Guide to Switzerland’s New Federal Act on Data Protection (nFADP)

In this guide:

  1. Core tenets of Switzerland’s nFADP
  2. Guide your organization to compliance
  3. Why Privacy Bee is the key

Core tenets of Switzerland’s New Federal Act on Data Protection (nFADP)

The Swiss government revised its Federal Act on Data Protection (FADP) to bring the law up to date and align it with the European Union (EU) General Data Protection Regulation (GDPR); the revised act, commonly called the nFADP, has been in force since 1 September 2023. Because the GDPR is widely regarded as the reference standard for data privacy laws, the nFADP is the legislation that brings people in Switzerland comparable modern protections: enhanced data subject rights, increased accountability for companies and more. Switzerland is not an EU member state, so the GDPR does not apply there directly, and the revision was also needed to keep the EU’s recognition of Switzerland as a country with an adequate level of data protection.

Like many data privacy laws, the nFADP has an extraterritorial scope. It applies to processing that has an effect in Switzerland, even if the processing is initiated abroad, so a company outside Switzerland that processes the personal data of people in Switzerland is covered regardless of where it is located.

At its core, the nFADP builds upon the Swiss provisions already included in the FADP with some notable improvements:

  • Stricter consent requirements: Where consent is relied on, the nFADP requires that it be given voluntarily and for a specific purpose, and that it be explicit for sensitive personal data and for high-risk profiling. This parallels the GDPR’s criteria and raises the bar for how clearly consent must be obtained and recorded.
  • Additional transparency requirements: The nFADP emphasizes transparency in the processing of data. Companies must inform data subjects when they collect personal data, stating at least who the controller is, the purpose of the processing, the recipients or categories of recipients, and, for transfers abroad, the destination country. This includes disclosing any involvement of third parties.
  • Greater accountability and governance: The nFADP requires businesses to demonstrate their commitment to data protection principles. It introduces data protection impact assessments (DPIAs) for processing likely to pose a high risk, a register of processing activities, and a duty to notify the Federal Data Protection and Information Commissioner (FDPIC) of data security breaches that are likely to result in a high risk to data subjects, with notification of the affected individuals where that is necessary for their protection.
  • Expanded data subject rights: The nFADP broadens the rights of data subjects, giving individuals more control over their personal data. Individuals can find out whether their data is being processed, request access to it and to information about how it is processed, and, in the appropriate circumstances, demand that their data be corrected or deleted. The nFADP also adds a right to data portability, allowing a person to obtain the data they have provided in a common electronic format.

Recognizing these significant changes and new requirements for businesses is critical, as noncompliance can lead to significant penalties. For the individual Swiss resident, the most important aspect of these provisions is the expansion of your rights as a data subject. The rights must be respected, and businesses must have the proper processes in place to support your requests to exercise these rights.

Overall, the general principles match that of the original FADP with tweaks to match GDPR. These principles of the nFADP include:

  1. Lawfulness: Establishes the legal basis for processing personal data, ensuring that data processing activities adhere to legal requirements.
  2. Purpose limitation: Stipulates that personal data must be collected for specific, explicit, and legitimate purposes, preventing unauthorized or unrelated processing.
  3. Data minimization: Emphasizes the importance of processing only the minimum amount of personal data necessary for the intended purpose.
  4. Accuracy: Requires data controllers to maintain accurate and up-to-date personal data, preventing the dissemination of incorrect information.
  5. Storage limitation: Sets limits on the retention of personal data, ensuring that data is not stored longer than necessary for the specified purpose.
  6. Integrity and confidentiality: Imposes the obligation to implement appropriate security measures to protect the integrity and confidentiality of personal data.

The impact of data protection laws, including the nFADP, on individuals is significant. Such laws aim to enhance privacy rights, providing individuals with greater control over their personal data. This includes increased transparency about data processing activities, the right to access and correct personal information, and measures to ensure the security of data. The legislation also gives individuals the right to be informed about how their data is being used and shared, and to object to certain types of processing. As the legislation is updated, individuals in Switzerland can expect the nFADP to continue prioritizing their privacy rights and to address new challenges in the digital landscape.

Guide your organization to compliance

Switzerland’s nFADP impacts businesses by establishing comprehensive regulations to govern the processing of personal data. The nFADP aims to strike a balance between protecting individuals’ privacy rights and facilitating legitimate data processing activities by businesses. In doing so, it creates numerous obligations on companies to ensure compliance.

Any business operating in Switzerland or selling to Swiss residents needs to implement the following best practices:

  • Data inventory and mapping: Start by cataloging the flow of personal data within your organization. Identify the data collection points, storage locations, processing methods, and individuals with access. Comprehensive documentation will create an overview of data processing activities, aiding in the detection of potential vulnerabilities.
  • Review and update privacy policies: Companies are mandated to share precise, transparent, and easily accessible information about their data processing activities. Consequently, a clear and comprehensible privacy policy is imperative. Evaluate existing privacy policies to align with the transparency requisites of the nFADP. Ensure accessibility and clarity, elaborating on the purposes of data processing and sharing practices.
  • Robust consent management practices: Swiss data protection law emphasizes transparency and fairness in handling user privacy. Unlike the GDPR, the nFADP does not require a legal basis such as consent for every processing operation by a private company; consent is needed where the processing would otherwise infringe the data subject’s personality rights, and it must then be voluntary and informed, and explicit for sensitive personal data and high-risk profiling. Implement unambiguous and easily accessible consent forms that list every purpose of data collection and use, make withdrawal of consent as straightforward as giving it, and keep an up-to-date record of what each person consented to and when.
  • Strengthen data protection measures: The nFADP mandates the implementation of suitable technical and organizational measures for data protection and confidentiality. Examples include encryption, access controls, and secure data transfer methods. Regularly reassess and update these measures to counter ever-evolving threats.
  • Prepare for data breaches: A prompt and efficient response plan for data breaches can prevent a minor incident from escalating into a severe crisis. A data security breach that is likely to result in a high risk to the personality or fundamental rights of data subjects must be reported to the Federal Data Protection and Information Commissioner (FDPIC) as soon as possible, and the affected individuals must be informed where that is necessary for their protection or where the FDPIC requests it. It is therefore important to have a defined protocol for detecting, assessing, reporting, and investigating breaches. This involves deciding quickly whether the high-risk threshold is met, notifying the FDPIC and affected individuals when it is, assessing the breach’s impact, and initiating preventive measures.
  • Employee training: Invest in data protection training for your employees, even though no specific article mandates it. Implicitly necessary for compliance with accountability and transparency principles in data processing, all staff members should be acquainted with their responsibilities under the nFADP and receive training on how to securely handle personal data.

For large organizations, or smaller companies processing a large amount of personal data, it may be worth considering the following additional best practices:

  1. Appoint a data protection advisor (DPO): Private companies are not required to appoint one, but it is good practice to designate a data protection advisor who provides guidance on data protection matters and acts as the point of contact for data subjects and Swiss authorities. If the advisor operates independently, has no conflicting tasks, has the requisite expertise, and has their contact details published, a company may consult the advisor instead of the FDPIC when a DPIA shows that a planned processing would still pose a high risk.
  2. Establish privacy by design and default: The nFADP introduces the principles of “Privacy by Design” (Datenschutz durch Technik) and “Privacy by Default” (Datenschutz durch datenschutzfreundliche Voreinstellungen). Privacy by design requires authorities and companies to build data protection into processing from the planning stage, for example by anonymizing or deleting data wherever the purpose allows it. Privacy by default requires that default settings limit processing to the minimum personal data needed for the intended purpose, unless the data subject chooses otherwise. The objective is to protect users of online services by limiting processing to essential data until the user grants further authorization.
  3. Conduct regular audits: Even though this is not explicitly stated in the nFADP, conducting routine audits is crucial for aligning with the principles of accountability and the risk-based approach to data protection.

Penalties under the nFADP are aimed at the responsible individuals rather than the company: a natural person can be fined up to CHF 250,000 for intentionally violating duties such as the duty to inform data subjects, the duty to provide access, the duties of care on transfers abroad and on engaging processors, or for disregarding an order of the FDPIC. Only wilful conduct is punishable; negligence is not, so robust documentation and reasonable data protection practices are the best evidence that a shortcoming was not deliberate. Where identifying the responsible person within a company would require disproportionate investigative effort and the fine at stake does not exceed CHF 50,000, the company itself can be fined instead.

Businesses operating in Switzerland need to stay informed about any updates or amendments to the FADP to ensure ongoing compliance with data protection laws. It is recommended that businesses consult legal experts for specific advice tailored to their operations and the most current legal requirements.

Why Privacy Bee is the key

Protecting personal data while providing the required information about data usage to all users is imperative for businesses engaged in online service delivery today. New regulations are sprouting up around the world, requiring more stringent opt-in and opt-out policies and granting consumers more rights. Consumers now have the ability to review and remove their personal data, increasing the accountability of every organization processing personally identifiable information (PII).

Despite the creation of additional regulations in more countries every year, the responsibility still falls primarily on the individual to oversee, assess, update and delete (via a data subject access request, or DSAR) their personal data wherever it may be collected and dispersed across the internet. This task becomes a massive undertaking when working to cover an entire organization, rendering it practically impossible for a single person or small team to manage without outside professional help. Yet the identification and subsequent elimination of this data play a pivotal role in deterring cybercriminals from launching dangerous social engineering attacks against an organization.

This is where Privacy Bee emerges as the optimal solution, simplifying the time-consuming process of monitoring and eradicating employee personal data for business leaders. It’s especially effective for executives who are highly visible to the general public. Using sophisticated automation processes backed by a human service team, Privacy Bee substantially reduces a company’s attack surface and mitigates the looming threat of a data breach. Social engineering attacks are the fastest-growing data breach threat, no matter how mature an organization’s cybersecurity program is today. If it isn’t already covered, then threat actors still have a way to target your organization’s most sensitive information.

If you are already conducting risk assessments and vendor surveys, kudos to you! However, it is still essential to recognize that vendors are most susceptible to a breach via subpar data privacy management, which you wouldn’t want to bleed into your organization. Privacy Bee not only minimizes the proliferation of your organization’s personal data across the vast digital landscape but also extends its protective umbrella to vendors, helping you ensure third-party partners do not serve as the weak link in your security defenses.

But what is there to gain from compromised data?

In the ever-expanding, billion-dollar surveillance industry, Data Brokers and People Search Sites have assumed pivotal roles, reaping record-breaking profits by trading and transferring your organization’s information with obscure and uncontrollable entities. These entities then either publish this information or compile it to sell on again, and suddenly your personal data can be found with a quick Google search. The consequences of private data exposure are far-reaching and pose significant threats if the information can be quickly obtained by malicious cybercriminals. If it is as simple as a quick search to find your or your coworkers’ information, then threat actors can launch cyberattacks at scale by targeting the most vulnerable team members with emotionally engaging messaging that turns even the most highly trained professionals into victims. The only way to prevent this is by stopping the data flow at the source, because the consequences are simply too costly to risk.

A solitary data breach leads to massive productivity losses for all affected, expensive remediation efforts, and recurring breach incidents. This isn’t new, and is a predicament that plagues the vast majority of businesses following an initial breach. Industry estimates state as many as 83% of organizations who experienced a data breach go on to experience multiple. That is staggering, and is exactly what Privacy Bee is fighting back against. The first data breach sets off a chain reaction that inflicts short-term damage on your bottom line while eroding brand value and customer trust over time. Furthermore, there are ripple effects to consider, such as heightened employee turnover due to poaching.

Privacy Bee combats external threat actors lurking beyond your organization’s perimeters. By meticulously pinpointing every nook and cranny of the internet where sensitive data resides and swiftly purging it, Privacy Bee closes the data security gap. The service even encompasses dark web monitoring and provides timely data breach notifications if another company falls victim to an exploitation incident and potentially exposes your information in the process.

Our unwavering commitment is deeply rooted in the belief that privacy is an inalienable human right that transcends political discourse and negotiations. This is why Privacy Bee vigilantly monitors user data for security vulnerabilities while holding the surveillance industry accountable. We compel Data Brokers, People Search Sites, and more than 150,000 additional websites to expunge your stored data and opt out of further data collection to protect you, your family, and your entire organization.

Privacy Bee protection covers a wide range of potential threats, including:

  • Data breaches
  • Social engineering attacks
  • Doxxing
  • Identity theft
  • Spam emails
  • Telemarketing calls
  • Cyberstalking
  • Swatting
  • Blackmail

Privacy Bee is a powerful tool for business leaders who want to protect their employee and customer data. In today’s world, where privacy is more important and harder to come by than ever, you need a trusted partner fighting to preserve your personal and organizational integrity.
