
The new Swiss Federal Act on Data Protection (revFADP): The key points at a glance

This is how the legal updates in Swiss data protection affect companies and their whistleblowing process.

by Sascha Meier

    Due to rapid technological developments in recent years, the current Data Protection Act is no longer up to date. On September 25, 2020, the revised Swiss Federal Act on Data Protection (revFADP) was therefore passed by the parliament and is expected to come into force on September 1, 2023.


    Revision of the Data Protection Act in Switzerland (revFADP)

    The requirements of the EU GDPR (EU General Data Protection Regulation) form the basis for the revision of the Swiss Data Protection Act. However, the Swiss law is not a 1:1 implementation of the GDPR; it mostly implements the data protection rules in a less formalistic and less specific manner. Another difference is that the revision provides in part for much stricter sanctions, as well as extended information obligations and the requirement to create a directory of processing activities.

    The new Swiss data protection law is intended to guarantee the protection of the personality and fundamental rights of natural persons in Switzerland, as well as to protect their data when it is processed by private individuals or the state. Data of legal entities, on the other hand, is no longer protected by the new rules. The amendment is intended to ensure greater transparency and strengthen the right of self-determination over personal data. In addition, data processors should be made aware of risks in a preventive manner and thus be able to act more responsibly.

    For companies, the revision means new obligations, especially with regard to the collection, loss or misuse of personal data.

    The FADP revisions at a glance

    Area of application: impact principle, representation and no data of legal persons

    In the FADP, the geographical scope is now explicitly determined according to the so-called impact principle. This means that the law will also apply to companies based abroad if they process personal data and this data processing has an impact in Switzerland. However, the previous principles will remain in place for civil and criminal enforcement.

    In addition, companies without a registered office in Switzerland may now be required to designate a representative in Switzerland if they process the personal data of individuals in Switzerland. This obligation is triggered if the data processing is related to the offering of goods or services (so-called targeting) or the behavioral monitoring of these persons. In addition, the processing must be extensive and regular and involve a high risk to the personality of the persons concerned.

    In the future, the revFADP will no longer apply to data of legal entities. Fortunately, this Swiss peculiarity has thus been abolished. However, the effects in practice should not be overestimated, since B2B transactions, for example, also regularly involve the processing of data from natural persons (e.g. contact persons).

    New personal data requiring special protection

    The definition of personal data requiring special protection has been expanded compared to the current FADP and will in future also include data on ethnicity, genetic data and biometric data that uniquely identifies a natural person. Furthermore, the category of “personality profiles”, for which the same strict requirements apply as for particularly sensitive personal data, will not be included in the revFADP (but see the regulation on profiling below).

    Regulation of profiling

    The revised Data Protection Act now contains a legal definition of profiling that corresponds to the EU GDPR and was not included in the previous FADP. According to this definition, profiling is “any form of automated processing of personal data which consists of using such data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects relating to that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or change of location”.

    In the preliminary draft, the Federal Council had originally proposed that profiling should in future always be permitted only with a justification, such as the consent of the data subjects. Certain statements in Parliament implied a similar understanding, although this Federal Council proposal did not find its way into the law. Profiling will therefore continue to be permissible without consent in the future. This also applies to so-called “high-risk profiling”, even though the debates in Parliament have led to some uncertainty and the issue is still likely to lead to discussions in the literature and case law. In our assessment, however, it can be assumed that Parliament did not want to deviate from the established basic concept of Swiss data protection law with regard to profiling (with high risk) either.

    For private controllers, consent or other justification for profiling (with high risk) will thus only be required in the case of data processing that violates personal privacy. However, depending on the type and scope of profiling, this may be the case relatively quickly and thus consent or another justification ground may be required. Since there is often great uncertainty with regard to the justification of the overriding interest, it will not be uncommon to recommend obtaining consent in the future. If “high-risk profiling” must be assumed, then only explicit consent will suffice as a (possibly required) justification.

    High-risk profiling was one of the main points of contention that almost caused the FADP revision to fail. The existence of high-risk profiling, in addition to the express nature of consent, is also relevant for the justification ground of creditworthiness checks (see below). The revised FADP defines high-risk profiling as follows:

    “Profiling that entails a high risk to the personality or fundamental rights of the data subject by leading to a combination of data that allows an assessment of essential aspects of the personality of a natural person”.

    Extended obligation to provide information

    The obligation to provide information is greatly expanded compared to the previous law. Regrettably, however, the revFADP does not contain an exhaustive list of all mandatory information that must be provided to the data subject when the data is obtained. It must therefore be examined on a case-by-case basis which information is required, whereby an orientation towards the catalog of the EU GDPR could be considered.

    In any case, the following mandatory information must be provided as a minimum:

    • The identity and contact details of the person responsible
    • The purposes of the processing
    • In the case of disclosure of data, the recipients or categories of recipients
    • In the event of data being disclosed abroad, additionally the state or international body and, if applicable, the guarantee of appropriate data protection or the exception if no such guarantees exist
    • In the case of indirect data collection (i.e., data not collected from the data subject themselves), additionally the categories of personal data processed
    • The execution of automated individual decisions, i.e., a decision that is based exclusively on automated processing and that involves a legal consequence for the affected person or significantly affects the person

    Expansion of data subject rights

    In addition to the obligation to provide information, the rights of data subjects are also further expanded in the revFADP. Similar to the GDPR, the data subject will now have a right to data disclosure and data transfer. Data subjects will be able to demand that the data they disclose be issued in a common electronic format or transferred to other providers. However, this right does not apply unconditionally. In particular, due to the legal requirements of the “common electronic format” and “proportionality,” it will have to be seen how often this right can actually be invoked by data subjects in the event of a dispute.

    In addition, the data subject has a right of objection in the case of automated individual decisions (see obligation to provide information, above), according to which he or she may state his or her position on this and demand that the automated individual decision be reviewed by a natural person.

    Rules for intra-group transfer of personal data – group privilege?

    The future regulation of the transfer of personal data within a group of companies and thus the question of whether a so-called group privilege should be introduced was also the subject of discussion. Ultimately, however, such a group privilege only found its way into the new law in a very limited form. Although exceptions to the duty to inform and the right to information apply to the exchange of data within the group under the revFADP, an internal group transfer may still violate personal rights in the future and in this case may only be permissible if there is a justification. In this context, the special justification reason for intra-group processing only applies if the data in question and the way in which it is processed are relevant and necessary “for economic competition”. Intra-group processing must therefore always be carefully examined on a case-by-case basis to determine whether it is lawful.

    Justification reason of the credit check

    For the performance of a credit check, Art. 30 para. 2 lit. c revFADP sets out special, stricter conditions for the assumption of an overriding interest. Accordingly, a credit check is justified if:

    • No particularly sensitive personal data is processed and no high-risk profiling is involved
    • The data is only disclosed to third parties if they require it for the conclusion or performance of a contract with the data subject
    • The data is not older than ten years
    • The data subject is of legal age

    Directory of all data processing

    In the future – as under the GDPR – a directory of all data processing activities will also have to be kept under Swiss law (“directory of processing activities”). For most companies, keeping a data processing directory will presumably lead to the greatest effort during implementation, if appropriate measures for GDPR compliance have not already been taken. The great effort results from the fact that all data processing activities of the entire company must be recorded and precise details must be provided and continuously updated. The minimum content of this processing directory is prescribed by law for both the controller and the order processor.

    The processing directory of the data controller must contain the following minimum information:

    • The identity of the person responsible
    • The purpose of the processing
    • A description of the categories of data subjects and the categories of personal data processed
    • The categories of recipients
    • “If possible” the retention period of the personal data or the criteria for determining this period
    • “If possible” a general description of the measures taken to ensure data security (appropriate technical and organizational measures to prevent breaches of data security)
    • If the data is disclosed abroad, the indication of the state as well as the guarantees by which appropriate data protection is ensured

    Other new obligations of the responsible person

    Various other obligations associated with the processing of personal data have also been newly included:

    • Data Breach Notification: Data breaches (e.g., data loss) that are likely to result in a high risk to the personality or fundamental rights of the data subject must be reported immediately to the FDPIC (Federal Data Protection and Information Commissioner) and, if applicable, to the data subject.
    • Data protection impact analysis: If an intended data processing entails a high risk of violation of the personality or fundamental rights of a data subject, the controller is obliged to analyze the risks of such processing in a data protection impact assessment. The revFADP assumes that a high risk must be considered in particular when new technologies are used and extensive processing of personal data requiring special protection is carried out, or when extensive public areas are systematically monitored.
    • Privacy-by-design and privacy-by-default: As in the GDPR, the principles of “data protection by design” and “data protection by default settings” are also explicitly enshrined in the revFADP. When processing personal data, appropriate technical and organizational measures must be taken “from the planning stage” that ensure the implementation of data protection principles (e.g., data minimization) in these systems (privacy-by-design). The default settings, for example for apps or websites, must also be designed in such a way “that the processing of personal data is limited to the minimum necessary for the intended purpose” (privacy-by-default).

    Tightening of sanctions and expansion of the powers of the FDPIC

    The revFADP provides for criminal sanctions in the form of a fine of up to CHF 250’000. In addition, the FDPIC can open an administrative investigation procedure and issue orders. Even though the FDPIC itself cannot impose sanctions, failure to comply with an order of the FDPIC (e.g., the further processing of data despite a prohibition) is also subject to criminal sanctions of the same amount. The cantonal prosecution authorities will be responsible for enforcing the criminal sanctions. Finally, civil law actions for removal, injunction or damages are still possible.

    In the legislative process, it was expressed that the criminal sanctions are mainly aimed at management persons and not at the executing employees. At the same time, however, it was not entirely ruled out that there may also be cases in which the sanction could be imposed on employees without a management function. Finally, in cases of infringements where a fine of CHF 50’000 is the maximum that can be imposed and the effort to identify the offending person within the business operations would be disproportionate, the company may be ordered to pay the fine instead of the natural person.


    A detailed overview of the innovations compared to the EU GDPR can be found in this article by PwC Switzerland.

    Key points for the obligation to provide information

    According to Article 19 (“Obligation to provide information when obtaining personal data”), the responsible person is obliged to provide data subjects with adequate information about the obtaining of personal data. In addition, the data subject must be provided with all relevant information so that he or she can assert his or her rights under this Act and transparent data processing is ensured.

    If the data is not procured from the data subject, the responsible person must inform the data subject of the categories of personal data processed by the time of disclosure or no later than one month after receipt of the data.

    If the personal data is disclosed abroad, the responsible person must also inform the data subject of the state or international body.

    The duty to inform may have implications for the whistleblowing process.

    Which adjustments are necessary for your whistleblowing process to be revFADP- and GDPR-compliant?

    Create transparency and trust among your employees through clear communication about the processing of whistleblower and accused data. This will ensure that you continue to receive valuable information. Moreover, it is necessary to establish a fast and effective process flow for reporting data breaches. A digital whistleblower system enables the process flow for reports such as data breaches to be anonymous and protects the data of whistleblowers in the best possible way.

    We recommend implementing the following measures:

    • Implement a digital whistleblower system: This is the only way to guarantee 100% anonymity of a whistleblower and still have the possibility of a continued anonymous dialog (two-way communication)
    • If you have already implemented a digital whistleblowing system: Add a disclaimer to the reporting process. This must clearly draw attention to the obligation to disclose the identity of the whistleblower to the accused if the whistleblower decides to make a non-anonymous report. In this case, consent to the processing of personal data must be explicitly obtained. In addition, the whistleblower should be informed that this consent can be effectively revoked within 30 days. In order not to miss the 30-day deadline for informing the accused, it is also advisable to set up automatic reminders for the processing persons.

    Other To Do’s for Swiss companies

    Every company should prepare for the new law by gathering an overview of how personal data is processed and by conducting a risk assessment within the company. Swiss companies that process large volumes of personal data or data requiring special protection must organize their internal processes in such a way that it is clear who has access to which data, and limit this access to the extent necessary. Existing data protection declarations and existing contracts with order processors should also be reviewed and adapted, and a directory of processing activities drawn up.

    Sascha Meier

    Director Sales Corporate Compliance – EQS Group | Sascha Meier is responsible for sales of the product segment Corporate Compliance at the Swiss office of the technology provider EQS Group. He has many years of experience in the digitalization of compliance processes and in his function supports organizations daily in the introduction and optimization of compliance management systems. In his previous positions he worked for EQS Group in Munich and Dubai.
