Switzerland’s Data Protection Act (FADP), personal privacy protections

Switzerland’s Federal Act on Data Protection, also known as “Datenschutzgesetz” or the FADP for short, is a data privacy law that was recently amended in 2020. Originally passed in 1992, the FADP was amended last year to put the law on par with other privacy laws around the world, such as the California Privacy Rights Act or CCPA, Virginia’s Consumer Data Protection Act or the VCDPA, and the EU’s General Data Protection Regulation or GDPR. To this end, Switzerland is only one of only a handful of European countries that is not a part of the European Union and as a result, does not fall under the jurisdiction of the General Data Protection Regulation. The FADP sets forth various requirements that business agencies and organizations must comply with when handling the personal data and information of Swiss citizens.

What is the scope and application of the FADP?

All data processing efforts that are undertaken by businesses in Switzerland’s private and public sector, as well as data processing that is handled by federal authorities are all subject to the jurisdiction of the FADP. What’s more, the FADP also applies to data processing activities that have either actual or potential effects within the country of Switzerland. This includes data processing that is initiated or conducted outside of Switzerland, which nevertheless has the potential to adversely affect the privacy rights of Swiss citizens. Moreover, the FADP also contains provisions related to sector-specific data protection and security requirements. For instance, Chapter 4 of the FADP applies solely to the processing of personal data and information “by public authorities of the Federation, and to the processing of personal data by businesses or organizations performing tasks in the exercise of Federal public authority vested in them”.

What are the requirements of businesses and organizations under the FADP?

There are a variety of principles that business agencies and organizations must adhere to at all times when collecting, using, or disclosing the personal data and information of Swiss citizens. These principles are as follows:

• Lawfulness– Data controllers are only permitted to process personal data or information that has been collected in accordance with other applicable laws. For example, personal information that has been collected through wiretapping or unlawful trespassing would violate this principle.
• Fairness (good faith)– Data controllers are only permitted to engage in data processing activities that a data subject would reasonably expect. Additionally, all data processing that occurs must be performed as described to data subjects in privacy notices.
• Transparency– Data controllers are responsible for conveying all necessary information to applicable data subjects in order to ensure transparency in relation to data processing. The information that data controllers provide must also allow for data subjects to exercise their rights under the FADP. At minimum, data controllers will need to inform data subjects about the identity and contact information of the data controller, the contact information of an Agencies Data Protection Officer or DPO, if the said agency has one, the contact information of a Swiss representative that may be associated with a particular agency, the specific purposes for which a data subjects data will be processed, any third-party recipients or categories of recipients who may also collect a data subjects data, the countries a data controller intends to transfer personal data to, and the safeguards that will be in place to protect this data, the categories of personal data that are to be collected and processed, and the existence of automated individual decision-making systems.
• Purpose limitation– Data controllers are only permitted to process the personal data of data subjects for specified purposes that have either been notified or would otherwise be obvious to data subjects. Data controllers may only process a data subject’s data in a manner compatible with these purposes, and the information relating to the purposes for this processing must be specific. Data controllers must also ensure that any further processing of personal data that is received from other controllers is also compatible with the specific purposes that have been both determined and communicated to data subjects at the time of data collection.
• Proportionality– Under the FADP, all data processing activities must be proportionate, meaning that data processing must be limited to what is necessary to achieve a data controller’s specific purpose, considering the kinds of personal data that are concerned, as well as the scope of said processing. Storage limitation and data minimization principles are also key aspects of the FADP’s proportionality principle. This means that data controllers must also limit the scope of personal data that is collected and processed to what is necessary for the intended purpose of the said data controller, as well as delete all applicable personal data when said data is no longer needed for such intended purposes.
• Accuracy– Data controllers must ensure that they only process personal data that is both accurate and kept up to date at all times. Data controllers are also responsible for taking reasonable steps to ensure that personal data that has been proved to be inaccurate or incomplete is either deleted or rectified, with regards to specific purposes for which said data was processed in the first place.
• Data security– Under the FADP, both data controllers and data processors have an obligation to ensure that an adequate level of data security is upheld at all times. This entails protecting the integrity, confidentiality, and availability of personal data, by means of adequate organizational and technical security measures. In assessing an appropriate level of security, data controllers and processors must also account for the type, purpose, and scope of said data processing activities, assess any potential risks for data subjects, and develop state-of-the-art security solutions.

What are the rights of Swiss citizens under the FADP?

Under the FADP, Swiss citizens are afforded a bevy of legal rights in relation to the collection, use, and disclosure of their personal data and information. These rights include:

• The right to be informed– The FADP mandates that collection and processing purposes in relation to a data subject’s personal data must be transparent at all times.
• The right to access– Under the FADP, data subjects maintain the right to access personal data that has undergone data processing and may subsequently be related to the said data subject, including the right to receive a copy of the personal data that has undergone processing.
• The right to rectification– Data subjects have the right to request that a data controller who holds inaccurate or incomplete information relating to them rectify said information. However, data controllers may also refuse such requests, on the grounds of a legal obligation or prevailing public and private interests.
• The right to erasure– Similar to the right of rectification, data subjects also have the right to request that a data controller delete personal data concerning them. In keeping with similarities to the right to rectification, data controllers may also refuse to delete a data subject’s personal data on the grounds of legal obligation or prevailing public or private interests.
• The right to object/opt-out– the FADP provides data subjects the right to object or otherwise opt-out of the processing of their personal data. Despite this right, data controllers may still disregard a data subject’s opt-out request under certain circumstances. For example, if maintaining a data subject’s data is required in relation to legal compliance, the performance of a contract, or prevailing public or private interests.
• The right to data portability– Data subjects have the right to request that data controllers provide them with a copy of any personal data in said controller’s possession, in a commonly used format.
• The right to not be subject to automated decision making– Under the FADP, data controllers are responsible for informing data subjects if they use automated decision-making mechanisms during the course of their data processing

What are the penalties for violating the FADP?

Under the FADP, businesses and organizations that are found to be in violation of the law are subject to monetary penalties of up to CHF 10,000 ($10,672). Furthermore, there are also a variety of administrative and criminal penalties that can also result from violating the FADP, including obliging a business or organization to correct, suspend, cease or delete personal data, either partially or entirely. There are also additional monetary penalties related to criminal offenses, including fines ranging from CHF 50,000 ($53,248) to CHF 250,000 ($266,201). The FADP also contains provisions that allow for Swiss citizens to bring a private right of action suits against agencies and individuals who violate their rights under the law.

As Switzerland is one of the few countries within Europe to not be a part of the European Union, FADP serves as the foremost regulation in regards to protecting the data privacy rights of Swiss citizens. As the FADP is similar in nature to the General Data Protection Regulation or GDPR, Swiss citizens can rest assured that their data privacy rights are protected at the highest level, despite the fact that the country does not fall under the jurisdiction of the GDPR. In amending the FADP for the first time in 29 years, Switzerland has joined one of the many countries around the world to pass updated privacy legislation in the last decade.