In September 2020, the Swiss Parliament gave the green light for the adoption of the new Federal Data Protection Act (nFADP). This measure aims to align local practices with the General Data Protection Regulation (GDPR) established by the European Union (EU). The primary goal of this law is to enhance the management of personal data while granting new rights to Swiss residents. Effective as of September 1, 2023, the nFADP shares significant similarities with the GDPR in terms of guiding principles and definitions. Furthermore, its cantonal-level adaptation will be uniformly applied throughout Switzerland.
If you are a business that has already complied with the European data protection regulations, the necessary adjustments will remain minimal.
In this article, we will delve into the new nFADP regulation in Switzerland and its implications for your digital strategy. We will begin by explaining the context and objectives of the nFADP, then review key changes, the Data Protection Impact Assessment (DPIA), consequences of non-compliance, and finally, provide practical advice for maintaining long-term compliance. We will also examine the specific impact of the nFADP on marketing teams.
Switzerland: GDPR, nFADP, Data Security, Competitiveness.
As a third country in relation to the European Union (EU), Switzerland must continually modernize its legislation to stay aligned with the GDPR and to keep data flowing with EU member states.
This new legislation holds paramount importance in ensuring adequate data protection for Swiss citizens in the age of technological advancements and societal changes, such as the widespread use of the internet, smartphones, social media, the cloud, and the Internet of Things. Furthermore, harmonizing Swiss law with the GDPR is an essential challenge to maintain the smooth flow of data exchanges with the EU and prevent any decline in the competitiveness of Swiss businesses.
The revised nFADP strengthens data protection in Switzerland.
Implications for Individuals and Businesses.
Recently, the Swiss Data Protection Act (FADP) underwent revisions to address current challenges related to safeguarding personal data while ensuring compliance with European standards. This update encompasses several significant changes that strengthen the rights of the individuals concerned and the responsibilities of businesses.
The new Swiss data protection law (nFADP) applies to all companies processing personal and sensitive data as part of their operations. The law imposes strict obligations on businesses regarding consent, transparency, security, and the preservation of data confidentiality.
The New Powers of the Swiss Data Protection Commissioner.
With the advent of this law, the supervisory authority for data protection in Switzerland, the Data Protection Commissioner, sees its authority reinforced, gaining increased decision-making powers. The Commissioner will be empowered to request the suspension of personal data processing by a company and impose criminal sanctions when necessary. As a result, businesses are obligated to comply with these new regulations to avoid penalties and fines while ensuring optimal data security.
The 8 Major Changes Brought by the Revision of the FADP.
According to information available on the official website of the Federal Council, the new Swiss data protection legislation introduces eight major changes that pertain to businesses:
- This legislation covers only the data of natural persons, not that of companies or other legal entities.
- Genetic and biometric information is now classified as sensitive data.
- Two new measures target developers: (a) the concept of “Privacy by Design,” which requires developers to integrate data protection measures into the design of their products or services that collect personal data; (b) the principle of “Privacy by Default,” which requires products and services to be preconfigured to protect user data and privacy from the outset.
- An impact assessment must be conducted if the collected data has the potential to compromise the rights of the individuals concerned.
- Before collecting personal information, individuals concerned must be informed and provide their consent.
- Companies are required to maintain a record of their data processing activities. Small businesses with limited privacy risks for individuals concerned may be exempted.
- In the event of a data security breach, companies must promptly notify the Federal Data Protection and Information Commissioner (FDPIC).
- Profiling, the automated processing of personal data to evaluate aspects of an individual, is now explicitly defined in the law.
Other less significant changes are also implemented, such as the requirement for companies with more than 250 employees to appoint a Data Protection Officer (DPO), while the appointment of a DPO is recommended for companies with more than 200 employees.
The DPIA ensures the preservation of rights and freedoms.
When the processing of personal data poses a risk to the rights and freedoms of the individuals concerned, a Data Protection Impact Assessment (DPIA) must be conducted. This obligation arises in two situations: first, when the processing is listed among the operations for which the National Commission for Information Technology and Civil Liberties (CNIL) has deemed a DPIA relevant, and second, when the processing meets at least two of the nine criteria listed in the Article 29 Working Party’s guidelines on data protection (WP29).
The criteria derived from the WP29 guidelines are as follows:
- Evaluation or scoring,
- Automated decision-making with legal or similarly significant effects,
- Systematic monitoring,
- Collection of sensitive or highly personal data,
- Large-scale data processing,
- Matching or combining datasets,
- Processing of data concerning vulnerable individuals,
- Innovative use or application of technology,
- Processing that prevents individuals from exercising a right or using a service or contract.
DPIA: When is it Required?
If you operate as a marketing expert and collect nationwide geolocation data for advertising purposes, this processing meets two of the criteria above: large-scale data processing and the collection of sensitive or highly personal data. Consequently, a Data Protection Impact Assessment (DPIA) is mandatory.
nFADP: Implications and Risks of Non-Compliance
To avoid the implications and risks associated with non-compliance, Swiss businesses must align with the guidelines of the nFADP.
With its enhanced powers, the Data Protection Commissioner is now authorized to:
- Conduct in-depth investigations,
- Require access to internal data,
- Carry out audits and impose corrections or data deletions in case of violations.
While these powers are less extensive than those of EU supervisory authorities, it is essential to note that non-compliance with the law can result in both criminal and administrative penalties.
Swiss courts are empowered to impose criminal fines of up to 250,000 CHF for individuals in the event of a deliberate violation of data protection law. Therefore, companies must rigorously comply to avoid these sanctions, which have individual implications, meaning that executives can be held accountable before the judicial authorities.
Finally, it remains essential for companies to raise awareness among their senior management about this legal obligation. By adhering to the provisions of Swiss data protection legislation, businesses can ensure the security of their customers and preserve their reputation while avoiding the detrimental consequences of non-compliance.
Strategies for Long-Term Compliance with the nFADP
To ensure long-term compliance once the nFADP is in effect, it is important to assess the current situation and establish a well-crafted compliance plan. Here are some key aspects to consider in order to remain compliant:
- Assess the Need for a Data Protection Officer (DPO): Depending on the size and nature of your business, determine whether you require the assistance of a DPO.
- Inventory Data Processing: Create a comprehensive list of all data processing activities you perform. Note that some exceptions apply to small businesses or those not handling sensitive data.
- Opt-in and Opt-out: Implement active opt-ins or opt for double opt-ins for newsletter subscriptions. Include clear opt-out options in your email content.
- Data Protection Clauses: Ensure that contracts with your suppliers and employees include data protection clauses.
- Employee Training: Train your staff on data protection rules and ensure their compliance.
- Integrate Data Protection Principles: Apply data protection principles by default for all new projects or data processing (Privacy by Default).
- Manage Individual Rights: Prepare to address individuals’ requests regarding their rights, such as the right to be forgotten, erasure, objection, etc.
- Risk Assessment: Evaluate risks associated with high-risk data processing and transfers and conduct impact assessments when necessary.
- Data Security: Ensure the security of all personal data by maintaining their confidentiality, integrity, and availability.
- Security Breach Management Plan: Prepare to manage data security breaches and develop a crisis management plan.
After identifying essential compliance points, it’s important to create a detailed plan for their implementation. However, vigilance and compliance must be maintained in the long term. Ensure regular monitoring of regulatory developments, which can be achieved with the assistance of a data protection expert or a dedicated team within your organization. By following these steps, you will ensure your company maintains lasting compliance with the nFADP and avoids potential penalties.
Impact of the nFADP on Your Marketing Strategy
Marketing teams are directly affected by the changes brought by the new version of the Swiss Federal Act on Data Protection (nFADP), which has introduced significant alterations regarding the protection of personal data for Swiss consumers. Taking inspiration from the European Union’s General Data Protection Regulation (GDPR), this updated version of the FADP imposes stricter standards on businesses, particularly concerning direct marketing, digital consent, and the right to be forgotten.
The underlying goal of these measures is to ensure a higher level of protection for users’ personal data by granting them better control over its use and processing. Companies are thus compelled to adapt to these new regulations to avoid penalties and preserve the trust of their customer base.
Direct Marketing: New Consent Requirements
Under the nFADP, companies are obligated to obtain the prior, free, and informed consent of consumers before approaching them with commercial proposals. Consumers must explicitly agree to the use of their personal data for direct marketing purposes.
Right to Be Forgotten
To cultivate a climate of trust between Swiss businesses and consumers, it is of utmost importance to respect their privacy. Therefore, companies are obliged to respond positively to requests for the deletion of personal data from consumers, except in situations where such data is essential for contract execution or is required in a specific domain. This initiative demonstrates to consumers that their personal data is treated with profound respect, thereby contributing to the establishment of a mutual trust relationship.
While implementing these new regulations may present challenges for businesses, they are essential for protecting consumers’ privacy and increasing their control over their personal data.
Adhering to these rules allows companies to strengthen consumer trust and enhance their relationship with them. Furthermore, this can serve as a competitive advantage that your marketing teams can emphasize to distinguish themselves from those who would risk non-compliance with the legislation.
This law represents a significant milestone in data protection in Switzerland, aligning national practices with international standards. Its essential role in promoting data privacy, transparency, and security cannot be understated.
As the digital landscape continues to evolve, this new data protection legislation establishes a robust framework to ensure that Swiss citizens’ data is handled with diligence and respect.
By adhering to these rules, both businesses and citizens contribute to creating a more ethical and reliable online environment, where data exchanges take place with a focus on the rights and privacy of each individual.
For a swift and effective compliance with the new Swiss Federal Act on Data Protection, we at Eminence are your ideal partner. Our expertise in data privacy ensures that your websites meet the standards while optimizing your marketing strategies for an enhanced user experience. Contact us today to secure your data and strengthen your users’ trust online.