New Swiss Data Protection Act: Differences to GDPR
Almost six years after the project was launched and some two years after the introduction of the EU General Data Protection Regulation (GDPR), Swiss Parliament finally passed the revised Federal Data Protection Act (FDPA). The new FDPA is expected to come into force in 2022.
With the revision of the FDPA, Switzerland intends to continue to be recognized as a third country with an equivalent level of data protection in order to minimize data protection-related problems for Swiss companies in cross-border traffic.
This factsheet compares the provisions of the new FDPA with those of the GDPR and presents, on the one hand, the conceptual differences and, on the other hand, the stricter or more lenient deviations as well as the commonalities of the regulations.
General remarks on the new FDPA
The FDPA regulates data protection for both government and private data controllers. Although it was inspired by the GDPR and replicates its essential provisions, the FDPA is significantly less detailed than the GDPR. As Swiss companies operating across borders were already confronted with implementing the GDPR two years ago, the new FDPA will only require a review of existing internal data protection concepts combined with a few adjustments.
The provisions of the FDPA in detail
Below, we summarize the differences and similarities between the FDPA and the GDPR with regard to individual regulatory areas of data protection law:
Scope of application
While the old FDPA also applied to legal entities, the scope of application of the new FDPA is the same as that of the GDPR; processing activities are, however, covered more generally. The extraterritorial scope of application was also replicated in analogy to the GDPR, in the sense that the FDPA declares itself applicable to all processing activities that have an impact on the territory of Switzerland. This means that data controllers abroad are also required to take the provisions of the FDPA into account if their activities (also) have an impact on Switzerland.
Permissible processing and consent
Under the FDPA, the same principles for data processing and for validly obtaining consent from data subjects apply in principle as under the GDPR (transparency, purpose limitation, fairness, data minimization, data security, privacy by design, automated case-by-case decisions, profiling, etc.). To the extent that the FDPA deviates from the GDPR at all, the FDPA is less stringent, which is why a GDPR-compliant processor does not need to adjust anything in its existing data protection setup in this regard.
Rights of the data subjects
The rights of data subjects vis-à-vis the data controller basically correspond to those under the GDPR. Deviations exist, for example, in a shorter list of additional information to which the data subject has a right of access under the FDPA, while at the same time other information must be disclosed which the GDPR does not provide for (e.g., the list of export countries including the legal basis for the data transfer, as well as the right of access to "useful" information). It may therefore make sense for the controller to include these deviations in an "Annex regarding Switzerland" in its internal data protection policy.
Controllers and processors
The FDPA is in line with the GDPR with respect to the notions of controller and processor. However, compared to the GDPR, the FDPA additionally requires the naming of the data export countries in the data processing agreement. In addition, the liability of the processor is not limited by law under the FDPA (although this lack of limitation is hardly an aggravating difference compared to the GDPR in the result, as explained under "Liability/Fines" below).
Data protection officers and representatives
The obligation of the controller to appoint a local Swiss representative is in line with the corresponding principle of the GDPR. Also with respect to the appointment of a data protection officer ("data protection advisor" under the FDPA), the FDPA follows the GDPR, but does not provide for a mandatory appointment in certain cases. However, the appointment of a data protection advisor relieves the controller of some regulatory obligations, in addition to allowing the Swiss data protection advisor to independently validate data protection impact assessments (which, under the GDPR, is only possible through the competent supervisory authority).
Notification obligations in the event of breaches
Although the FDPA basically replicates the provisions of the GDPR on the definition of data breaches and processors, it does not explicitly provide for the 72-hour notification period, nor does it regulate the content of the breach notification in detail. Furthermore, under the FDPA, the supervisory authority only needs to be informed if there is a "high risk", and the data subject only if such information is necessary to protect the data subject. An internationally active controller should therefore consider supplementing its internal data protection policies with a Swiss addendum in order to benefit from the less stringent provisions of the FDPA.
Duty to provide proof and documentation
The obligation to provide proof and documentation with regard to processing activities basically corresponds to that of the GDPR, except with regard to the validation of the data protection impact assessment (FDPA: the data protection advisor of the controller; GDPR: the competent supervisory authority).
Liability/Fines
Liability and the catalog of fines under the FDPA differ significantly from the GDPR. While on the one hand the maximum fine under the FDPA is CHF 250,000, which is far below the GDPR, the FDPA understands the fine as a sanction for criminal behavior, whereas the fine catalog of the GDPR rather aims at strengthening the motivation for general regulatory compliance. This different approach means that under the FDPA not (only) the infringing company can be fined, but also the person directly committing the infringement (e.g. the employee who commits the data protection infringement).
The FDPA compensates for this strict approach of personal liability by imposing higher requirements for a fine. In general, intentional or at least conditionally intentional conduct on the part of the violator is required for punishment with a fine.
The Federal Data Protection and Information Commissioner (FDPIC) is the competent data protection supervisory authority in Switzerland. The FDPIC will be able to take the same administrative measures as the supervisory authorities under the GDPR, with the exception of issuing fines; this competence remains reserved for the cantonal law enforcement authorities.
Summary and recommendation
With the introduction of the new FDPA, data protection compliance will become both more efficient and more complex. With regard to the potential personal liability of data controllers, the new FDPA should also receive the necessary attention. Due to the close alignment of the FDPA with the GDPR, it holds pleasantly few surprises for GDPR-compliant controllers. Nevertheless, we recommend that Swiss companies and foreign data controllers entering the Swiss market carefully review their existing data protection processes and policies and update them in the few but important areas where the FDPA materially deviates from the GDPR.