Switzerland FADP

  • Updated on Feb 23, 2023
  • Published on Feb 15, 2023
  • 2 minute(s) read
Prev Next

Who is this article for?

Any Swiss organization dealing with privacy data from the EU or EEA, but not operating in the EEA or EU.

While Switzerland is not part of the EU or the EEA, it is a member of the European Free trade Area and has received an Adequacy Decision from the EU on its data protection regulations. Switzerland adopted a policy analogous to the GDPR, the Federal Act on Data Protection (FADP). Swiss companies only have to obey the GDPR if operating in the EEA or EU.

The original FADP was enacted in 1993, and the revised version will be enacted on September 1, 2023. You can find the full regulatory text here.

The FDPA is similar to the EU GDPR with some conceptual differences.

  • Data operations don't require a defined legal basis. However, explicit consent of the data subject is required for high-risk profiling and processing of particularly sensitive personal data.
  • Appointing a Data Protection Officer (DPO) is not obligatory for private companies.
  • Punishments for data breaches are given to individuals responsible for failing to ensure adequate data protection. Whereas, in the EU GDPR, fines are imposed on companies.

The Revised FDAP will reflect the following changes:

  • Information on legal persons or legal entities is no longer protected.
  • The revised version will apply to both manual and electronic records.
  • The concept of automated processing of personal data (profiling) is included in the law.
  • The scope of what is considered sensitive personal data is broader:
    • Racial origin
    • Trade union membership
    • Health data, but only to the extent it reveals the handicap or illness of the data subject
    • Religious, ideological, or political activities (not only related beliefs)
    • The intimate sphere as such (not only sex life)
    • Genetic data
    • Biometric data allowing the unique identification of a person
    • Social security measures
    • Administrative or criminal proceedings and sanction
  • Increase in fundamental rights of data subjects
    • Right of access
    • Right to know the purpose of the processing
    • Right to deletion
    • Right to data portability
    • Right to intervene when automated decision-making impacts data subjects
  • Individuals who intentionally breach the rules face sanctions of CHF 250,000.
  • When a data breach occurs, there is a need to report directly to the Swiss Federal Data Protection and Information Commissioner (DPIC).
    • During high-risk data breaches
    • If there is any increased risk to the personality or fundamental rights of the affected individuals.
  • Mandatory data protection impact assessment for data controllers and data processors when conducting high-risk data processing activities

You can check out this link for a comparison table of the Swiss FDAP with the EU GDPR.

Click here to contact us, give feedback on this article, report errors, or address concerns regarding the portal resources.

Related articles
  • GDPR Compliance Guide
    Governance and Compliance > GDPR - Data Privacy and Security
  • EU GDPR
    Governance and Compliance > GDPR - Data Privacy and Security