What are the critical changes to be implemented with the revised FADP?

On September 25, 2020, the Swiss Parliament adopted the revised Swiss Federal Act on Data Protection (revFADP).  

The revFADP replaces the data protection law of 1992. It was expected to enter into force in Q3 2022 and ultimately did so on 1 September 2023. From that date it is binding for the private sector and the federal administration.

The revFADP aligns Swiss law with the European General Data Protection Regulation (GDPR) in many respects. It nevertheless retains its own basic concept and deviates from the GDPR in various other aspects.

Which aspects have changed in comparison to the former FADP?
  1. No more protection of legal persons: With the revFADP, legal entities are no longer protected by data protection legislation; only data relating to natural persons is covered.
  2. Sensitive personal data: The list of sensitive personal data is extended to include:
    • genetic data
    • biometric data that uniquely identifies a natural person (e.g., fingerprints, retina scans).
  3. Profiling and high-risk profiling: Profiling is any automated processing of personal data to evaluate certain personal aspects of a natural person. High-risk profiling is profiling that entails a high risk to the personality or fundamental rights of the data subject because it links data in a way that allows an assessment of essential aspects of that person's personality.
  4. Data processor:
    • Assigning processing to a processor will usually require a data processing agreement.
    • The processor may only assign the processing to a third party (a sub-processor) with the controller's prior authorization.
  5. Privacy by design and privacy by default:
    • The controller must design the data processing, from the planning phase onwards, so that data protection regulations and the processing principles are respected throughout (Privacy by Design).
    • Furthermore, the default settings must limit the processing of personal data to the minimum necessary for the intended purpose, unless the data subject specifies otherwise (Privacy by Default).
  6. Extended information duties: Data subjects must be informed of the following when personal data is collected:
    a. Identity and contact details of the controller
    b. Purpose of the processing
    c. Any recipients, or categories of recipients to whom personal data are disclosed
    d. In the case of disclosure abroad, also the country or international body and, where applicable, the guarantees for the protection of personal data.
  7. Data subjects are entitled to any information which is essential for them to assert their rights under the revFADP. The information that is provided to the data subject can therefore not be limited to the minimum information that is defined in the revFADP.
  8. Right to data portability: The data subject may request their personal data from the controller in a commonly used electronic format, or have it transferred directly to another controller, free of charge.
  9. Automated decision-making: If a decision is based exclusively on automated processing and has legal consequences for, or significantly affects, the data subject, the controller must inform the data subject. The data subject must be given the opportunity to state their position and may request that the decision be reviewed by a natural person.
  10. Extraterritoriality: The FADP applies to circumstances that have an effect in Switzerland, even if they are initiated abroad.
  11. Representative in Switzerland: Private controllers domiciled abroad must designate a representative in Switzerland if they process personal data of persons in Switzerland, the processing is connected with offering goods or services to those persons or monitoring their behaviour, the processing is extensive and regular, and it poses a high risk to the personality of the data subjects.
  12. Data Protection Impact Assessment (DPIA): The controller must carry out a data protection impact assessment if the intended processing may entail a high risk to the personality or fundamental rights of the data subjects. The assessment describes the planned processing, the resulting risks and the measures to address them.
  13. Notification of data security breaches: In the event of a data breach that is likely to pose a high risk to the personality or fundamental rights of the data subjects, the controller must notify the Federal Data Protection and Information Commissioner (FDPIC) as quickly as possible. The data subjects must also be informed where this is necessary for their protection. A processor must report a data breach to the controller as quickly as possible; the controller then decides on further steps.
  14. Sanctions: Natural persons who intentionally breach the duties of information and disclosure, as well as certain duties of diligence, can be fined up to CHF 250'000 per violation. In contrast to the GDPR, under which fines are imposed on the company, the persons responsible within the company, such as the CEO, CIO or other functions, can be sanctioned directly.
  15. The role of the FDPIC: Administrative measures such as prohibiting a company from processing specific personal data in future and/or requiring the deletion of specific datasets are now possible. In addition, the FDPIC has the power to issue binding rulings instead of only non-binding recommendations.

Contact us

Philipp Rosenauer

Partner Legal, PwC Switzerland

Tel: +41 58 792 18 56

Lorena Rota

Manager, MLaw, Data Privacy & Security Healthcare, PwC Switzerland

Tel: +41 58 792 2750