dataprotection.ch

Introduction

The revised FADP was adopted by the Swiss parliament on 25 September 2020 and its entry into force will occur on 1 September 2023. The revision of the FADP largely follows the GDPR’s approach. However, the FADP is less formalistic and has less specific regulatory content. There are only a few points where the new FADP will be stricter than the GDPR. Examples are the material scope of application (Article 2, FADP), the obligation to provide information (Article 19, FADP), the right of access (Article 25, FADP), and the existence of criminal sanctions for individuals (Article 60 ff, FADP). The definition of personal data requiring special protection also goes further than under the GDPR. The revised FADP will be accompanied by the revised Data Protection Ordinance (DPO), and the revised Ordinance on Data Protection Certifications (DPCO).

Although the revised FADP applies primarily to the territory of Switzerland, it has an extraterritorial scope of application. In particular, it can extend to processing that occurs abroad but has an effect in Switzerland. Consequently, if personal data is processed outside of Switzerland but affects natural persons in Switzerland, the data handler abroad must comply with the revised Swiss law. In addition, private controllers with their domicile or residence abroad must designate a representative in Switzerland if they process personal data of persons in Switzerland and the data processing meets all of the following requirements (Article 14, revised FADP):

  • the data processing is connected to offering goods or services in Switzerland, or to monitoring the behaviour of these persons;
  • the processing is extensive;
  • the processing is regular; and
  • the processing involves a high risk for the personality of the data subjects.

The representative serves as a point of contact for data subjects and the Federal Data Protection and Information Commissioner (FDPIC). The controller must publish the name and address of the representation.

Adopted legislation (entry into force as of 1 September 2023):

  • revDPA (DE/FR/IT)
  • Unofficial English translation of the revDPA (to be used for information purposes only) can be found here.
  • revDPO (DE/FR/IT)
  • revDPCO (DE/FR/IT)

Further materials (drafts, explanatory reports):

Please find below the relevant official documentation published by the Federal Department of Justice and Police, in particular:

  • Explanatory report on the revised DPO (available in German and French) and on the DPCO (available in German, French and Italian)
  • FAQ on data protection law by the Federal Office of Justice (available in German, French and Italian)
  • Draft DPA (DE/FR/IT)
  • Explanatory report to draft DPA (DE/FR/IT)
  • Preliminary draft DPO (DE/FR/IT)
  • Explanatory notes regarding the preliminary draft’s amendments (DE/FR/IT)
  • Preliminary draft amendments of the further legislation (DE/FR/IT)
  • Modernised Convention 108 (FR/EN)
  • Concordance table (DE/FR/IT)
  • Directive 2016/680 (EN/DE/FR/IT)
  • Exchange of notes regarding the adaption of Directive 2016/680 (DE/FR/IT)

For convenience and future reference, please find below the following additional documents prepared by Walder Wyss:

  • Unofficial English translation of the preliminary draft DPA. Can be found here.
  • Unofficial English translation of the preliminary draft DPO. Can be found here.
  • Commented chart comparing the provisions of the draft DPA to those of the current DPA and those of the preliminary draft. The chart can be found here (in German).

Our translations are unofficial and are to be used for information purposes only.