The new Swiss data protection law – what you need to know

Florian Bodoky
29.8.2023
Translation: Patrik Stainbrook

On 1 September, the New Federal Act on Data Protection will come into force in Switzerland, with the goal of better protecting your data. I’ll lay out what you can expect – and what you yourself are obligated to do.

You produce data almost constantly: when showing your SwissPass on the way to work, when paying by card in the canteen at lunchtime and, if you activate a sleep tracker on your smartwatch, even while you sleep.

Thanks to sleep tracking, you even produce data while you sleep. Sometimes it’s even sent to manufacturers.
Source: Shutterstock

Much of your data is processed by companies for various purposes. This isn’t illegal per se, but there are clear rules stating which data may be processed for what purpose – and which can’t be processed at all. This is regulated by the Data Protection Act. The problem is that the current law dates back to 1992, even before CERN released the World Wide Web to the public.

On 25 September 2020, Parliament approved the total revision of the Federal Act on Data Protection (FADP). On 31 August 2022, Parliament decided to put the law into force on 1 September 2023 – this long transition period would allow companies to implement new guidelines.

What is in the Data Protection Act?

Roughly summarised, the FADP covers three points: the rights you have when someone processes your personal information, the duties that someone has when processing your personal data, and the consequences for that person if they don’t comply with their duties – whether on purpose or by accident.

The FADP thus protects the personality and fundamental rights of individuals whose data is being processed.

Why is the Data Protection Act necessary?

In Switzerland, you have the fundamental right to «informational self-determination». In short, you can choose how your data is used – at least the data that relates specifically to you. This is regulated in the Federal Constitution under Article 13, paragraph 2.

You have this right in relation to data about you that the state or companies collect and process. Ensuring this is the government’s responsibility. The new data protection law is the instrument the state will use to achieve this and ensure your rights.

What does the revision aim to achieve?

The real meat of the new FADP is improved data protection and more transparency around what happens with your data, especially digitally. You should know that your data is safe and that third parties can’t do what they want with it. Furthermore, you get easy ways to check what happens with your data in individual cases. Also, you should know who has what data about you and where they got it from.

Companies and groups must state exactly what happens with your data.
Source: muster-vorlage.ch

For entities that collect data, it specifies how they are to handle data, what they’re allowed to do with it and what isn’t allowed. It also specifies how they should act if something goes against the FADP and possible penalties resulting from this.

Last but not least, it concerns the role of the Federal Data Protection and Information Commissioner (FDPIC). They’ll be given broader responsibilities and more autonomy in the area of data protection.

Data protection will generally be handled much more strictly under the new law, and misconduct will be punished more severely. There are two main reasons for this revision. First, the current FADP is quite old: there are now data protection issues in the online sector that it doesn’t regulate, or doesn’t regulate sufficiently.

Secondly, the revision is needed for cooperation with the EU. With this revision, Switzerland will continue to be considered a «third country with an adequate level of data protection». This way, both parties can continue to work together without any conditions.

This improves protection of your privacy concerning data abroad and vice versa, as set out in the European Convention on Data Protection 108 (press release in German), which Switzerland co-signed.

How does it differ from the GDPR?

The General Data Protection Regulation is the European Union’s data protection law. In a sense, it’s the counterpart to Switzerland’s Federal Data Protection Act (FADP).

Whether a Swiss company must also comply with the European GDPR depends on whether it does business in the EU.
Source: Shutterstock

Under certain circumstances, Swiss companies must comply with it too. Galaxus is one of them, as we sell goods in the EU and process personal data in the EU for this purpose. Full details on the GDPR can be found here.

What data is protected and how?

All personal data is protected. This includes names, home or e-mail addresses, telephone numbers and other information that relates specifically to you (FADP Art. 5).

Protection is provided by the rules laid down in the FADP. These can be divided roughly into two parts: on the one hand, rules that a company must follow when obtaining and processing your data; on the other hand, technical and organisational requirements the company has to meet in the process.

What protective measures are already in place?

Some of the provisions concerning the acquisition and processing of data were already contained in the old FADP – for example, proportionality and purpose limitation when obtaining data. I’ll give you one example of each for better understanding:

FADP Art. 6 para. 2: processing must be carried out in good faith and be «proportionate». For example, if you order a pizza online, a courier may ask for your name and address, which they, of course, need in order to deliver the pizza. But they don’t need your hometown or date of birth.

FADP Art. 6 para. 3 states that «data may only be collected for a specific purpose that the data subject can recognise». Let’s say the courier likes you or vice versa. If they call you (using your number from the pizza order) and ask you out, that’s a violation. You can find further details on the website dedicated to this topic.

What protective measures are new?

In the revision, some measures have been added to take the current times into account. I’ll list the most important ones here – if you want to see all the details, I recommend reading the FDPIC’s FAQ:

The principles of «privacy by design» and «privacy by default» apply to software, hardware and all services. «Privacy by design» means that data protection requirements must be built in as early as the development stage of a system – things like two-factor authentication, encrypted transmission, controlled access and so on. «Privacy by default» means that a provider guarantees all necessary data protection measures and restrictions on data use even before putting the product or service on the market.

The obligation to provide information is broadened (FADP, Art. 19). A company must always inform you in advance when it wants to gather data about you. You must also be told who processes your data and for what purpose. You will also be given an individual to contact. In practice, this is often listed in the terms and conditions of an order process.

Companies have a duty to provide information (FADP, Art. 25). This means you’re allowed to ask where a company got your data, what data they have and for how long they plan to keep it. For example, if you receive promotional brochures from a company you’ve never heard of, you may ask where they got your address. Or if a company won’t let you order a product on invoice because of a poor credit rating, you may ask why they have this rating and where they got that data. The FDPIC has summarised how to do this formally here.

Data protection impact assessment: let’s say a company plans to process particularly sensitive data about you. In these cases, it must prepare a data protection impact assessment (FADP, Art. 22). This must state how the processing is to proceed and what protective measures the company plans to take. In addition, it must assess whether there’s a risk to you or your fundamental rights. If the company answers yes to the last question, it must first consult the FDPIC on whether the processing is permissible.

Directory of processing (FADP, Art. 12): it’s now mandatory for companies to keep a so-called «register of processing activities». This is more or less a log in which all data processing is recorded. However, this only applies to companies with more than 250 employees – and only if sensitive data is processed.

Obligation to report data security breaches (FADP, Art. 24): suppose a hospital is hacked. Action must be taken. Those responsible must immediately determine what data was affected by the hack. If they find that the affected data includes sensitive information concerning individuals or their fundamental rights – for example medical records – they have to inform the FDPIC as soon as possible.

Higher fines (FADP, Art. 60): if a company violates its duty to inform, disclose or cooperate under the FADP, it will face a fine, as before. However, the maximum possible fine has been increased to 250,000 francs. Previously, it was only 10,000 francs. Chump change for most companies, an absolutely pitiful pittance. Higher fines aim to increase compliance with the new law.

What is «particularly sensitive» data?

«Particularly sensitive data» (FADP, Art. 5c) includes any data particularly pertinent to you as an individual. For example, health records, welfare payments and criminal records – but also your religious affiliation, ethnicity and political views.

If a company plans to collect and process such data, they must ask you explicitly for permission before doing so. Simply informing – as with other data – isn’t enough.

Websites for associations – what do you need to do?

As a private individual, you should barely be affected by the new FADP. The modern data protection measures should only bring advantages for you. This changes if, for example, you maintain the website of a club in your spare time. After all, an association also has obligations with regard to data protection – for example, when it comes to the personal details of its members. In addition to the duties you already had before, two essential ones have now been added.

First, your website must have a privacy policy. There you have to explain who will see the data you collect and what will be done with it. This also applies to the digital form your buddies use to register for the bowling club’s barbecue. This still counts as data collection. Even if you use other, external services – for example newsletter tools – you’ll need to state this too. The dissemination of data via social media or the use of cookies must be clarified in the privacy policy too. The best thing to do is to contact your website host and ask for advice. Otherwise, you can find a sample privacy policy (in German) here.

The registration form for your bowling club barbecue is also subject to data protection.

Second, if you want to share member data with external third parties, you must explicitly ask for permission. For example, FIFA always demands a complete list of guests if you want to visit the FIFA Museum in Zurich with your club. For this, you must have explicit permission from each member.

Further details for each of these cases are available if you want them. The FDPIC has created a good overview page on this here.

Header image: Shutterstock


I've been tinkering with digital networks ever since I found out how to activate both telephone channels on the ISDN card for greater bandwidth. As for the analogue variety, I've been doing that since I learned to talk. Though Winterthur is my adoptive home city, my heart still bleeds red and blue. 