After more than three years, the Swiss parliament completed the total revision of the Swiss Federal Act on Data Protection (FADP) at the end of September. The aim was to align it with the European GDPR, which has been in force since 2018. Until now, Swiss companies had to comply with two standards when coming into contact with data of individuals in the European Economic Area (EEA). The modernized, revised FADP will bring important changes by the end of 2021 that are also relevant for small and medium-sized companies.
Alignment but no assimilation to the GDPR
Although the FADP is strongly based on the EU GDPR, there will also be important differences in the future. We already took a close look at the GDPR when it came into force in May 2018 – in our blog article you can read what the GDPR means for individuals and for companies.
After more than two years, one would think that the topic of the GDPR is now firmly anchored in affected companies. But a look at the e-dialog Consent Management Report shows that although almost 80% of all companies in Germany, Austria and Switzerland use consent management (collection of data), 76% have poor implementation of data protection and another 20% have considerable need for improvement.
So that you and your SME can prepare early enough for the changes, we have summarized the 6 most important changes of the FADP.
The 6 most important innovations of the FADP at a glance
- The scope of the Federal Act on Data Protection is no longer limited to data of legal entities (companies), but now also refers to data of natural persons (people). In addition, private individuals now face fines of up to CHF 250,000 for violations, as opposed to the previous maximum fine of CHF 10,000.
- The FADP defines an extended list of data requiring special protection: Genetic and biometric data that uniquely identify a person will also be considered particularly worthy of protection from the end of 2021 and will be linked to qualified legal consequences.
- High-risk profiling is newly regulated by law: If there is a linkage of personal data that allows an assessment of essential aspects of a natural person, then companies must clarify whether their data processing is high-risk and, if so, obtain explicit consent for the data processing from the data subjects.
- «Privacy by Design» and «Privacy by Default» are now enshrined in law: Data processing must be designed in such a way that data protection regulations are complied with from the planning stage onwards (Privacy by Design). Default settings for apps or websites must be designed in such a way that the processing of personal data is limited to the minimum necessary (Privacy by Default).
- New right to data portability: any person may request the release of their personal data in an electronic format or its transfer to another company. Under the revised Data Protection Act, this also explicitly applies to foreign companies operating on the Swiss market.
- The revFADP prescribes the keeping of a register of data processing. Exceptions are only provided for companies with fewer than 250 employees and for companies whose data processing entails a low risk of violations of the personal rights of the data subject.
Early Birds with a head start
Swiss companies still have more than a year to prepare for the changes in the FADP and to review their existing processes and guidelines in light of the new law and adapt them if necessary. Use the time wisely and give your SME an edge over the competition. We are happy to support you – contact us!