Today, September 1, 2023, the Swiss New Federal Act on Data Protection (nFADP) comes into force

Switzerland is rolling out fresh legislation aimed at bolstering the safeguarding of its citizens’ data. As of September 1, 2023, Swiss enterprises will be mandated to adhere to these new regulations.

During its autumn session in 2020, the Swiss Parliament approved the enactment of the new Act on Federal Data Protection (nFADP). This legislation seeks to enhance the handling of personal data and confer fresh rights upon Swiss residents. Alongside these pivotal legal adjustments come a series of responsibilities for companies. The operationalization of these changes through the Data Protection Ordinance is set for September 1, 2023.

A Vital Legislative Reform

The original Federal Data Protection Act was established back in 1992. Over the years, the Swiss populace has integrated internet and smartphone usage into their daily routines, with increasing reliance on social networks, cloud services, and the Internet of Things. Within this evolving landscape, a comprehensive overhaul of data protection laws, rather than piecemeal updates as seen in 2009 and 2019, is essential to provide the population with data protection that aligns with the technological and societal advancements of our era.

Another challenge the nFADP faces is ensuring compatibility between Swiss law and European law, particularly the European General Data Protection Regulation (GDPR). The nFADP aims to facilitate the uninterrupted flow of data with the European Union (EU), thereby preventing a loss of competitiveness for Swiss businesses.

Key Changes in Focus

The nFADP brings about the following eight significant changes for businesses:

  1. Limited Scope: The new law applies solely to personal data of individuals, not legal entities.
  2. Expanded Sensitive Data Definition: Genetic and biometric data are now categorized as sensitive information.
  3. Privacy-Centric Design: Principles such as “Privacy by Design” and “Privacy by Default” are introduced. “Privacy by Design” requires developers to integrate privacy protection into the core structure of products or services that collect personal data. “Privacy by Default” ensures the highest level of security as soon as products or services are launched, automatically activating measures to safeguard data and restrict its use. Essentially, all software, hardware, and services must be configured to uphold data protection and user privacy.
  4. Mandatory Processing Register: Maintaining a record of processing activities is now obligatory, though small and medium-sized enterprises (SMEs) handling low-risk data are eligible for exemptions.
  5. Data Breach Reporting: Swift notification to the Federal Data Protection and Information Commissioner (FDPIC) becomes mandatory in the event of data security breaches.
  6. Inclusion of Profiling: The concept of profiling, or automated personal data processing, is incorporated into the legal framework.
  7. Transparency Enhancements: Greater transparency requirements are imposed on data controllers.
  8. FDPIC Resources: The FDPIC’s website provides more comprehensive details regarding the revisions brought about by the nFADP.

Contrasts with EU Regulations

Companies that have already aligned with the EU General Data Protection Regulation (GDPR) will encounter minimal adjustments.