Switzerland has recently enacted the new Federal Act on Data Protection (nFADP) to safeguard its citizens’ data. Approved by Parliament in the autumn of 2020, the nFADP will become enforceable on September 1, 2023. This fresh legislation represents an essential update to the 1992 Federal Data Protection Act, tailored to shield Swiss citizens’ data in the technologically advanced era of social media and digital advancements. The nFADP harmonizes Swiss data protection law with the European General Data Protection Regulation (GDPR), in an effort to maintain data flow with the European Union (EU) and bolster the competitive edge of Swiss companies.
The nFADP introduces various changes for businesses, including the mandatory registration of processing activities and the implementation of the “Privacy by Design” and “Privacy by Default” principles, assuring additional security for personal data. Moreover, in case of a data breach, companies are required to promptly notify the Federal Data Protection and Information Commissioner (FDPIC). Additionally, the nFADP encompasses the concept of profiling and defines genetic and biometric information as sensitive data.
Compliance with this new legislation is important for Swiss companies, as it prevents reputational harm and potential fines. The nFADP empowers Swiss citizens with new rights to safeguard their data, requiring companies to follow a series of steps to align with the new act.
The Path to Compliance with the new DPA
The nFADP presents a significant challenge to Swiss companies, particularly those that process large amounts of personal data. Here are some of the areas that companies need to take a closer look at:
- Monitoring: evaluation of the current data protection standards. It is important to take stock of the collected, processed, stored and shared data. It is advised to estimate the data protection risks as well.
- Appointing a Data protection advisor: The advisor is responsible for ensuring that the company processes personal data in accordance with the nFADP, advises the company on its data protection obligations and cooperates with the FDPIC.
- Keeping records of all processing activities: Companies must keep a record of all processing activities. This includes data on the type of data processed and the purpose of the processing, among others. Companies must also document the technical and organizational measures they have taken to protect personal data.
- Educating team members about the new law: Companies must ensure that their employees understand the new law and their obligations under it. This includes educating employees about the principles of “Privacy by Design” and “Privacy by Default,” as well as providing training on data protection issues.
- Conducting a risk assessment: Companies should conduct a risk assessment to identify and evaluate the risks associated with the processing of personal data. This assessment should identify the likelihood and severity of harm that could result from a data security breach, and identify the measures that can be taken to mitigate these risks.
- Implementing appropriate technical and organizational measures: Companies must implement appropriate technical and organizational measures to protect personal data. This includes measures such as data encryption, access controls, and regular data backups.
- Reviewing contracts with service providers: Companies that use third-party service providers to process personal data must ensure that these service providers comply with the nFADP.
This list is not exhaustive and does not cover all cases, but it should help to navigate through the new legislation. If you require help with reaching nFADP compliance, you can contact Buzzfactory for a free consultation.
The importance of complying with the nFADP
Complying with the nFADP is essential for Swiss companies, as non-compliance can lead to significant fines. The FDPIC has the power to impose fines of up to CHF 250,000 for serious violations of the new law, and up to CHF 50,000 for minor violations. In addition to financial penalties, companies that violate the nFADP risk damage to their reputation, which can have long-term consequences for their business.
Furthermore, compliance with the nFADP is important for maintaining the trust of customers and stakeholders. By demonstrating that they take data protection seriously, companies can build trust with customers and differentiate themselves from competitors who may not be taking the same level of care with personal data.
The new Federal Act on Data Protection (nFADP) is an important legislative change that brings Switzerland’s data protection laws in line with the technological and social developments of our time.
How GDPR has influenced Data protection law internationally
While the new Data Protection Act in Switzerland does not provide the same level of protection as the European General Data Protection Regulation (GDPR), both regulations are very similar. Except for companies that exclusively serve the Swiss domestic market, we can say that Swiss companies serving international markets should, in most cases, already be compliant with the nFADP (new Federal Act on Data Protection). This new act can be seen as an alignment with the European regulation, which has been a game changer in the world of data protection since its implementation in 2018. It was designed to give European citizens greater control over their personal data and to bring uniformity to data protection laws across the EU.
One of the advantages of the GDPR for companies is that it has created a level playing field for all businesses operating within the EU. Companies now have clear guidelines on how they should handle personal data, and the regulations ensure that everyone is playing by the same rules. This has helped to create trust and confidence in the digital economy and has improved the confidence of consumers in the companies that handle their data.
Another advantage of the GDPR is that it has forced companies to take data protection seriously. Many companies were previously neglecting their data protection responsibilities, but the reinforced control and reputational damage risks have pushed them to make changes to their policies and practices. This has resulted in improved data protection for individuals and has helped to create a culture of data privacy across Europe.
At a global level, the GDPR is unique in its scope and ambition. It is regarded as one of the most comprehensive data protection laws in the world, and its principles are being adopted by countries outside of Europe. For example, California passed the California Consumer Privacy Act, and other countries have since followed similar models as well.
The GDPR has also paved the way for greater international cooperation on data protection issues. The regulation includes provisions for data protection authorities to work together across borders, which has helped to ensure that companies are held accountable for their actions regardless of where they are based.
Overall, the GDPR has been a positive development for data protection, both for individuals and for businesses. It has created an environment where data protection is taken seriously, and has helped to improve international cooperation on data protection issues.
In conclusion, the new Federal Act on Data Protection (nFADP) is an important legislative change that brings Switzerland’s data protection laws in line with the digital privacy challenges of our time. Its implementation follows the application of GDPR at a European level as a necessity to level with this standard. The nFADP presents a significant challenge to Swiss companies, particularly those that process large amounts of personal data. However, by taking proactive steps to comply with the nFADP, companies can protect themselves from fines and reputational damage, build trust with customers, and differentiate themselves from competitors.
If you need assistance with implementing or assessing your current data privacy practices, feel free to reach out to our specialists.