The revised Swiss Federal Act on Data Protection comes into force 1 Sept. Unsurprisingly, perhaps, this upgrade to the 1992 version brings Switzerland’s data protection regime into greater alignment with the provisions of the EU General Data Protection Regulation. This includes the introduction of new, more stringent obligations on non-Swiss companies doing business in Switzerland, such as the requirement to appoint a Swiss representative. There is also an increased emphasis on the commitment to data subject rights, as well as new requirements around data breach reporting. Organizations will need to be prepared.

Expanded territorial scope

The revFADP significantly broadens the territorial scope of application of the Swiss data protection regime, taking inspiration from the GDPR, to ensure companies worldwide remain accountable for the protection of Swiss individuals’ personal information. The extraterritorial scope of the revFADP is, however, wider than that of its European muse. The new Swiss law applies to circumstances that have an effect in Switzerland even if such activities are initiated from abroad. This means the Swiss supervisory authority, the Federal Data Protection and Information Commissioner, is competent to enforce the revFADP regarding any activity with an impact in Switzerland, even if such effect is caused outside of Swiss borders. In practice, as under the GDPR, organizations targeting goods or services to Swiss individuals or monitoring their behavior will now have to comply with revFADP requirements. In addition, organizations storing personal data on servers located in Switzerland will be caught by the new Swiss data protection legislation.

New obligation: Appointing a representative in Switzerland

An important change to note for organizations caught by the extraterritorial scope of the revFADP is the new requirement to appoint a representative in Switzerland. The requirement is triggered if an organization without a corporate seat in Switzerland is processing personal data of individuals in Switzerland and such processing activities are:

  • Connected to offering goods and/or services to those individuals (targeting criterion) or monitoring the behaviors of those individuals (monitoring criterion).
  • On a large scale, carried out regularly and pose a high risk to the data subject.

While the requirement to appoint a Swiss representative is no doubt inspired by the GDPR, there are, again, some noteworthy differences, primarily:

  • The kind of organizational structure required to be considered as a local controller — namely the difference between the corporate seat under the revFADP and the establishment under the GDPR.
  • The qualification of the data processing as being on a large scale, carried out regularly and posing a high risk are application criteria under the revFADP. In the GDPR these criteria are turned around and formulated as exemptions.

An establishment under the GDPR is any kind of stable arrangement — for example, a branch or office — but the incorporation of an entity is not necessarily required. In contrast, the wording of the revFADP requires a corporate seat, unofficially translated in English to a “registered office.”

So far there is no literature to provide clarity about what kind of structure is required in Switzerland to not fall under the requirement to appoint a representative. The wording itself suggests there needs to be at least some kind of registration, either as a separate entity or as a registered office, which is why in this aspect the requirement to appoint a representative under the revFADP is wider than under the GDPR. Companies with an entity in Switzerland can also appoint their subsidiary as representative, but should consider the subsidiary’s ability to deal with data protection matters in Switzerland before doing so.

On the other hand, the additional qualifications of the data processing narrow the scope because they target data-intensive and risky business models. In contrast, under the GDPR the same criteria, stipulated as exemptions, are very rarely triggered.

Role of the representative

The role of the Swiss representative has plainly evolved from the GDPR. The representative exists to act as a local, accessible point of contact for Swiss data subjects and for the FDPIC. The representative is designed to be a public appointment, and the revFADP requires controllers to publish the name and address of their designee to ensure data subjects can easily exercise their rights via the representative.

There is no express requirement under the revFADP to include this information in the controller’s privacy notice, as there is under the GDPR. Nevertheless, this remains an obvious place to include such information.

The inclusion of the requirement to appoint a representative reflects the broader data subject rights set out under the revFADP, compared to the 1992 Swiss law, and highlights the focus on empowering individuals to remain in control of their personal information. The representative must be on hand to provide data subjects with information on how to exercise their rights and enable the communication of such requests to controllers outside of Switzerland to preserve such rights for Swiss individuals.

For this reason, the representative needs to be a company established in Switzerland or an individual living there. Post-box solutions would not be able to fill the role of a representative and are, therefore, not suitable to comply with the requirement.

In addition to ensuring the facilitation of communication between non-Swiss organizations and the FDPIC, the representative will also be responsible for maintaining the controller’s record of processing activities and will be required to provide these to the supervisory authority upon request.

New data breach notification provisions

New data breach notification requirements mean controllers are obliged to inform the FDPIC of a breach as soon as possible when it is likely to result in a high risk to the data subject’s personality or fundamental rights. In the absence of any guidance from the FDPIC, it is so far unclear whether there will be any time limit for notification, in the same way the GDPR stipulates data breach notifications must be made within 72 hours.

Controllers are also required to inform data subjects affected by a breach if it is necessary for their protection, for example where the notification enables data subjects to take measures to limit the impact of a breach.

Non-Swiss organizations can look to their Swiss representative for support in the notification of data breaches where required.

Fines for noncompliance

In contrast to the GDPR, the revFADP does not create civil penalties for noncompliant organizations. Instead, intentional violations of the revised Swiss law by individuals acting for private controllers may result in criminal sanctions in the form of fines up to CHF250,000. Such fines will most likely be levied against C-level executives and those responsible for an organization’s data protection program, i.e., data protection officers, and include fines for:

  • Willfully providing false or incomplete information at the point personal data is collected (Article 19), in respect of automated decision making (Article 21) and in breach of privacy notice obligations (Articles 25-27). See Article 60 (1, 2).
  • Willfully providing false information and failing to cooperate with an FDPIC investigation, including failing to provide the FDPIC with the requisite information (Article 49(3)-Article 60(3)).
  • Willfully disclosing personal data outside of Swiss borders in violation of the provisions on cross-border transfers (Articles 16, 17) and willfully failing to satisfy the requirements of Article 9 in relation to the appointment of data processors (Article 61).
  • Violating professional duty of confidentiality in respect of personal data (Article 62).
  • Willfully failing to comply with an order of the FDPIC (Article 63).

If the individuals responsible for such failings or intentional breaches of the revFADP cannot be reasonably determined, then the organization itself may be fined. However, fines of this nature for private controllers will not exceed CHF50,000.

revFADP, GDPR Comparison

A table gives an overview of the differences between the GDPR and the Swiss revFADP regarding the topics mentioned in this article.

Conclusion

Switzerland is surrounded by the EU, so it is no wonder the Swiss revFADP takes its inspiration from the GDPR. It also makes perfect sense for a greater level of harmonization between the EU and Swiss data protection regimes to make compliance easier. However, there are some significant differences companies should note. Non-Swiss organizations need to consider the appointment of a representative in preparation for 1 Sept.

Source: iapp