depend on the Federal Council’s approval that the destination country’s own privacy legislation provides sufficient protection.

For organizations already compliant with the GDPR, the new FADP shouldn’t be a major concern. However, companies need to ensure they satisfy those areas of the law that don’t align with the European regulation.

Among the most important steps for businesses to take is a periodic inventory of all personal information across the organization, specifically identifying information that relates to Swiss individuals. Ground Labs’ Enterprise Recon simplifies this process by automating the discovery process and focusing on specific targets based on over 300 pre-packaged data types.

To understand how data discovery can support compliance with Switzerland’s new FADP, download your free copy of our white paper, Data Discovery: The Foundation of Any Compliance or Regulatory Obligation.
