SUMMARY OF THE PRINCIPLES AND OBLIGATIONS OF THE nPDA

DFS AVOCATS can help you with any legal issues related to adapting your website to the requirements of the nFADP.

 

DFS AVOCATS is pleased to inform you that we work closely with the digital marketing company LES DIGIVORES in Geneva, which can help you with any technical questions related to adapting your website to the requirements of the nFADP.

CHANGES FOR BUSINESSES AND CITIZENS

 

Switzerland is adopting new legislation to better protect its citizens’ data. The country’s businesses must comply with it from 1 September 2023. What are the main differences between the old and new Data Protection Acts? What are the new rights and obligations of data subjects and data controllers? Here is an overview of the key changes.

 

  1. PROTECTION OF INDIVIDUALS' PERSONAL DATA

 

The nFADP applies only to the data of natural persons, and no longer to that of legal entities. This means that companies no longer benefit from the protection of their data, unless it is linked to an identifiable natural person. For example, the name of a limited company is not personal data, but that of a sole trader is.

 

  2. DEFINITION OF SENSITIVE DATA

 

The nFADP extends the definition of sensitive data, which now includes genetic and biometric data. This data is subject to stricter requirements in terms of consent, transparency and security. For example, the use of facial recognition or fingerprints to identify an individual requires explicit and prior consent.

 

  3. THE PRINCIPLES OF PRIVACY BY DESIGN AND PRIVACY BY DEFAULT

 

The nFADP introduces the principles of Privacy by Design and Privacy by Default. The former implies that products or services that collect personal data must be designed from the outset to respect users’ privacy. The latter ensures that the level of data protection is as high as possible by default, without user intervention. For example, applications or websites must minimise data collection and limit its use to the stated purposes.

 

  4. THE RIGHT TO INFORMATION AND ACCESS

 

The nFADP strengthens the right to information and access of those affected by the processing of their data. They have the right to know who is processing their data, for what purpose, on what legal basis, for how long and with whom it is shared. They also have the right to obtain a copy of their data or to request its rectification or erasure. Data controllers must respond to requests within 30 days.

 

  5. THE RIGHT TO PORTABILITY AND OPPOSITION

 

The nFADP creates two new rights for data subjects: the right to portability and the right to object. The first allows individuals to receive their data in a structured, commonly used and machine-readable format, or to transmit it to another data controller. The second allows individuals to object to the processing of their data on legitimate grounds or where it is based on consent or the public interest.

 

  6. REGISTER OF PROCESSING ACTIVITIES

 

The nFADP requires data controllers to keep a register of the processing activities they carry out. This register must contain the following information: the name and contact details of the controller, the purposes of the processing, the categories of data and persons concerned, the recipients of the data, transfers to third countries, security measures and retention periods.

 

  7. NOTIFICATION OF DATA BREACHES

 

The nFADP requires data controllers to notify the Federal Data Protection and Information Commissioner (FDPIC) of any data breach that is likely to result in a high risk to the rights and freedoms of data subjects. They must also inform data subjects if the breach presents a high risk to them. Notification must take place as soon as possible, and no later than 72 hours after becoming aware of the breach.

 

  8. SANCTIONS IN THE EVENT OF NON-COMPLIANCE

 

The nFADP provides for criminal penalties in the event of non-compliance with legal obligations. Violations may be punishable by a fine of up to 250,000 Swiss francs. For example, failure to inform data subjects about the processing of their data, failure to respond to their requests for access or rectification, or failure to notify a data breach may be punishable.

 

Sources:

  • New Data Protection Act (nDPA)
  • Federal Data Protection and Information Commissioner (FDPIC)

 

(admin.ch)