Skip to content Skip to footer
Search
PwC

Menu

Events

Loading Results

What are the critical changes to be implemented with the revised FADP?

On September 25, 2020, the Swiss Parliament adopted the revised Swiss Federal Act on Data Protection (revFADP).  

The revFADP replaces the data protection law of 1992 and is expected to enter into force in Q3 2022. It will then become binding for the private sector and the federal administration.

The revFADP leads to numerous alignments with the European General Data Protection Regulation (GDPR). Still, it retains its own basic concept and deviates from it in various other aspects.

Which aspects have changed in comparison to the former FADP?
  1. No more protection of legal persons: With the revFADP, legal entities will no longer be protected by the data protection regulation.
  2. Highly sensitive personal data: The list of sensitive personal data is being extended to include:
    • genetic data
    • biometric data, which can identify a natural person (e.g., fingerprints, retina scans).
  3. Profiling and high-risk profiling: Profiling describes the process of automated processing of personal data to evaluate certain personal aspects of a natural person. High-risk profiling leads to a combination of data which allows an assessment of essential aspects of the personality of a natural person. 
  4. Data processor:
    • A data processing agreement will usually be necessary for the data processing.
    • The processor may only assign the data processing to a third party with the controller’s prior authorization.
  5. Privacy by design and privacy by default:
    • The controller must design the data processing from the planning phase onwards in a manner that data protection regulations and processing principles are always respected (Privacy by Design).
    • Furthermore, the default settings must be set in such a way that the processing of personal data is limited to the minimum extent necessary for the intended purpose, unless specified otherwise by the data subject (Privacy by Default).
  6. Extended information duties: Data subjects must be informed of the following when personal data is collected:
    a. Identity and contact details of the controller
    b. Purpose of the processing
    c. Any recipients, or categories of recipients to whom personal data are disclosed
    d. In the case of disclosure abroad, also the country or international body and, where applicable, the guarantees for the protection of personal data.
  7. Data subjects are entitled to any information which is essential for them to assert their rights under the revFADP. The information that is provided to the data subject can therefore not be limited to the minimum information that is defined in the revFADP.
  8. Right to data portability: The data subject may request the data controller to transfer their personal data to another data controller in a machine-readable form, free of charge.
  9. Automated decision-making: If a decision is based exclusively on automated processing and involves a legal consequence for or significantly affects the concerned person, the data controller must inform the data subject. The data subject must be given the opportunity to state their position and may request that the decision should be reviewed by a natural person.
  10. Extraterritoriality: Extension of the scope of application of the FADP to incidents that occur abroad and have repercussions in Switzerland.
  11. Representative office in Switzerland: Private controllers must designate a representative in Switzerland. 
  12. Data Protection Impact Assessment (DPIA): The controller is obliged to carry out a data protection impact assessment if the data processing may entail a high risk for the personality or fundamental rights of a data subject. The planned processing, the risks that arise and suitable measures to counter the risks must be described.
  13. Notification of data security breaches: In the event of a data breach which poses major risks to the personality or fundamental rights of the data subjects, the controller must notify the Federal Data Protection and Information Commissioner (FDPIC) as soon as possible. The data subjects must also be informed if deemed necessary for their personal protection. A processor must also report a data breach as quickly as possible to the controller, who must then take further steps.
  14. Sanctions: The maximum fine for natural persons in case of intentional breach of the duties of information and disclosure as well certain duties of diligence may be up to CHF 250’000 per violation. In contrast to the GDPR where companies are liable, persons responsible within the company, such as the CEO, CIO or other functions, can be sanctioned directly.
  15. The role of the FDPIC: Administrative measures such as the prohibition to a company to conduct future processing of specific personal data and/or the requirement to delete specific datasets are now possible. In addition, the FDPIC has the power to issue binding rulings instead of only non-binding recommendations.
     

Author

Anna Maria Tonikidou

Senior Associate | Data Privacy | ICT | Implementationᐩ, Zurich, PwC Switzerland

+41 58 792 46 89

Email

For further support and information, please visit our website.

#social#

Read more insights

Register for personalised updates tailored to your interests.

Subscribe to PwC updates 

Contact us

Philipp Rosenauer

Philipp Rosenauer

Partner Legal, PwC Switzerland

Tel: +41 58 792 18 56

Claudia Liliane Jung

Claudia Liliane Jung

Senior Manager | Data Privacy | ICT | Implementationᐩ, PwC Switzerland

Tel: +41 58 792 4728

Anna Maria Tonikidou

Anna Maria Tonikidou

Senior Associate | Data Privacy | ICT | Implementationᐩ, PwC Switzerland

Tel: +41 58 792 46 89

Lorena Rota

Lorena Rota

Data Privacy | ICT | Implementationᐩ, PwC Switzerland

Tel: +41 58 792 2750