The new Swiss Federal Act on Data Protection (FADP) enters into force on September 1, 2023 and substantially revises the Swiss data protection law of 1992. The changes you have to be aware of as a tech company depend on whether you are already compliant with the GDPR (the EU General Data Protection Regulation) or with the current FADP, or whether you are just starting your data protection journey. This blog post sets out the practical steps you need to take to comply with the new act.
Steps for already GDPR-compliant companies
If your company is already GDPR-compliant, the good news is that you will only need to consider minor changes. You should focus in particular on these two points of the new FADP:
- Make sure your privacy policies and data processing agreements name the countries to which your company transfers personal data. Whereas the GDPR only requires companies to inform data subjects that data is transferred to third countries and, if so, which safeguards apply, the FADP is more specific on this point and requires a concrete list of the third countries (or international bodies) to which personal data is transferred.
- Check whether you need a Swiss representative. Companies without an establishment in Switzerland must appoint a representative in Switzerland if (1) they process personal data of persons in Switzerland in connection with offering goods or services in Switzerland or monitoring the behaviour of persons in Switzerland, (2) the processing is extensive and regular, and (3) it entails a high risk for the persons concerned. These criteria leave some room for interpretation, but if you process sensitive data such as health or genetic data, you should definitely check whether you need a Swiss representative. Once appointed, the representative should be named in the relevant documentation, such as data processing agreements and privacy policies.
Steps for companies compliant with the current Swiss Data Protection Law
Tech companies that are compliant with the current FADP will need to take a closer look at a larger number of steps in order to comply with the upcoming legal changes. These are the main areas where your company may need to update its current policies:
- The definition and regulation of profiling has changed. Profiling now means any form of automated processing of personal data used to evaluate personal aspects of a natural person, for example to analyse or predict their behaviour. Profiling as such does not impose further obligations on private companies. However, if the profiling links data in a way that allows an assessment of essential aspects of a person's personality and therefore entails a high risk for that person, it qualifies as "high-risk profiling". This triggers further steps: where you rely on consent, the consent must be explicit, and the data subjects have expanded rights. Separately, if the processing leads to a decision based solely on automated processing that has legal effects on or significantly affects the data subject (an automated individual decision), you must inform the data subject of this.
- Review your privacy policies to ensure they provide sufficient information about the controller of the data, the purpose of the processing, the third-party recipients of the personal data, and any transfers to third countries.
- In the context of data subject rights, the updated law introduces the right to data portability. You must implement technical measures that allow data subjects to receive their personal data in a commonly used electronic format where the data is processed automatically and on the basis of consent or in direct connection with a contract.
- If your company has 250 or more employees, it must maintain a record of processing activities. This involves documenting all data processing activities, including, for example, the purpose of the processing, the categories of personal data, the data subjects concerned and the respective retention periods. Smaller companies are exempt only if their processing presents a low risk; if they process sensitive data on a large scale or carry out high-risk profiling, they must keep the record as well.
- The new FADP also mandates a data breach notification process. Establish a procedure to detect, report and manage data breaches promptly, and train staff on how to respond to them effectively. If a breach is likely to result in a high risk for the data subjects concerned, you must notify the Federal Data Protection and Information Commissioner (FDPIC) as soon as possible, and you must also inform the affected persons where this is necessary for their protection or where the FDPIC requests it.
- Companies should also ascertain whether they need to conduct data protection impact assessments (DPIAs). A DPIA is required whenever the planned processing may entail a high risk to the personality or fundamental rights of the data subjects. This is the case in particular when new technologies are used, especially when sensitive data is processed on a large scale or when public areas are systematically and extensively monitored. If the assessment shows that a high risk remains despite the planned measures, the FDPIC (or your data protection advisor, if you have appointed one) must be consulted before processing starts.
- Lastly, review and update your contracts with data processors. Ensure, for example, that these agreements explicitly guarantee the security of the personal data processed, define how data breaches are handled and reported to you, and require your prior approval before the processor engages sub-processors.
Starting from scratch – What to do if data protection is new territory for you
If you are just starting your business journey and privacy regulations are completely new to you, we advise you to start by determining the following points:
- The first step is to find out which law applies to your company (in most cases the new Swiss FADP, the EU GDPR or both) and to identify the main data protection risks of your business idea. Consider factors such as your place of establishment, the types of data collected, the purpose of the processing, any cross-border data transfers, and whether you process any form of sensitive data such as health data.
- Next, obtain an overview of the data processing activities within your company, including sales, marketing, HR and IT. Check the service providers with whom your company shares or stores data, such as cloud services and external software companies. Assess their compliance with data protection requirements and ensure adequate agreements are in place.
- We also encourage you to focus first on public-facing areas such as your website and privacy policies. Review and adjust these areas first to ensure they meet the new FADP requirements.
- Lastly, if your company lacks the necessary expertise or resources, consider seeking external help from data protection consultants or legal experts to ensure full compliance with the applicable privacy laws.
The new Swiss FADP introduces changes that tech companies need to be aware of. If your company is already GDPR-compliant, only minor adjustments are needed, such as naming the countries to which you transfer data in your privacy documents and appointing a Swiss representative if required.
Companies compliant with the current FADP must review their internal processes, especially regarding profiling, the right to data portability, the possible need to maintain a record of processing activities, data breach notification, data protection impact assessments and contracts with data processors. If data protection is completely new to your company, determine the applicable laws, assess your data processing activities with a risk-based approach suited to your business idea, prioritise public-facing areas, and seek external help with compliance if needed.