Many key points in the revised FADP are inspired by the GDPR. The following changes with respect to the former FADP are worth mentioning.
Sensitive personal data
The list of sensitive personal data (data that requires special protection) has been expanded. It now also includes data on ethnicity, genetic data and biometric data that identifies a natural person.
The FADP includes a legal definition of profiling that is identical to that of the GDPR, but it also introduces “high-risk profiling”, a special category of profiling subject to tighter restrictions.
Privacy by design and privacy by default
The principles of “privacy by design” and “privacy by default”, which can be found in the GDPR, have been introduced in the FADP.
Data protection officer
Data controllers may, but are not obliged to, appoint an independent data protection officer as a point of contact for data subjects and for the authorities responsible for data protection in Switzerland. The tasks of the data protection officer consist of educating and advising the data controller on data protection issues and assisting it in complying with data protection legislation.
Records of processing activities
Like the GDPR, the FADP requires keeping a record of processing activities. This obligation applies to both data controllers and data processors. However, legal entities that have fewer than 250 employees and whose data processing poses a negligible risk of harm to the personality of the data subjects are exempt from this requirement. Processing records that companies have already established under the GDPR should also comply with the requirements under the FADP.
Working with processors
Controllers must enter into a processing agreement with processors. The FADP imposes fewer requirements on these agreements than the GDPR does, but failure to enter into a processing agreement may result in criminal sanctions.
Cross-border disclosure of personal data
Like the GDPR, the FADP restricts transfers abroad to countries without adequate protection. Transfers are permitted based on safeguards, which include the standard contractual clauses, provided the exporter and the importer agree on an addendum to account for specifics under Swiss law. Again, in line with the GDPR, the exporter must carry out a transfer impact assessment before commencing a transfer to a recipient in an unsafe country.
Obligation to provide information
The information obligations are substantially expanded in the FADP. Among other things, the controller must inform the data subjects of its identity and contact details, the purpose of the processing, and the recipients or categories of recipients of the data. In addition, the controller must inform the data subjects of the state or international body to which personal data is disclosed and, if applicable, of the guarantees relied on or the exception applied. However, the FADP does not provide an exhaustive list of the information to be provided and, depending on the circumstances, additional information may be required. Failure to provide the required information may result in criminal sanctions.
Automated individual decision-making
Controllers have an obligation to provide information in relation to decisions based solely on automated data processing that have legal consequences for data subjects or otherwise significantly affect them. In addition, data subjects have a right to voice their views and to request that a natural person review the respective decision.
Data protection impact assessment
Data controllers must carry out a data protection impact assessment if the data processing is likely to lead to a high risk for data subjects.
Notification obligation of data security breaches
The controller must notify the FDPIC of any data security breach that is likely to result in a high risk for the data subjects. The notification must be made as soon as possible, but there is no fixed time limit. The threshold for the notification obligation is higher than under the GDPR. In addition, where necessary for the protection of the data subjects or upon instruction by the FDPIC, the controller must inform the data subjects of the breach.
More data subject rights
Individuals have new and more extensive rights under the revised FADP. For example, data subjects have the right to access their data, but there is no exhaustive list of the information that is to be provided; depending on the circumstances, data subjects may have far-reaching rights to request information about the processing of their data. In addition, data subjects have rights relating to automated individual decision-making, and the right to have their data provided to them or to another controller in a common, machine-readable format.