dataprotection.ch

Introduction

The revised FADP was adopted by the Swiss parliament on 25 September 2020 and will enter into force on 1 September 2023. The revision of the FADP largely follows the GDPR’s approach. However, the FADP is less formalistic and has less specific regulatory content. There are only a few points where the new FADP will be stricter than the GDPR. Examples are the material scope of application (Article 2, FADP), the obligation to provide information (Article 19, FADP), the right of access (Article 25, FADP), and the existence of criminal sanctions for individuals (Article 60 ff, FADP). The definition of personal data requiring special protection also goes further than under the GDPR. The FADP will be accompanied by a revised Ordinance to the FADP, but so far only a preliminary draft has been produced, and it faced harsh – and justified – criticism.

Although the revised FADP applies primarily to the territory of Switzerland, it has an extraterritorial scope of application. In particular, it can extend to processing that occurs abroad but has an effect in Switzerland. Consequently, if personal data is processed outside of Switzerland but affects natural persons in Switzerland, the data handler abroad must comply with the revised Swiss law. In addition, private controllers with their domicile or residence abroad must designate a representative in Switzerland if they process personal data of persons in Switzerland and the data processing meets all of the following requirements (Article 14, revised FADP):

  • the data processing is connected to offering goods or services in Switzerland, or to monitoring the behaviour of these persons;
  • the processing is extensive;
  • the processing is regular; and
  • the processing involves a high risk for the personality of the data subjects.