- 20.12.2024 -

One year under the revised Swiss Data Protection Act: Key changes and insights

1.   Introduction

The revised Swiss Data Protection Act (Federal Act on Data Protection – FADP) entered into force on 1 September 2023, together with the new Ordinance to the Federal Act on Data Protection (Data Protection Ordinance) and the new Ordinance on Data Protection Certification (Data Protection Certification Ordinance). More than a year has passed since then, and it is time to look back on this first year under the new data protection legislation, recap the most important changes and summarise the latest developments.

2.   Recap of the most significant changes

This section provides a short, non-exhaustive summary of the most significant changes for companies. For a more detailed and comprehensive list and explanation of the changes under the revised FADP, please consult the article “New Swiss Data Protection Act – The Most Important Changes For Companies” published in 2023.

  • Focus on natural persons: The revised law only protects individuals, leaving legal entities outside its scope.

  • Extraterritorial scope: The revised FADP also applies to actions initiated abroad if they have an effect in Switzerland.

  • Privacy by design and by default: Organisations must make sure that data protection is embedded into their processes and systems from the planning stage (privacy by design) and ensure by suitable default settings that the processing is limited to the minimum required, unless the data subject specifies otherwise (privacy by default).

  • Record of processing activities: Controllers and processors must keep a record of their processing activities, except for companies with fewer than 250 employees whose data processing poses a negligible risk of harm to the personality of the data subjects.

  • Cross-border data transfers: The Federal Council now bindingly determines which countries are considered to guarantee an adequate level of data protection1. Personal data transfers to countries other than those are only authorised with additional guarantees or when an exception applies.

  • Strengthened duty of information: Data subjects must in any case be informed of the collection of their personal data. The minimum information includes, among others, information on cross-border data transfers, even if to an adequate country, and automated individual decisions.

  • Data protection impact assessment (DPIA): Controllers must carry out a DPIA if processing is likely to result in a high risk to the data subject's personality or fundamental rights. If the DPIA shows that, despite the measures envisaged, the processing still leads to a high risk, the Federal Data Protection and Information Commissioner (FDPIC) must be consulted.

  • Data breach notification: Controllers must notify the FDPIC as quickly as possible of any breach of data security that is likely to lead to a high risk to the data subject's personality or fundamental rights. Data subjects must be informed if required for their protection or if the FDPIC so requests.

  • Expanded privacy rights: Data subjects newly have a right to data portability and a right to request that an automated individual decision be reviewed by a natural person.

  • Tightened criminal provisions: Individuals (i.e. natural persons, not companies) are liable to a fine of up to 250 000 Swiss francs, for example for wilful violation of the duty of information, failure to cooperate with the FDPIC, violation of the legal requirements for cross-border transfers and the engagement of processors, or failure to comply with minimum data security standards.

3.   Latest developments

3.1.   Guidance issued by the FDPIC

The FDPIC recently published a number of guides, factsheets and recommendations to help organisations fulfil the requirements under the revised law. The documents can all be found on the website of the FDPIC2 and include, among others:

  • Updated guide to technical and organisational data protection measures (TOM)
  • Technical recommendations for logging
  • Factsheet on data protection impact assessment (DPIA)
  • Templates for processing regulations
  • Factsheet on FDPIC investigations of violations of data protection regulations

3.2.   Online reporting portals

In view of the entry into force of the revised FADP, the FDPIC implemented the following online portals to ensure secure electronic reporting:

  • Data breach reporting portal3
  • Register of processing activities for federal bodies (DataReg)4
  • Contact details of data protection officers (DPO portal)5
  • Portal for reporting violations of data protection regulations6

3.3.   Recent developments

Adequacy decision for Swiss-US Data Privacy Framework

The Federal Council approved the new Swiss-US Data Privacy Framework for the secure exchange of personal data. Since 15 September 2024, personal data can thus be transferred from Switzerland to certified companies in the USA without any additional guarantees. The list of certified companies can be found on the official website of the Data Privacy Framework7.

FDPIC statement on AI-supported data processing

In view of the rapid increase in AI-supported data processing, the FDPIC published a press release stating that, regardless of the approach to future AI regulation, the FADP is directly applicable to AI-supported data processing. Manufacturers, providers and users of AI systems must in particular make the purpose, functionality and data sources of AI-based processing transparent and ensure that data subjects have the highest possible degree of digital self-determination. The full text of the press release can be found on the website of the FDPIC8.

3.4.   Recent investigations by the FDPIC

Ransomware attack on Xplain

Following a ransomware attack on the IT security service provider Xplain, a large volume of personal data from the federal administration, including sensitive personal data, stored on Xplain’s servers was published on the darknet. The FDPIC opened an investigation into the Federal Office of Police (fedpol), the Federal Office for Customs and Border Security (FOCBS) and Xplain.

In his final reports to fedpol9 and the FOCBS10, the FDPIC concluded that neither of them had a clear agreement with Xplain stating whether, and if so, on what terms personal data should be stored on Xplain's servers as part of the support services provided. Data was sent to Xplain without precise requirements for the transfer and data security being defined. The FDPIC also found that an unnecessarily large volume of personal data was transferred to Xplain.

According to the FDPIC’s final report to Xplain11, the processor failed to take appropriate data security measures and violated the principles of purpose limitation and proportionality by retaining personal data from the federal administration and not deleting it in accordance with its contractual obligations.

From the recommendations issued by the FDPIC, the following general conclusions can be drawn:

  • Data minimisation and data security are of utmost importance

  • Processing by processors must be regulated through clear contractual arrangements

  • Processors must be carefully selected, assessed and monitored for their ongoing compliance

  • Processors must meet data security, retention and deletion requirements

Investigation into Digitec Galaxus

Investigation into Digitec Galaxus

 

Following data subjects’ reports of having to accept a large range of data processing activities before they could place an order, the FDPIC opened an investigation into the processing of customer data at Digitec Galaxus, one of Switzerland’s largest online shops. The investigation concerned on the one hand Digitec Galaxus’ privacy notice and on the other hand the obligation to create a customer account to place an order with the online shop.

In his final report12, the FDPIC concluded, among other things, that Digitec Galaxus violated the principles of transparency and proportionality. From the recommendations issued by the FDPIC, the following conclusions can be drawn:

  • Data minimisation and proportionality are key principles to comply with

  • Privacy notices must be clear and transparent and state, among other things, what personal data is processed, for which purposes, and to whom it is disclosed

Investigation into Ricardo / TX Group

Users of the auction platform Ricardo were informed in a new privacy notice that their data would be shared within the TX Group for security and marketing purposes, and that their account would be deactivated if they objected to such disclosure and/or use of their data. Following users’ reports and complaints, the FDPIC opened an investigation into Ricardo and its parent company TX Group.

In his final report13, the FDPIC concluded, among other things, that Ricardo violated the principle of transparency and had no valid legal ground for processing personal data for marketing and analytics purposes, as the data subjects were not informed appropriately and had not given their consent. From the recommendations issued by the FDPIC, the following conclusions can be drawn:

  • Usage data is considered personal data, even if it is not directly linked to the respective user, as long as the user remains identifiable without disproportionate effort

  • Data subjects must be clearly and transparently informed on the use of their personal data for marketing and tracking purposes and on the creation of personality profiles (according to the previous FADP) or profiling (according to the revised FADP)

  • The controller’s overriding legitimate interest must be carefully weighed against the data subjects’ interests and right to control over their data, if it is to be used as a ground for justification.

For a more detailed analysis of the Digitec Galaxus and Ricardo / TX Group investigations, please consult the article “Navigating compliance: Key insights from FDPIC recent investigations”.

4.   Conclusions

One year after the entry into force of the new Swiss Data Protection Act, some main areas of focus have emerged, which merit special attention by all organisations that process personal data:

Personal data processing by processors / outsourcing

According to the FDPIC’s annual report 2023 – 2024, several of the data breaches reported involved a service provider, i.e. a processor, and many of them were high-risk breaches concerning a large number of data subjects. It is therefore crucial for companies to carefully select and assess their processors, have the necessary agreements in place, and continually monitor the processors’ compliance with data protection and security requirements.

Data security

The FDPIC made data security an important topic in his guidelines and recommendations, with particular emphasis on the newly introduced risk-based approach. Furthermore, some of the FDPIC’s most prominent investigations showed that data security is a topic of utmost importance, and it will certainly remain one as technology continues to develop.

Duty of information / transparency

With the extended duty of information under the revised FADP and several investigations of the FDPIC pointing out shortcomings in this regard, companies should attach particular importance to their privacy notices and regularly review them to make sure they are at any time clear, accurate and complete.

Data minimisation

Data minimisation is not only a legal requirement, but also helps reduce the risk of severe, large-scale data breaches. Storing only the minimum amount of data necessary for the processing purposes, sharing only that minimum with processors, and deleting or anonymising personal data as soon as it is no longer needed not only guarantees compliance with the FADP, but also helps mitigate risks.

If you have any questions or need support in this area, please do not hesitate to contact FABIAN PRIVACY LEGAL.

1      The list of adequate countries can be found here: https://www.fedlex.admin.ch/eli/cc/2022/568/en#annex_1

2      https://www.edoeb.admin.ch/edoeb/en/home/deredoeb/infothek/infothek-ds.html

3      https://databreach.edoeb.admin.ch/report

4      https://datareg.edoeb.admin.ch/search

5      https://www.dpo-reg.edoeb.admin.ch/welcome

6      https://www.edoeb.admin.ch/edoeb/en/home/deredoeb/kontakt.html

7      https://www.dataprivacyframework.gov/list

8      https://www.edoeb.admin.ch/edoeb/en/home/kurzmeldungen/2023/20231109_ki_dsg.html

9      https://www.newsd.admin.ch/newsd/message/attachments/87347.pdf (in German)

10    https://www.newsd.admin.ch/newsd/message/attachments/87363.pdf (in German)

11    https://www.newsd.admin.ch/newsd/message/attachments/87361.pdf (in German)

12    https://www.newsd.admin.ch/newsd/message/attachments/87062.pdf (in German)

13    https://www.newsd.admin.ch/newsd/message/attachments/90127.pdf (in German)