Switzerland (nFADP) | Data Protection Act
What is the Swiss Data Privacy Act (nFADP)?
Switzerland is implementing new legislation to better protect its citizens’ data. The purpose of the nFADP is to protect the personality and fundamental rights of natural persons about whom personal data is processed. The law is implemented through the Data Protection Ordinance on September 1, 2023, and Swiss companies will have to comply with it from that date.
This progressive step aligns with the evolving landscape of Swiss privacy law, emphasizing a heightened commitment to safeguarding individuals’ data privacy.
The new Federal Act on Data Protection (nFADP) improves the processing of personal data and grants new rights to Swiss citizens. This important legislative change is accompanied by a few new obligations for businesses and a strengthening of existing requirements.
Key highlights of Switzerland’s nFADP
Data Protection Impact Assessment (Art-22)
Private and public-sector data controllers must perform a data protection impact assessment (DPIA) if data processing is likely to pose a high risk to the personality or fundamental rights of data subjects (Art. 22 nFADP).
Data Protection Advisor (DPA) (Art-10)
Under Swiss data protection law, private companies may appoint a Data Protection Advisor (DPA), who does not need to be an employee and whose main role is to provide independent advice on data protection, help create rules and regulations, and deliver training. After a data protection impact assessment, companies may rely solely on the DPA’s advice without needing to consult the FDPIC further.
Appoint a Representative (Art-14)
- Private controllers domiciled or resident abroad must designate a representative in Switzerland if they process personal data of persons in Switzerland and the data processing meets the following requirements:
  - The processing is related to the offer of goods and services or the observation of the behavior of persons in Switzerland.
  - The processing is extensive.
  - The processing is carried out regularly.
  - The processing entails a high risk for the personality of the data subjects.
- The representative serves as a point of contact for the data subjects and the FDPIC.
- The controller shall publish the name and address of the representative.
Rights of the Data Subject under Swiss Privacy Law (nFADP) (Art-25)
- Any person may request information from the controller as to whether personal data relating to him or her is being processed.
- The data subject shall receive the information necessary to enable him or her to assert his or her rights under the Swiss Federal Act and to ensure transparent data processing.
- Personal data relating to health may be disclosed to the data subject, with his or her consent, by a health professional designated by him or her.
- If the controller has personal data processed by a processor, he remains obliged to provide information.
- No one can waive the right to information in advance.
Time to provide information
According to the Swiss Federal Act (nFADP), the controller must provide the information to the data subject free of charge within 30 days of the request. In certain cases, the Federal Council can grant exceptions, for example if the effort is disproportionate.
Penal provisions (Art-60)
Violation of obligations to provide information, disclosure & cooperation:
- A fine of up to CHF 250,000 applies to private individuals who intentionally provide false or incomplete information in violation of Articles 19, 21 and 25-27, and to those who intentionally fail to inform the data subject or to provide the data subject with the information listed in Articles 19(1) and 21(1).
- A fine of up to CHF 250,000 is imposed on private individuals who, in breach of Article 49 (3), intentionally provide false information to the FDPIC during an investigation or intentionally refuse to cooperate.