14.12.2023 / David Vasella
This note sets out the key provisions of the revised Swiss Data Protection Act, which entered into force on 1 September 2023, along with the revised Data Protection Ordinance. The note does not include a comparison with the former version of the Act and does not address specific use cases. It includes references to the GDPR to provide context on Swiss law requirements.
As with most countries, Switzerland regulates the processing of personal data by general legislation and provides for stricter or different rules in sector-specific regulation. Data processing is governed primarily by
Switzerland has gone through a lengthy process of revising the FDPA, and the revised FDPA, together with the revised FDPO, entered into force on 1 September 2023. The key objective was aligning Swiss law with the revised Council of Europe Convention 108 and with the GDPR, also in view of the pending adequacy finding mentioned above.
Key points of the revised FDPA can be summarized as follows:
With respect to the territorial application of the FDPA (cf. article 3), slightly different criteria apply depending on the nature of the provision in question:
Different from the GDPR, there is no accountability principle under the FDPA. A controller or processor that fails to keep records of their processing activities, relevant events and compliance measures may be unable to demonstrate compliance in case of a complaint or an investigation but is not per se in breach of the FDPA.
However, there are some obligations of accountability, for example the obligation to keep records of data protection impact assessments for two years from closure of the project, or to keep logs and maintain processing regulations in certain high-risk scenarios.
The FDPA has no concept of a DPO as defined in the GDPR, but controllers may opt to appoint a “Data Protection Advisor” (“Datenschutzberater”) under article 10 FDPA. Appointing a Data Protection Advisor is optional, including for controllers whose core processing activities consist of high-risk processing (but it is mandatory for organizations acting as federal bodies, including private entities that perform public tasks). Where a Data Protection Advisor is appointed, they should be independent and have the resources required to actively monitor compliance within the organization (article 23 FDPO).
Appointing a Data Protection Advisor has only one direct effect under the FDPA: The obligation to consult with the Swiss data protection authority (the Federal Data Protection and Information Commissioner, FDPIC) if a data protection impact assessment confirms high residual risk no longer applies. In practice, however, this is of limited value, considering that most impact assessments will confirm lower-than-high risk.
The FDPA does not require Data Protection Advisors to be individuals or based in Switzerland. DPOs appointed under the GDPR may act as Data Protection Advisors as well, provided they meet the requirements.
As with article 27 GDPR, controllers located abroad may be under an obligation to appoint a “representative” under article 14 FDPA (CH Representative) and to publish its name and address.
Controllers must appoint a CH Representative where all of the following conditions are met for their processing:
Under article 15 FDPA, the CH Representative must
Controllers and processors are required to collect and maintain records of processing activities (article 12(1) FDPA). The information required to be included in these records is the same as under article 30(1) and (2) GDPR, except that no information is required about the CH Representative or a Data Protection Advisor (if appointed).
An exception from the obligation to maintain records of processing activities applies to companies with fewer than 250 members of staff (on a headcount, not an FTE, basis), provided there is no large-scale processing of sensitive data and no high-risk profiling (article 24 FDPO).
Like article 35 GDPR, article 22(1) FDPA requires controllers to carry out a data protection impact assessment (DPIA) where processing “may” lead to a high risk. The factors to be considered when assessing potential high risk are the same as under the GDPR.
Like the GDPR, the FDPA sets out particular types of processing that typically – though not invariably – require a DPIA (article 22(2) FDPA):
Type of processing | GDPR | FDPA
systematic and extensive evaluation of personal aspects, based on automated processing, on which decisions are based that produce legal effects or have a similar, significant effect | Yes | Yes, in case of high-risk profiling, even if no decisions are based on that profiling
large-scale processing of special categories of data | Yes | Yes
systematic monitoring of a publicly accessible area on a large scale | Yes | Yes
The DPIA must include, as a minimum, a description of the processing, an evaluation of the risks and the intended mitigating measures (article 22(3) FDPA). Different from the GDPR, however, there is no obligation to seek the views of data subjects on the intended processing (cf. article 35(9) GDPR). Because the requirements for DPIAs under the FDPA as to form and content are less strict than under the GDPR, no additional DPIA is required under the FDPA where the processing at stake has been assessed in a DPIA under the GDPR.
Where a DPIA confirms that the processing assessed carries high risk that the controller is unable or not willing to mitigate further, which is rare in practice, the FDPIC must be notified of the result at any time prior to the processing, except where the controller has appointed a Data Protection Advisor and/or the DPIA has been carried out voluntarily, i.e., without obligation (article 23 FDPA).
The FDPIC has up to three months to notify the controller of any objections against the processing as planned by the controller, and may open an investigation during or after this time (article 23 FDPA). The controller is not bound to wait for confirmation by the FDPIC or expiry of the deadline but should assess the risk that the FDPIC may open an investigation.
DPIAs must be kept on record for at least two years from the date when the processing activity has ended (article 14 FDPO).
Similar to the GDPR, a “data security breach” means a security breach – i.e., a breach of confidentiality, integrity or availability – that leads to an unintentional or unlawful loss, deletion, destruction or modification of personal data or to personal data being disclosed or made accessible to unauthorized persons.
Processors must notify the controller “as soon as possible” of data breaches (article 24(3) FDPA). While this obligation is not a mandatory part of processing agreements, it is usually stated in such agreements, frequently specifying minimum notification content and timing requirements.
The controller must notify the FDPIC where a data breach “is likely to result in a high risk” for the data subject (article 24(1) FDPA). The FDPA provides no definition of high risk, but again assuming that “high risk” is a consistent notion throughout the FDPA, the severity of the risk depends on the nature, scope, circumstances and purpose of the processing (article 22(2) FDPA). However, so far there is no guidance on the interpretation of high risk in the context of data breaches. It is likely that practice will refer to the EDPB’s guidelines on data breach notifications or to the ENISA recommendations.
The notification to the FDPIC must be made as soon as reasonably possible on becoming aware of the breach, though the time allowed before the notification depends on the severity of the risk. It must include, as a minimum, the following information (article 24(2) FDPA):
Information | GDPR | FDPA
Nature of the breach | Yes, including where possible, the categories and approximate number of subjects concerned and categories and approximate number of personal data records concerned | Yes, without the additional information
The name and contact details of the DPO or other contact point | Yes | No
Likely consequences of the breach | Yes | Yes
Measures taken or intended to mitigate the breach | Yes | Yes
The notification can be submitted through the official online form, but there is no obligation – notification can also be done by e‑mail. Controllers making a notification should be aware that the FDPIC is subject to the Freedom of Information Act and may be required to release breach notifications to media outlets or other third parties.
On receipt of notification, the FDPIC may open an investigation. However, the information provided to the FDPIC under article 24 FDPA may not be used in criminal proceedings against the controller without the controller’s consent (article 24(6) FDPA).
Independently of a notification to the FDPIC, the controller must communicate the breach to the data subjects individually, without undue delay, if this is “necessary for the protection of the data subjects”, in particular where subjects should take mitigating measures (for example change login credentials) or on order by the FDPIC (article 24(4) FDPA). The controller must provide the information that is required for the subjects to understand the breach and its likely effects for them and to take appropriate measures.
The controller may restrict, postpone, or waive the communication to the subjects (article 24(5) FDPA):
As noted above, controllers and processors must take appropriate security measures in relation to personal data (article 8 FDPA). On this basis, article 4 FDPO requires controllers as well as processors to keep logs where they engage in large-scale processing of sensitive personal data or high-risk profiling. Stricter obligations apply to federal authorities.
Where the obligation applies, the controller or processor must keep logs, at a minimum, of the storage, modification, reading, disclosure, deletion, and destruction of data. These logs must include information about the identity of the person who carried out the processing; the type of processing; date and time of the processing; and, if data is disclosed, the identity of the data recipients. Logs must be kept for one year.
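As an added illustration (example code written for this note, not part of the original text or of any official guidance), the following Python module shows what an audit log that captures the minimum fields listed above might look like in practice: each entry records the acting person, the type of processing, a timezone-aware timestamp and, for disclosures, the recipient; entries that lack a required field are rejected, and entries older than the retention period are purged. The in-memory store, the event names, the 365-day reading of “one year”, the sample events and the `record_ref` field are all assumptions made for the example.

```python
"""Minimal audit log for processing events under article 4 FDPO.

Added example, not part of the original note. Assumptions: an in-memory
store, a simplified event model, and "one year" read as 365 days.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# The minimum processing types the note lists for article 4 FDPO logging.
EVENT_TYPES = {"store", "modify", "read", "disclose", "delete", "destroy"}

# Retention period stated in the note (one year); 365 days is an assumption.
RETENTION = timedelta(days=365)


@dataclass(frozen=True)
class LogEntry:
    actor: str                       # identity of the person who carried out the processing
    event: str                       # type of processing, one of EVENT_TYPES
    timestamp: datetime              # date and time, must be timezone-aware
    record_ref: str                  # hypothetical identifier of the affected data record
    recipient: Optional[str] = None  # required when event == "disclose"

    def validate(self) -> None:
        """Reject entries that would not satisfy the minimum content."""
        if self.event not in EVENT_TYPES:
            raise ValueError(f"unknown event type: {self.event}")
        if not self.actor:
            raise ValueError("actor identity is required")
        if self.timestamp.tzinfo is None:
            raise ValueError("timestamp must be timezone-aware")
        if self.event == "disclose" and not self.recipient:
            raise ValueError("disclosure entries must name the recipient")


class AuditLog:
    """Append-only list of validated entries with one-year retention."""

    def __init__(self) -> None:
        self._entries: List[LogEntry] = []

    def append(self, entry: LogEntry) -> None:
        entry.validate()
        self._entries.append(entry)

    def purge_expired(self, now: datetime) -> int:
        """Drop entries older than RETENTION; return the number removed."""
        cutoff = now - RETENTION
        before = len(self._entries)
        self._entries = [e for e in self._entries if e.timestamp >= cutoff]
        return before - len(self._entries)

    def entries(self) -> List[LogEntry]:
        return list(self._entries)

    def to_jsonl(self) -> str:
        """One JSON object per line, e.g. for shipping to a SIEM."""
        lines = []
        for e in self._entries:
            d = asdict(e)
            d["timestamp"] = e.timestamp.isoformat()
            lines.append(json.dumps(d, sort_keys=True))
        return "\n".join(lines)


def demo() -> dict:
    """Run the log over constructed sample events; return summary figures."""
    now = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    log = AuditLog()
    # Constructed sample events (not real data).
    log.append(LogEntry("alice@example.test", "read", now - timedelta(days=400), "rec-1"))
    log.append(LogEntry("bob@example.test", "modify", now - timedelta(days=10), "rec-1"))
    log.append(LogEntry("bob@example.test", "disclose", now - timedelta(days=1), "rec-2",
                        recipient="insurer@example.test"))
    rejected = 0
    try:
        # Missing recipient on a disclosure: must be rejected.
        log.append(LogEntry("carol@example.test", "disclose", now, "rec-3"))
    except ValueError:
        rejected += 1
    purged = log.purge_expired(now)
    return {"kept": len(log.entries()), "purged": purged, "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the store would be append-only and tamper-evident (for example a write-once log sink) and the purge would run on a schedule; the point of the example is which fields have to be present for each event and that the retention boundary is enforced, not the storage backend.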
In some cases, controllers are required to keep “processing regulations”. As with the log-keeping obligation, this obligation applies only where the controller or processor engages in large-scale processing of sensitive personal data or high-risk profiling.
Processing regulations are separate from the records of processing activities – they are similar to a manual that sets out the internal organization; the data processing procedures for storing, correcting, disclosing, retaining, archiving, pseudonymizing, anonymizing, deleting or destroying personal data, including how data minimization is ensured; the procedure for ensuring the access and data portability rights; and the technical and organizational security measures, including information about the configuration of IT resources.
Processing principles
As mentioned above, controllers and – for most principles – also processors must comply with the processing principles. Failure to comply means that the processing infringes on the personality rights of the data subjects and is unlawful unless it is justified by consent and/or a prevailing interest.
The FDPA sets out the following processing principles (articles 6 to 8 FDPA):
Lawfulness: Personal data must be processed lawfully, which does not mean that all processing must be based on legal grounds, but that processing must not be inconsistent with any other laws (i.e., other than the FDPA) that protect the data subjects’ personality rights;
good faith: processing must be carried out in good faith (fairness). The fairness principle is somewhat vague but may be used as a generic justification whenever a court or authority feels that a particular type of processing is unacceptable;
transparency: the key parameters of the processing, including the processing purpose(s), must be transparent (i.e., either obvious in the circumstances or stated expressly);
purpose limitation: data may only be collected for a specific purpose and may only be processed in a way that is compatible with that purpose;
proportionality: processing must be proportionate to the purpose (data minimization), and data must be “destroyed or anonymized” as soon as it is no longer needed with regard to the purpose of the processing;
correctness: controllers and processors must take reasonable measures to ensure that the data is accurate and, where it is not, corrected or “deleted or destroyed”;
privacy by design and security: controllers must set up technical and organizational measures in order to meet the data protection requirements (privacy by design) and, in particular, to ensure a level of data security appropriate to the risks (data security);
privacy by default: controllers must set pre-defined settings such that the processing is limited to the required minimum (privacy by default);
right to object: data must not be processed against the express wishes of the data subjects (which is the Swiss variant of the data subjects’ right to object to processing);
disclosure restrictions: sensitive data must not be disclosed to third parties (i.e., other controllers).
A breach of the processing principles is unlawful unless justified but is generally not subject to a fine.
As an exception, a breach of minimum security requirements may be liable to a fine. The FDPA contains no such minimum requirements, but the FDPO includes provisions that may be considered to be minimum requirements, such as keeping logs for high-risk processing (articles 1 et seq.).
Justification
As mentioned above, processing in breach of one or several processing principles is unlawful only to the extent it is not justified. The following grounds may justify such processing (article 31(1) FDPA):
(a) Consent (articles 31(1) and 6(6) and (7) FDPA): Consent is regulated less strictly than under the GDPR. The key requirements for consent are the following:
“Informed consent”: the subject must be informed of the key elements of the processing;
“freely given consent”: consent is invalid if it is not freely given. According to case law, consent may be invalid if the controller makes it a condition to access goods or services arbitrarily, without objective reasons;
“Explicit” consent: Consent must be explicit for the processing of sensitive personal data and for high-risk profiling, provided these processing operations require consent;
capacity for judgement: consent is invalid if given by anyone without capacity of judgment. There is no minimum age for children, and the required age depends on the risks and complexity of the processing at stake.
Because the FDPA has no accountability principle, it is not a breach if consent is not documented, but the controller has an obvious interest in keeping traceable records of consent.
Where consent is invalid or withdrawn, the controller may continue to rely on prevailing interest to justify the processing (though an express withdrawal of consent may be construed as an objection, which tends to raise the bar for prevailing interest).
(b) Prevailing interest (article 31(1) FDPA):
Consent is not necessary where processing in breach of a principle is required to safeguard prevailing interests. Potentially prevailing interests include any interest that is not against the law, including public interest and purely commercial interests of private actors. These interests must prevail over the contrary interest of the data subject. The FDPA does not require a formal “legitimate interest assessment” (“LIA”), but the controller should document the balance of interest in all but obvious cases.
Examples of potentially prevailing interest include:
Anonymization of personal data for statistical uses;
data retention beyond the period required for the processing purposes because data is kept in a backup;
keeping personal data despite an objection for documentation or evidentiary purposes.
“Profiling”
The FDPA regulates both profiling and individual decision-making. With regard to profiling, the applicable provisions are different and in parts slightly stricter than the GDPR.
“Profiling” means any automated processing with the purpose of analysing or predicting personal aspects or the behaviour of a subject (article 5(f) FDPA). It remains to be seen if profiling requires full automation or includes profiling with some, but not decisive human interaction. In any event however, profiling does not require the raw data used for the profiling operation to be collected or otherwise processed automatically as long as the profiling operation itself is automated. Examples of profiling include automated evaluation of buying habits in order to determine premiums and incentives, calculating an activity index based on step count data from an app, the analysis of website or app behaviour in order to present targeted online advertising, or automatically selecting news based on user location.
Profiling as such triggers no express obligations for controllers (unless they act as a federal body). However, there may be an obligation under the transparency principle to inform the data subjects about profiling, and controllers frequently choose to include a reference to profiling in their privacy notices.
“High-risk profiling” has been introduced in the FDPA as a political compromise. It is any form of profiling that, based on a combination of data, leads to an “assessment of essential aspects of the personality” of an individual (article 5(h) FDPA). This definition is based on the concept of “personality profiles” in the former FDPA. Examples of “personality profiles” include end customer profiles based on buying habits, a comprehensive CV, results of a personality test or KYC data. Whenever profiling leads to such a profile, it is likely considered to be “high risk”. It is open, however, whether only profiling that outputs such a personality profile is high-risk, or also profiling where the input (source) data amounts to a personality profile.
Where a controller engages in high-risk profiling,
Automated individual decision-making means decisions that:
General comments
In addition to the general transparency principle, and similar to articles 13 and 14 GDPR, the FDPA sets out a general obligation to provide certain information to the data subjects (article 19 FDPA). This obligation applies to all categories of data, subject to exceptions, not only to the collection of sensitive data.
For controllers established outside of Switzerland, the obligation to inform applies where the collection of data has sufficient ties to Switzerland, for example where the collection is related to an offer to individuals in Switzerland or is carried out using a server in Switzerland.
A breach of the obligation to inform may be liable to a fine.
Controllers must provide the following information as a minimum:
The information obligation is triggered by the “collection” (“Beschaffung”) of data. “Collection” requires a premeditated action aimed at obtaining data. Where personal data is obtained unintentionally, it is not collected. However, using existing data – “collected” or not – for a new purpose will always be considered to constitute collection, and will trigger an obligation to inform.
The minimum information must be provided to the data subjects:
There is no obligation to inform in the following scenarios (article 20 FDPA):
Controller/processor relationships
Where a controller intends to use a processor, the FDPA requires both parties to enter into a data processing agreement (article 9(1) FDPA). The data processing agreement (DPA) may be entered into in any form, including orally, but should be concluded in text form. The minimum content is lighter than under the GDPR. DPAs must require the processor, as a minimum, to
As mentioned above, joint controllers have no express obligation to enter into a joint controller arrangement or to inform the subjects about the allocation of responsibility between them. However, an obligation to agree on the allocation of responsibilities may, depending on the circumstances, be derived from the privacy by design and data security principles. Joint controller arrangements in accordance with the GDPR will satisfy this requirement.
All joint controllers must likely be indicated in privacy notices, and in the response to subject access requests.
In the event of a controller-to-controller transfer, the disclosing controller must comply with the processing principles and with cross-border transfer restrictions. Outside these requirements, there are no minimum requirements for controller-to-controller arrangements, but parties will often enter into a controller-to-controller agreement.
It should be noted, however, that under article 62 FDPA, disclosing secret personal data of which knowledge has been gained while exercising a profession that requires such knowledge (or acting on behalf of a person bound by a confidentiality obligation) is liable to a fine of up to CHF 250,000. There is a discussion in Switzerland if any disclosure that is not necessary for a contract with the data subject may be in breach of this provision, or only disclosures in breach of the FDPA.
The FDPA regulates data transfers abroad (including disclosure by giving access) in articles 16 et seq. Transfers abroad are permitted as follows:
General comments
Under the FDPA, by and large subjects have the same rights as under the GDPR, but the modalities for using these rights and the controller’s obligations to comply with these rights differ to an extent. The differences can be summarized as follows:
Similar to the GDPR, data subjects have the right to access their data. Subject access requests (SARs) may be made in writing or in any other form, unless the FDPO imposes formal requirements, and must generally include proof of identity. The current, accepted practice is to require a copy of an ID document as proof, and we expect this practice will continue under the FDPA.
On request, controllers must provide the following to subjects making a SAR:
Under article 28 FDPA, data subjects may request a copy of personal data in a standard electronic format (for example an Excel file) or may have data transferred to another controller.
The portability right applies only to data (article 20 FDPO) that:
A breach of the FDPA may lead to civil claims against the controller and/or the processor in breach, including cease and desist claims and claims for compensation of monetary damages. However, it would be on the claimant to establish and quantify the economic loss suffered as a result of the breach, which is usually a challenge in practice. Data subjects can also enforce their rights of information, correction and opt-out and may request that a court decision be published.
Under the FDPA, the FDPIC may initiate (ex officio or upon notification by a subject or other party) an investigation against controllers and processors if there are sufficient indications that processing could violate the FDPA (article 49(1) FDPA). Controllers and processors must provide the FDPIC with all information and make available all documents that are necessary for the investigation (articles 49(3) and 50(1) FDPA).
If the FDPIC concludes that the FDPA is violated, the FDPIC may order that the processing is fully or partially adjusted, suspended or terminated and that the personal data is fully or partially deleted or destroyed (article 51(1) FDPA). The FDPIC may also defer or prohibit disclosure abroad and may order that the controller and/or processor, as applicable,
Different from the GDPR, the FDPA generally does not provide for fines on legal entities (but see below). However, certain breaches may lead to fines of up to CHF 250,000 being imposed on the individuals responsible for a breach, including, if applicable, on directors and officers and employees with independent decision-making power (article 29 of the Criminal Code), provided these breaches have been committed wilfully (cf. article 12 Criminal Code) and on condition that a subject makes a complaint. These breaches include (articles FDPA):
General principles
Under article 328b of the Swiss Code of Obligations (CO), employee data must not be processed unless processing is objectively related to job applications or the employment relationship. This restricts not only the categories of data that an employer may process lawfully, such as when assessing potential candidates and throughout the employment relationship, but also the scope and purposes of its processing.
Article 328b CO mostly takes up the general principle of purpose limitation and data minimization. As such, it does not impose requirements that would not follow from the FDPA. However, courts would likely apply slightly stricter criteria when assessing the lawfulness of data processing within the employment relationship.
Where an employer intends to use personal data in a manner that is not required for the employment relationship, for example using employee photos on a website, the employer will usually rely on consent. Employee consent remains a valid basis, provided that it is given freely, and the information given to the employee is sufficient.
In a typical group scenario, employee data will be shared with other entities through an HR information management system (“HRIS”), through shared employee lists and for reporting purposes. Group companies engaging in these processing purposes will frequently act as joint controllers, though this requires a case-by-case analysis. In addition, one or several entities will act as group-internal service providers (e.g., to provide shared reports, or operate an HRIS). This will require one or several data processing agreements, in addition to any joint controller arrangements or controller-to-controller agreements.
However, where the purpose of such shared processing is not beyond what employees would reasonably expect and is properly explained in an employee privacy notice, it is usually considered to be consistent with the processing principles as well as with article 328b CO. Employee consent is therefore usually not a requirement in these scenarios.