How does the revised Federal Act on Data Protection (revFADP) regulate personal data breaches?

Philipp Rosenauer
Partner Legal, PwC Switzerland

Failure to comply with data protection regulations can be costly. In Switzerland, fines of up to CHF 250,000 may be imposed for breaches of data protection law by controllers and processors, provided the breach is intentional. In general, the revFADP provides for lower fines than the EU General Data Protection Regulation (GDPR). However, in contrast to the GDPR, the fine is imposed not on the company but on the individual responsible for the misconduct. This personal nature of the fine is deemed more effective because it can be neither insured against nor paid by the company. (Note that "personal data breach" in this context means a breach of data protection law, not specifically a security incident.)

Who is deemed liable in the event of a personal data breach? Does this differ from the GDPR?

Under the revFADP, the person directly committing the infringement is held liable; under the GDPR, by contrast, (only) the infringing company is fined. Investigation proceedings for violations of data protection provisions are therefore directed against the person responsible for the data processing in question. Because of their personal nature, such fines cannot be insured against, nor may the company pay them on behalf of the natural person.
The revFADP compensates for this strict, personal approach to liability by setting higher requirements for a fine. It must be evident that the violator acted intentionally, or at least with contingent intent (dolus eventualis, i.e. accepting the violation as a possible consequence of their conduct). In addition, violations of the fundamental data processing principles of the FADP remain exempt from punishment.

How are fines regulated in case of personal data breaches?

Liability and the catalogue of fines under the revFADP differ significantly from the GDPR.

The maximum fine has been raised to CHF 250,000 under the revFADP. This is still considerably lower than the maximum fine under the GDPR, and the difference reflects a different purpose: the FADP treats the fine as a criminal sanction for the individual's behaviour, whereas the fine catalogue of the GDPR aims at strengthening the general motivation for regulatory compliance.

What will change with the revFADP?

Enforcement of the FADP will also change under the new law. In the past, the Federal Data Protection and Information Commissioner (FDPIC) could only issue recommendations to data controllers and processors who did not comply with the FADP. Under the revFADP, the FDPIC may issue binding orders directly to controllers and processors. For example, the FDPIC will be able to order that a particular data processing activity be stopped or adapted.

This also means, however, that proceedings will become more formal and will require more personnel resources than under the FADP of 1992, as these new powers bring additional duties for the FDPIC.

Under what circumstances will we face fines under the new revFADP?

In the past, fines were only imposed for violations of the duty to inform, the duty to grant data subject access, and the duty to cooperate with the FDPIC.

Under the revFADP, violations of the provisions on data exports, violations of the provisions on commissioning processors, and certain violations of the minimum data security requirements are also punishable with fines.
