At the end of September 2020, after a legislative process of almost four years, both chambers of the Swiss Parliament approved the revised Federal Act on Data Protection (revised FADP). The revised FADP includes numerous adaptations to the EU’s General Data Protection Regulation (GDPR), but retains its own basic concept and also deviates from the GDPR in various aspects. Examples of important changes in the revised FADP are: much stricter sanctions, extended duties to provide information, the duty to create a record of data processing activities, and the expansion of the data subject’s rights. A comparison between the revised FADP, the current FADP and the GDPR can be found here. However, it is not yet known on what date the Federal Council will bring the revised FADP into force.
Stages of the FADP revision
With the main goal of aligning Swiss data protection law to the laws of the EU and adapting it to the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS 108), the FADP revision went through the following stages:
Rejected amendments to the statute
During this legislative process, some of the proposed amendments were dropped. This was the case, e.g., with:
Most important new provisions of the revised FADP
The new Swiss data protection law nevertheless contains numerous amendments, the most important of which are explained below. An overview of the revised FADP, i.e., of the regulations which apply under the revised FADP, and a comparison with the current FADP and the GDPR, is available here in table form.
Scope: effects doctrine, representation and exclusion of data of legal persons
In the revised FADP the territorial scope of application is now explicitly determined according to what is known as the effects doctrine. This means that the law will also be applicable to companies established abroad if they process personal data and this data processing has an effect in Switzerland. However, the previous principles will remain in place for the purposes of civil and criminal law enforcement.
Companies without a registered office in Switzerland may now also be obliged to appoint a representative in Switzerland if they process personal data of persons in Switzerland. This obligation is triggered if the data processing is related to the offering of goods or services or the observation of the behaviour of these persons. In addition, it must involve substantial and regular processing which entails a high risk for the personality of the data subjects.
The revised FADP is no longer applicable to data of legal persons. Fortunately, this Swiss peculiarity will thus be abolished. However, the practical effects should not be overestimated, as B2B data traffic, for example, also regularly involves the processing of data of natural persons (e.g. contact persons).
New categories of sensitive personal data
The definition of personal data requiring special protection (“sensitive data”) has been expanded compared to the current FADP and will in future also include data on ethnicity, genetic data and biometric data that allow the clear identification of a natural person. The individual categories led to many discussions (e.g., deletion of union data and social welfare measures; MLL News of 29 May 2020) and were in some cases controversial until the last moment (e.g. restriction of genetic data; MLL News of 25 September 2020). Furthermore, the category of “personality profiles”, to which the same strict, higher requirements apply as for sensitive data, will not be included in the revised FADP (see, however, the regulation on profiling below).
Regulation on profiling
The revised FADP now contains a legal definition of profiling that corresponds to the definition in the GDPR and is not included in the current FADP. Profiling is accordingly defined as:
“any form of automated processing of personal data consisting of using such data to assess certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or whereabouts”.
In the preliminary draft, the Federal Council had originally proposed that in future profiling should only ever be permitted with justification such as the consent of the data subjects. Certain statements in Parliament have implied a similar understanding, although this proposal by the Federal Council was not incorporated into the draft bill. Thus, profiling should continue to be permissible without consent in the future. This also applies to so-called “high-risk profiling”, even though the debates in Parliament have led to a certain degree of uncertainty and the issue is still likely to be the subject of discussions in the literature and case law. In our opinion, however, it can be assumed that Parliament did not want to deviate from the established basic concept of Swiss data protection law, even with regard to high-risk profiling.
For private controllers, consent or other justification for (high-risk) profiling will therefore only be required in the case of data processing that violates personality rights. However, depending on the type and scope of profiling, this may quite easily be the case and therefore consent or other justification may be required. Since there is often considerable uncertainty as to the justification for the prevailing interest, it is likely that obtaining consent will continue to be recommended in the future. In the case of “high-risk profiling”, only explicit consent is sufficient as (possibly required) justification.
High-risk profiling was one of the main points of contention which almost caused the FADP revision to fail (MLL News of 25 September 2020). The occurrence of high-risk profiling is relevant for the explicitness of consent as well as for the justification of a credit assessment (see below). In the revised FADP, high-risk profiling is defined as:
“profiling which involves a high risk to the personality or fundamental rights of the data subject, as it creates a pairing between data that enables an assessment of essential aspects of the personality of a natural person”.
Extended information duties
The obligation to provide information is significantly extended compared to the current law. Unfortunately, however, the FADP does not contain an exhaustive list of all mandatory information that must be provided to the data subject when processing personal data. It is therefore necessary to check in each individual case what information is required; following the list in the GDPR could be considered.
At least the following mandatory information must be provided:
In addition, the revised FADP does not regulate the form in which the information has to be provided to the data subject. Therefore, although there is no legal form requirement to be observed, an “appropriate” form must be chosen which is adequate to the purpose of transparent data processing. However, a data privacy policy on the website will not always be sufficient (MLL News from 4 August 2020).
Extension of the data subject’s rights
In addition to the duty to provide information, the rights of the data subject in the revised FADP will be further extended. Similar to the GDPR, a right of the data subject to the handing over and transmission of data is now established (right to data portability). Data subjects will be able to demand that the data they disclose be made available in a common electronic format or transferred to other providers. This right is, however, not absolute. Due to the requirements of the “common electronic format” and “proportionality”, it remains to be seen how often this right can actually be invoked by the data subject in the event of a dispute (see MLL News of 4 August 2020).
In addition, in the case of automated individual decisions (see obligation to provide information above), the data subject has a right to object, according to which they may state their position on the matter and demand that the automated individual decision be reviewed by a natural person.
Provisions for the transfer of personal data within a corporate group – intra-group exemption?
The upcoming rules on the transfer of personal data within a corporate group and thus the question of whether a so-called intra-group exemption should be introduced also provided much food for discussion (MLL News of 18 December 2019). Ultimately, however, such an intra-group exemption has only been adopted in a very limited form in the new legislation. For example, although exemptions from the duty to inform and the right to information apply to intra-group data exchange under the revised FADP, intra-group disclosure may still constitute a violation of personality rights and is only permissible if there is a justification. In this case, the special justification for intra-group processing only applies if the data concerned and the type of processing are relevant and necessary “for economic competition”. Therefore, the legality of intra-group processing must always be carefully examined in each individual case.
Justification for credit assessment
Art. 30 para. 2 c) revised FADP stipulates special, stricter requirements for the assumption of a prevailing interest in case a credit assessment is conducted. Accordingly, a credit assessment is justified if:
Record of all data processing activities
In the future – as under the GDPR – a record of all processing activities has to be maintained under Swiss law. The maintenance of a record of processing activities will presumably lead to the greatest effort in implementation for most companies, unless appropriate measures for GDPR compliance have already been taken. The great effort results from the fact that all data processing activities of the entire company must be recorded and exact details must be provided and continuously updated. The minimum content of this processing record is prescribed by law for both the controller and the processor.
The controller’s record of processing activities must contain the following minimum information:
Other new duties of the controller
Also newly included are various other obligations connected to the processing of personal data (MLL News of 15 June 2020):
Stricter sanctions and increased powers of the FDPIC
The revised FADP provides for criminal sanctions in the form of a fine of up to CHF 250,000. In addition, the FDPIC may open an administrative investigation and issue orders. Even if the FDPIC himself cannot order sanctions, there is still the threat of criminal sanctions of the same amount, including where an order issued by the FDPIC is disregarded, e.g. if data continue to be processed in spite of a ban. The cantonal criminal prosecution authorities will be responsible for enforcing criminal sanctions. In addition, civil law actions for removal, injunction or damages are still possible.
During the legislative process, it was expressed that criminal sanctions are mainly aimed at managers and not at the employees who carry out the work. At the same time, however, it was not completely ruled out that there may also be cases in which the sanction could be imposed on employees without management functions. In the case of offences for which a fine of CHF 50,000 or less is envisaged and the effort to identify the offender within the business would be disproportionate, the company can ultimately be ordered to pay the fine instead of the natural person.
Outlook
With the adoption of the final voting text by both Councils, it is now clear which regulations companies that process data will have to comply with in Switzerland in the future. Nevertheless, it is not yet clear when the Federal Council will bring the revised FADP into force. Before the Federal Council announces the date of entry into force, it will however still be necessary to wait until the referendum period (14 January 2020) has expired. The specific date is particularly important because the revised FADP does not provide for any transitional periods. It is therefore advisable to push ahead with the corresponding compliance projects quickly or to launch them now (see also MLL News of 15 July 2020).