In Switzerland, the Revised Federal Data Protection Act (the “Revised FDPA”), the “update” of the Swiss data protection act to align it with the General Data Protection Regulation (the “GDPR”), was approved in 2020 and will enter into force during 2022 or 2023; the exact date is not settled yet. However, it is important to note that there will be no transition period, so compliance should be addressed proactively in order to avoid sanctions.
This article will try to summarise some of the main elements of the Revised FDPA.
Disclaimer: Readers of this article should note that, at the date of publication, the laws and regulations to which this article makes reference may be subject to further amendments which will not be reflected here.
Why does Switzerland need to update its Data Protection Act?
Switzerland and the European Union (“EU”) have a strong connection where privacy and data protection are concerned: both Switzerland and the EU Member States are members of the Council of Europe and thus they are influenced by the European Convention on Human Rights and by the case law of the European Court of Human Rights, specifically art. 8 of the Convention, and by Convention 108, the first data protection convention, dating back to 1981.
Moreover, when the European Union adopted its first Data Protection Directive, in October 1995, Switzerland adopted its own data protection act, which was aligned with the EU data protection framework. Considering the good level of harmonisation, later in 2000, the European Commission granted an adequacy decision for transferring data to and from Switzerland, as the level of protection granted in Switzerland had been considered the same as that of the European Union.
After the entry into force of the GDPR in 2018, Switzerland needed to update its act in order to align with the new regulation and keep the adequacy decision. The result is the Revised FDPA.
Revised Federal Data Protection Act compliance in Switzerland
It is important to remember that Switzerland is a member neither of the EU nor of the European Economic Area (as it was rejected by a referendum in 1992). Thus, there is no obligation for Switzerland to align with the GDPR, which has European Economic Area relevance, and such alignment is purely on a voluntary basis, although it is relevant to keeping the adequacy decision.
The latter point is important because it also entails that GDPR compliance does not by itself ensure compliance with the Revised FDPA.
We can distinguish two main situations: when compliance should be adjusted and when it should be mirrored.
In the latter case, Revised FDPA compliance needs an action symmetrical to the one taken under the GDPR, but under Swiss law: for example, a company operating in both Switzerland and the EU should appoint a representative in both, one according to the GDPR and one according to the Revised FDPA. In practical terms, this means that, if the appointments are made via email, there must be two emails and two acceptances sent to the respective party (one from Switzerland to the European Union and vice versa).
The adjustments to compliance may require some amendments or none.
For example, it is known that the Revised FDPA takes the opposite approach to the GDPR: while the latter requires a legal basis for processing data, the Revised FDPA requires a justification only to interfere with the rights and freedoms of data subjects. In practical terms, this would have little relevance once the intrusion/legal basis is established: e.g. if data are processed for the performance of a contract, this would satisfy both laws.
However, there are also cases in which this would not be enough: having in place a data protection notice according to article 13 and/or 14 GDPR, as well as a record of processing activities under art. 30 GDPR, would be a useful boilerplate to develop a Swiss notice and record, but amendments must be made or different processes created. For example, the GDPR requires a data breach notification within 72 hours. The Revised FDPA does not set a specific limit. Thus, implementing the same limit would be beneficial. However, the triggering obligations are different and thus the internal policy should be amended accordingly.
Main differences between the Revised FDPA and GDPR
As stated, the Revised FDPA does not directly enforce the rules for international transfer of data, as Switzerland is by itself a destination for data. This means that Switzerland theoretically has the power to issue its own adequacy decisions; however, this is most likely to be just a moot point: when the European Court of Justice nullified the Privacy Shield for transferring personal data to the United States of America, the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) was not obliged to act accordingly; however, in order to avoid losing the EU adequacy decision, it did so.
However, this also means that Switzerland may issue its own standard contractual clauses, enter into its own agreements with other data protection authorities or approve binding corporate rules. Thus the international transfer of data is a field that should be carefully evaluated when dealing with Revised FDPA compliance.
Also, it should be noted that the maximum amount for fines is substantially different: while the GDPR may impose up to EUR 10 or 20 million or up to 2% or 4% of global annual turnover, the Revised FDPA opted for a limit of CHF 250,000.00. However, it is interesting to note that such a fine is not for the company, but for the natural person, be it the decision maker or the management.
The Revised FDPA and the GDPR overlap strongly and differ in some respects, but the degree of similarity is high.
It is important to ascertain what can be retained and what should be changed in order to comply with both laws.
In order to avoid sanctions from multiple jurisdictions, professionals should be engaged.
lecocqassociate provides a full range of financial regulatory, corporate and commercial advice in relation to the structuring and incorporation of entities.
This article is for information purposes only. It does not constitute professional advice or an opinion. Please contact us on firstname.lastname@example.org for any questions.