Administrative Law · 6 min read · 2026-03-20

Data Protection in Switzerland: The New FADP

The new Federal Act on Data Protection (nFADP) in force since 1 September 2023: principles (art. 6 FADP), privacy by design (art. 7 FADP), data subject rights and criminal sanctions.

Last updated: 2026-03-20

The New Federal Act on Data Protection (nFADP)

The new Federal Act on Data Protection (nFADP) came into force on 1 September 2023, replacing the 1992 act that had become obsolete in the face of technological developments. This total revision aligns Swiss law with international standards, notably the European Union's General Data Protection Regulation (GDPR).

General Principles (Art. 6 FADP)

Art. 6 FADP sets out the fundamental principles governing the processing of personal data:

  1. Lawfulness: processing must comply with the law
  2. Good faith: processing must be fair and transparent
  3. Proportionality: only data necessary for the stated purpose may be collected
  4. Purpose limitation: data may only be processed for the purpose indicated at the time of collection
  5. Accuracy: data must be accurate and kept up to date
  6. Storage limitation: data must be destroyed or anonymised as soon as it is no longer necessary

Any violation of these principles renders the processing unlawful, unless a justification exists (consent, overriding interest, statutory provision).

Privacy by Design and by Default (Art. 7 FADP)

Art. 7 FADP introduces two major concepts:

  1. Privacy by design: the data controller must integrate data protection from the design stage of their systems and processes
  2. Privacy by default: default settings must ensure the least intrusive processing possible

In practice, this means that applications, websites and IT systems must be configured to minimise data collection by default. The user must actively consent to more extensive processing.

Duty to Inform (Art. 19-21 FADP)

Art. 19 FADP imposes an enhanced information obligation. When collecting personal data, the controller must communicate:

  1. Their identity and contact details
  2. The purpose of the processing
  3. Any recipients of the data
  4. In case of transfer abroad, the destination country and the protection guarantees

This obligation applies to all data collection, not only to sensitive data (unlike the former law). Failure to comply with this duty constitutes a criminal offence.

Rights of Data Subjects (Art. 25-27 FADP)

The nFADP considerably strengthens the rights of persons whose data is processed:

Right of access (art. 25 FADP): any person may ask the controller, free of charge, whether data concerning them is being processed and obtain a copy of that data. The controller must respond within 30 days.

Right to data portability (art. 28 FADP): individuals may request that their data be provided to them in a commonly used electronic format or be transferred to another controller.

Right to erasure: although the nFADP does not provide for a right to be forgotten as explicit as that of the GDPR, the proportionality principle (art. 6 FADP) requires the destruction of data that has become unnecessary.

Criminal Sanctions (Art. 60-66 FADP)

This is one of the major innovations of the nFADP: violations are subject to criminal sanctions. Art. 60 FADP provides for a fine of up to CHF 250,000 for private individuals who:

  1. Violate the duty to inform (art. 19-21 FADP)
  2. Fail to respect the right of access (art. 25-27 FADP)
  3. Transfer data abroad in violation of art. 16-17 FADP
  4. Entrust processing to a sub-processor without complying with legal conditions

Unlike the GDPR, sanctions target the natural persons responsible, not the company as such. The Federal Data Protection and Information Commissioner (FDPIC) may also open investigations and order administrative measures.

Comparison with the European GDPR

The nFADP draws heavily on the GDPR but presents notable differences:

  1. Sanctions: fines up to CHF 250,000 (nFADP) vs 4% of global turnover (GDPR)
  2. Target: natural persons (nFADP) vs companies (GDPR)
  3. DPO: no obligation to appoint a data protection officer (nFADP); obligation under certain conditions (GDPR)
  4. Consent: no systematic consent required under nFADP (processing is lawful if it complies with principles); consent often required under GDPR
  5. Legal basis: Swiss companies active in the EU must comply with both regulations

Frequently Asked Questions

When did the new Swiss FADP come into force?

The new Federal Act on Data Protection (nFADP) came into force on 1 September 2023, replacing the 1992 act.

What are the sanctions for violating the FADP?

Art. 60 FADP provides for fines of up to CHF 250,000 for the natural persons responsible. Unlike the GDPR, it is individuals, not companies, who are targeted by criminal sanctions.

What is the difference between the Swiss FADP and the GDPR?

The main differences: nFADP sanctions target natural persons (max CHF 250,000) while the GDPR targets companies (max 4% of global turnover). The nFADP does not require a mandatory DPO or systematic consent. Swiss companies active in the EU must comply with both regulations.

Editorial note

This article is provided for general information on Swiss law. It does not constitute legal advice and is no substitute for consulting a professional.
