Switzerland (nFADP) | Data Protection Act

Switzerland is implementing new legislation to better protect its citizens’ data. The purpose of nFADP law is to protect the personality and fundamental rights of natural persons about whom personal data is processed. Implementation through the Data Protection Ordinance is on September 1, 2023, and Swiss companies will have to comply with this legislation from September 1, 2023.

This progressive step aligns with the evolving landscape of the Switzerland privacy law, emphasizing a heightened commitment to safeguarding individuals’ data privacy.

The new Federal Act on Data Protection (nFADP) improves the processing of personal data and grants new rights to Swiss citizens. This important legislative change is accompanied by a few new obligations for businesses and a strengthening of existing requirements.

Private and public-sector data controllers must perform a data protection impact assessment (DPIA) if data processing is likely to pose a high risk to the personality or fundamental rights of data subjects (Art. 22 nFADP).

Under the Switzerland Data Protection Law, private companies may appoint a Data Protection Advisor (DPA), who doesn’t necessarily need to be an employee and whose main role is to provide independent advice on data protection, help create rules and regulations, and deliver training. After a data protection impact assessment, companies may solely rely on the DPA’s advice without needing to consult the FDPIC further.

1. Private controllers domiciled or domiciled abroad designate a representation in Switzerland if they process personal data of persons in Switzerland and the data processing meets the following requirements:
   • The processing is related to the offer of goods and services or the observation of the behavior of persons in Switzerland.
   • It is an extensive edit.
   • It is a regular process.
   • The processing entails a high risk for the personality of the people concerned.
2. The representation serves as a point of contact for the persons concerned and the FDPIC.
3. The Controller shall publish the name and address of the representative.

1. Any person may request information from the controller as to whether personal data relating to him or her is being processed.
2. The data subject shall receive the information necessary to enable him or her to assert his or her rights under The Switzerland Federal Act and to ensure transparent data processing.
3. Personal data relating to health may be disclosed to the data subject with his or her consent by a health professional designated by him.
4. If the controller has personal data processed by a processor, he remains obliged to provide information.
5. No one can waive the right to information in advance.

Violation of obligations to provide information, disclosure & cooperation:

1. There is a fine of up to CHF 250,000 for private individuals who intentionally provide false or incomplete information in violation of Articles 19, 21 and 25-27, and intentionally failing to inform or provide the data subject with the information listed in Article 19(1) and 21(1).
2. A fine of up to CHF 250,000 is imposed on private individuals who, in breach of Article 49 (3), intentionally provide false information to the FDPIC during an investigation or intentionally refuse to cooperate.