nFADP: New Federal Act on Data Protection in Switzerland

The Federal Council has recently provided for the total revision of the DPA and the corresponding ordinance provisions.

This law will enter into full force on 01 September 2023, with the aim of ensuring better data protection in the future.

In particular, data protection will be adapted to technological developments, self-determination regarding personal data will be strengthened, and transparency in the collection of personal data will be increased.

LINK: https://www.kmu.admin.ch/kmu/en/home/facts-and-trends/digitization/data-protection/new-federal-act-on-data-protection-nfadp.html

The main changes foreseen

Only the data of natural persons will henceforth be covered, and no longer those of legal persons.
Genetic and biometric data enter the definition of sensitive data.
The principles of “Privacy by Design” and “Privacy by Default” are introduced. As its name indicates, the principle of ‘Privacy by Design’ (protection of data from conception) implies that developers integrate protection and respect for users’ privacy into the very structure of the product or service called upon to collect personal data. The principle of ‘Privacy by Default’, on the other hand, ensures the highest level of security from the time the product or service is put into circulation, by automatically activating, i.e. without user intervention, all the necessary measures to protect data and limit their use. In other words, all software, material and services must be configured to protect data and respect users’ privacy.
Impact analyses must be conducted if there is a high risk to the personality or fundamental rights of the persons concerned.
The right to information is extended: the collection of all personal data – and no longer only of so-called sensitive data – must lead to the prior information of the data subject.
A register of processing activities becomes mandatory.
Rapid notification is required in the event of a data security breach, to be forwarded to the Federal Data Protection and Information Commissioner (IDT).
The notion of profiling (i.e. automated processing of personal data) becomes part of the law.

Market competitiveness at EU level and differences to the EU

Companies that had already adapted to the EU General Data Protection Regulation (GDPR) will have few changes to make.

The new data protection law strengthens Switzerland as a business location and ensures compatibility with European law by making it possible to ratify the updated version of Council of Europe Convention 108 on data protection.

These adjustments in the new data protection legislation are important to ensure that the EU continues to recognise Switzerland as a third country with an adequate level of data protection and that cross-border data transfers remain possible in the future without additional conditions. This is central for Switzerland as a business location and for its competitiveness. The EU has recognised Switzerland’s level of protection since 2000. This recognition is currently being reviewed.

The commitment of Jetika Group

We are committed to ensuring that all our customers are up to date with the nFADP data protection law. Our commitment is to treat our customers’ data in accordance with the federal guidelines, and to respect our corporate philosophy as always.