At the end of September 2020, after a legislative process of almost four years, both chambers of the Swiss Parliament approved the revised Federal Act on Data Protection (revised FADP). The revised FADP includes numerous adaptations to the EU’s General Data Protection Regulation (GDPR), but retains its own basic concept and also deviates from the GDPR in various aspects. Examples of important changes in the revised FADP are: much stricter sanctions, extended duties to provide information, the duty to create a record of data processing activities, and the expansion of the data subject’s rights. A comparison between the revised FADP, the current FADP and the GDPR can be found here. However, it is not yet known per what date the Federal Council will set the revised FADP into force.
Stages of the FADP revision
With the main goal of aligning Swiss data protection law to the laws of the EU and adapting it to the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS 108), the FADP revision went through the following stages:
- At the end of December 2016, the Federal Council opened the consultation process on the preliminary draft for a total revision of the FADP (MLL News of 6 January 2017 and MLL News of 14 February 2017).
- In September 2017, the Federal Council passed the draft bill for the revision of the FADP and the corresponding dispatch (MLL News of 21 September 2017).
- In 2019 the first debates took place in Parliament, first in the National Council (MLL News of 27 November 2019), then in the Council of States. In the process, deviations from the Federal Council’s draft and the first cornerstones of the revised FADP were approved (MLL News of 13 February 2020).
- This was followed in 2020 by the procedure for reconciling the versions of the two Councils (see MLL News of 29 May 2020, and MLL News of 29 July 2020) and the Conciliation Committee between the Councils, in which the Councils agreed upon the final voting text of the revised FADP (MLL News 25 September 2020).
Rejected amendments to the statute
During this legislative process, some of the proposed amendments were dropped. This was the case, e.g., with:
- the provision regarding data of deceased persons provided for in the Federal Council’s draft, which had previously already attracted much criticism (MLL News of 17 September 2019)
- the proposal of the Political Institutions Committee of the Council of States according to which consent is required for every disclosure of personal data (MLL News of 18 December 2019). However, the proposal ultimately led to the introduction of a (limited) corporate group privilege with regard to data protection law (see below), and
- the suggestion that the Federal Data Protection and Information Commissioner (FDPIC) could issue or declare binding „best practice“ recommendations. It only remained as a new provision that stipulates the right to submit codes of conduct to the FDPIC and his obligation to publish his opinion.
Most important new provisions of the revised FADP
The new Swiss data protection law nevertheless contains numerous amendments, the most important of which are explained below. An overview of the revised FADP, i.e., of the regulations which apply under the revised FADP, and a comparison with the current FADP and the GDPR, is available here in table form.
Scope: effects doctrine, representation and exclusion of data of legal persons
In the revised FADP the territorial scope of application is now explicitly determined according to what is known as the effects doctrine. This means that the law will also be applicable to companies established abroad if they process personal data and this data processing has an effect in Switzerland. However, the previous principles will remain in place for the purposes of civil and criminal law enforcement.
Companies without a registered office in Switzerland may now also be obliged to appoint a representative in Switzerland if they process personal data of persons in Switzerland. This obligation is triggered if the data processing is related to the offering of goods or services or the observation of the behaviour of these persons. In addition, it must involve substantial and regular processing which entails a high risk for the personality of the data subjects.
The revised FADP is no longer applicable to data of legal persons. Fortunately, this Swiss peculiarity will thus be abolished. However, the practical effects should not be overestimated, as B2B data traffic, for example, also regularly involves the processing of data of natural persons (e.g.. contact persons).
New categories of sensitive personal data
The definition of personal data requiring special protection („sensitive data“) has been expanded compared to the current FADP and will in future also include data on ethnicity, genetic data and biometric data that allow the clear identification of a natural person. The individual categories led to many discussions (e.g., deletion of union data and social welfare measures; MLL News of 29 May 2020) and were in some cases controversial until the last moment (e.g. restriction of genetic data; MLL News of 25 September 2020). Furthermore, the category of „personality profiles“, to which the same strict, higher requirements apply as for sensitive data, will not be included in the revised FADP (see, however, the regulation on profiling below).
Regulation on profiling
The revised FADP now contains a legal definition of profiling that corresponds to the definition in the GDPR and is not included in the current FADP. As profiling is therefore considered:
„any form of automated processing of personal data consisting of using such data to assess certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or whereabouts“.
In the preliminary draft, the Federal Council had originally proposed that in future profiling should only ever be permitted with justification such as the consent of the data subjects. Certain statements in Parliament have implied a similar understanding, although this proposal by the Federal Council was not incorporated into the draft bill. Thus, profiling should continue to be permissible without consent in the future. This also applies to so-called „high-risk profiling“, even though the debates in Parliament have led to a certain degree of uncertainty and the issue is still likely to be the subject of discussions in the literature and case law. In our opinion, however, it can be assumed that Parliament did not want to deviate from the established basic concept of Swiss data protection law, even with regard to high-risk profiling.
For private controllers, consent or other justification for (high-risk) profiling will therefore only be required in the case of data processing that violates personality rights. However, depending on the type and scope of profiling, this may quite easily be the case and therefore consent or other justification may be required. Since there is often considerable uncertainty as to the justification for the prevailing interest, it is likely that obtaining consent will continue to be recommended in the future. In the case of „high-risk profiling“, only explicit consent is sufficient as (possibly required) justification.
High-risk profiling was one of the main points of contention which almost caused the FADP revision to fail (MLL News of 25 September 2020). The occurrence of high-risk profiling is relevant for the explicitness of consent as well as for the justification of a credit assessment (see below). In the revised FADP, high-risk profiling is defined as:
„profiling which involves a high risk to the personality or fundamental rights of the data subject, as it creates a pairing between data that enables an assessment of essential aspects of the personality of a natural person“.
Extended information duties
The obligation to provide information is significantly extended compared to the current law. Unfortunately, however, the FADP does not contain an exhaustive list of all mandatory information that must be provided to the data subject when processing personal data. It is therefore necessary to check in each single case what information is required, whereas following the list of the GDPR could be considered.
At least the following mandatory information must be provided:
- the identity and contact details of the controller;
- the processing purposes;
- in the case of disclosure of data: the recipients or the categories of recipients;
- in the case of data being disclosed abroad, additionally: the state or international body and, if applicable, the safeguards of appropriate data protection or the exception, if no such safeguards are given;
- in the case of indirect data collection (i.e. data are not collected from the data subject themselves), additionally: the categories of personal data processed;
- the conduct of automated individual decisions, i.e. a decision based solely on automated processing which results in a legal consequence or substantial effects for the data subject.
Extension of the data subject’s rights
In addition to the duty to provide information, the rights of the data subject in the revised FADP will be further extended. Similar to the GDPR, a right of the data subject to the handing over and transmission of data is now established (right to data portability). Data subjects will be able to demand that the data they disclose be made available in a common electronic format or transferred to other providers. This right is, however, not absolute. Due to the requirements of the „common electronic format“ and „proportionality“, it remains to be seen how often this right can actually be invoked by the data subject in the event of a dispute (see MLL News of 4 August 2020).
In addition, in the case of automated individual decisions (see obligation to provide information above), the data subject has a right to object, according to which they may state their position on the matter and demand that the automated individual decision be reviewed by a natural person.
Provisions for the transfer of personal data within a corporate group – intra-group exemption?
The upcoming rules on the transfer of personal data within a corporate group and thus the question of whether a so-called intra-group exemption should be introduced also provided much food for discussion (MLL News of 18 December 2019). Ultimately, however, such an intra-group exemption has only been adopted in a very limited form in the new legislation. For example, although exemptions from the duty to inform and the right to information apply to intra-group data exchange under the revised FADP, intra-group disclosure may still constitute a violation of personality rights and is only permissible if there is a justification. In this case, the special justification for intra-group processing only applies if the data concerned and the type of processing are relevant and necessary „for economic competition“. Therefore, the legality of intra-group processing must always be carefully examined in each individual case.
Justification for credit assessment
Art. 30 para. 2 c) revised FADP stipulates special, stricter requirements for the assumption of a prevailing interest in case a credit assessment is conducted. Accordingly, a credit assessment is justified if:
- no sensitive personal data are processed and no high-risk profiling is involved;
- the data are only disclosed to third parties if they need the data for the conclusion or execution of a contract with the data subject;
- the data are not older than ten years;
- the data subject is of full age.
Record of all data processing activities
In the future – as under the GDPR – a record of all processing activities has to be maintained under Swiss law. The maintenance of a record of processing activities will presumably lead to the greatest effort in implementation for most companies, unless appropriate measures for GDPR compliance have already been taken. The great effort results from the fact that all data processing activities of the entire company must be recorded and exact details must be provided and continuously updated. The minimum content of this processing record is prescribed by law for both the controller and the processor.
The controller’s record of processing activities must contain the following minimum information:
- the identity of the controller
- the purpose of the processing
- a description of the categories of data subjects and the categories of personal data processed
- the categories of the recipients
- „if possible“, the period of retention of personal data or the criteria for determining this period
- „if possible“, a general description of the measures taken to ensure data security (appropriate technical and organizational measures to prevent data security breaches)
- if the data is disclosed abroad, the indication of the country and the safeguards by which appropriate data protection is ensured.
Other new duties of the controller
Also newly included are various other obligations connected to the processing of personal data (MLL News of 15 June 2020):
- Data breach notification: Breaches of data security (e.g. loss of data) which are likely to result in a high risk to the personality or fundamental rights of the data subject must be notified without delay to the FDPIC and, as the case may be, to the data subject.
- Data protection impact assessments: If an intended data processing operation entails a high risk of violation of the personality or fundamental rights of a data subject, the controller is obliged to analyse the risks of such processing in a data protection impact assessm The revised FADP is based on the understanding that a high risk must be assumed in particular when using new technologies and extensive processing of sensitive personal data or when systematically monitoring extensive public areas.
- Privacy-by-design and privacy-by-default: As in the GDPR, the revised FADP also explicitly anchors the principles of „data protection through technology“ and „data protection through privacy-friendly default settings“. When processing personal data, appropriate technical and organizational measures must be taken „from the planning stage“ to ensure the implementation of data protection principles (e.g. data minimization) in these systems (privacy by design). The default settings, e.g. for apps or websites, must also be designed „so that the processing of personal data is limited to the minimum necessary for the intended purpose“ (privacy-by-default).
Stricter sanctions and increased powers of the FDPIC
The revised FADP provides for criminal sanctions in the form of a fine of up to CHF 250,000. In addition, the FDPIC may open an administrative investigation and issue orders. Even if the FDPIC himself cannot order sanctions, there is still the threat of criminal sanctions of the same amount, even if an order issued by the FDPIC is disregarded, e.g. if data are continued to be processed in spite of a ban. The cantonal criminal prosecution authorities will be responsible for enforcing criminal sanctions. In addition, civil law actions for removal, injunction or damages are still possible.
During the legislative process, it was expressed that criminal sanctions are mainly aimed at managers and not at the employees who carry out the work. At the same time, however, it was not completely ruled out that there may also be cases in which the sanction could be imposed on employees without management functions. In the case of offences for which a fine of CHF 50,000 or less is envisaged and the effort to identify the offender within the business would be disproportionate, the company can ultimately be ordered to pay the fine instead of the natural person.
With the adoption of the final voting text by both Councils, it is now clear which regulations companies that process data will have to comply with in Switzerland in the future. Nevertheless, it is not yet clear when the Federal Council will enter the revised FADP into force. Until the Federal Council announces the date of entry into force, it will however still be necessary to wait until the referendum period (14 January 2020) has expired. The specific date is particularly important because the revised FADP does not provide for any transitional periods. It is therefore advisable to push ahead with the corresponding compliance projects quickly or to launch them now (see also MLL News of 15 July 2020).