What Swiss data protection and privacy laws do we need to know?
(FADP, DPO, EU GDPR alignment, ISG, TCA, ESigA)
Swiss legislation in the field of data protection, privacy and IT is comprehensive and aims to align closely with international standards, in particular the European Union's General Data Protection Regulation (GDPR). Here are some key aspects:
Cybersecurity
Switzerland is proactive in the area of cybersecurity:
- The Federal Office for Cybersecurity (BACS), formerly the National Cyber Security Centre (NCSC), coordinates national cybersecurity efforts, provides guidance and responds to cyber incidents.
- Cybercrime laws: The Swiss Penal Code includes provisions against cybercrimes such as hacking, data breaches and fraud.
Data Protection and IT Compliance
- Cross-border data transfers: Swiss law permits data transfers to countries with adequate levels of data protection. Transfers to other countries require additional safeguards.
- IT compliance: Organisations must ensure compliance with data protection laws, including regular audits, employee training and implementation of data protection policies.
Here are the main Swiss data protection and privacy regulations:
Federal Act on Data Protection (FADP)
The primary legislation governing data protection in Switzerland is the Federal Act on Data Protection (FADP). The FADP ensures that personal data is handled in a manner that respects individuals' privacy rights.
- The FADP defines personal data broadly, including any information related to an identified or identifiable person.
- Data processing must be conducted lawfully, in good faith, and proportionately.
- Individuals have the right to access their data, correct inaccuracies, and request deletion.
- Organisations must take appropriate technical and organisational measures to protect data.
- Scope: It applies to all organisations that process personal data in Switzerland and to certain data processing activities outside Switzerland that have an effect in the country.
- Transfers of personal data to countries without adequate data protection require specific safeguards or conditions.
The FADP has been revised to align more closely with the EU's GDPR, enhancing data protection standards and introducing stricter requirements for businesses and organisations. The revised FADP, which came into force on 1 September 2023, introduces more robust safeguards and stricter enforcement mechanisms to ensure the privacy and security of personal data in Switzerland.
Data Protection Ordinance (DPO)
The DPO is a set of implementing regulations for the FADP. It provides more detailed procedures and clarifications on how the principles set out in the FADP should be applied in practice.
The ordinance covers specific requirements for data security, the role and duties of the Federal Data Protection and Information Commissioner (FDPIC), and the particulars of registering data files, among other procedural issues.
In essence, the FADP lays down the legal framework and foundational principles, while the DPO provides detailed guidelines and administrative procedures to ensure compliance with the law. Together, they work to protect personal data and regulate how it should be handled within the jurisdiction of Switzerland.
EU GDPR alignment
Although Switzerland is not a member of the EU, the revised FADP is closely aligned with the GDPR. This alignment helps Swiss companies comply with EU standards, facilitating data transfers and international operations.
While Switzerland's FADP and the European Union's GDPR share similar goals and principles, there are some key differences between the two:
| Aspect | FADP | GDPR |
|---|---|---|
| Scope and applicability | Applies to private companies and federal bodies that process personal data in Switzerland. It also applies to data processing activities outside Switzerland that have an effect within the country. | Applies to any organisation processing personal data of individuals within the EU, regardless of where the organisation is located. |
| Data protection officer (DPO) | Does not explicitly require the appointment of a DPO, but encourages it as a good practice. | Requires the appointment of a DPO in certain circumstances, such as where processing is carried out by a public authority or where the core activities involve regular and systematic monitoring of data subjects on a large scale. |
| Legal basis for processing | Requires that personal data be processed lawfully, in good faith, and in a proportionate manner. It does not explicitly list lawful bases as the GDPR does. | Provides six lawful bases for processing personal data: consent, contract, legal obligation, vital interests, public task, and legitimate interests. |
| Data breach notification | Also requires data breach notification, but the criteria and timing may be less stringent than under the GDPR. | Requires organisations to report personal data breaches to the supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. |
| Rights of data subjects | Grants similar rights, but does not explicitly include the right to data portability. | Grants several specific rights to data subjects, including the right of access, rectification, erasure (right to be forgotten), restriction of processing, data portability, and the right to object. |
| Fines and penalties | Fines under the FADP are generally lower, with maximum fines for certain violations of up to CHF 250,000. | Fines for non-compliance are substantial, up to €20 million or 4% of annual worldwide turnover, whichever is greater. |
| Profiling and automated decision-making | Addresses automated decision-making, but the provisions are less detailed compared to the GDPR. | Sets specific rules on profiling and automated decision-making, including the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or significantly affects the individual. |
| Data transfer mechanisms | Similar requirements for data transfers to third countries, focusing on ensuring adequate protection or appropriate safeguards. | Allows data transfers to third countries only if they ensure an adequate level of data protection, or if specific safeguards (such as standard contractual clauses or binding corporate rules) are in place. |
| Regulatory authority | The Federal Data Protection and Information Commissioner (FDPIC) is responsible for overseeing compliance in Switzerland. | Supervisory authorities in each EU member state oversee compliance, with the European Data Protection Board (EDPB) providing guidance and ensuring consistent application. |
While the FADP and GDPR are aligned in many respects, especially after the revision of the FADP to harmonise with the GDPR, these differences highlight the unique aspects and requirements of each regulatory framework.
Other regulations worth mentioning:
The Information Security Act (ISG)
It entered into force on 1 January 2024. The aim of the ISG is to ensure the confidentiality, integrity and availability of data handled by federal authorities and providers of critical infrastructure (sectors that are essential for society, the economy and the state, such as energy and drinking water supply, waste disposal, finance, healthcare, information and communication, food and drink, transport and traffic, security and safety).
Key aspects of the law:
- Information security management: Mandates the implementation of Information Security Management Systems (ISMS) based on recognised standards.
- Incident reporting: Requires significant security incidents to be reported to the relevant authorities.
Several laws regulate electronic communications and IT infrastructure:
- Telecommunications Act (TCA): Regulates the provision of telecommunications services, focusing on competition, consumer protection and data security.
- Electronic Signatures Act (ESigA): Regulates electronic signatures, giving them the same legal validity as handwritten signatures if they meet certain standards.
Conclusion
Swiss data protection, privacy and IT legislation is robust and aims to protect personal data and ensure the secure handling of information. Alignment with EU regulations helps Swiss companies operate smoothly in an international context while maintaining high standards of data protection and cybersecurity.
And we remind you that our company hosts its own data and that of its customers exclusively in Switzerland, where it is highly protected both physically and legally!
Sources:
FADP - https://www.fedlex.admin.ch/eli/cc/2022/491/en
DPO - https://www.fedlex.admin.ch/eli/cc/2022/568/en
https://www.admin.ch/gov/de/start/dokumentation/medienmitteilungen/bundesrat.msg-id-98497.html
NCSC – BACS – SEPOS - https://www.netzwoche.ch/news/2023-11-08/bund-legt-verantwortung-fuer-it-sicherheit-in-neue-haende
TCA - https://www.fedlex.admin.ch/eli/cc/1997/2187_2187_2187/en