The revised Swiss Federal Act on Data Protection comes into force 1 Sept. Unsurprisingly, perhaps, this upgrade to the 1992 version brings Switzerland’s data protection regime into greater alignment with the provisions of the EU General Data Protection Regulation. This includes the introduction of new, more stringent obligations on non-Swiss companies doing business in Switzerland, such as the requirement to appoint a Swiss representative. There is also an increased emphasis on the commitment to data subject rights, as well as new requirements around data breach reporting. Organizations will need to be prepared.
Expanded territorial scope
The revFADP significantly broadens the territorial scope of application of the Swiss data protection regime, taking inspiration from the GDPR, to ensure companies worldwide remain accountable for the protection of Swiss individuals’ personal information. The extraterritorial scope of the revFADP is, however, wider than that of its European muse. The new Swiss law applies to circumstances that have an effect in Switzerland even if such activities are initiated from abroad. This means the Swiss supervisory authority, the Federal Data Protection and Information Commissioner, is competent to enforce the revFADP regarding any activity with an impact in Switzerland, even if such effect is caused outside of Swiss borders. In practice, like the GDPR, organizations targeting goods or services to Swiss individuals or monitoring their behavior will now have to comply with revFADP requirements. In addition, organizations storing personal data on servers located in Switzerland will be caught by the new Swiss data protection legislation.
New obligation: Appointing a representative in Switzerland
An important change to note for organizations caught by the extraterritorial scope of the revFADP is the new requirement to appoint a representative in Switzerland. The requirement is triggered if an organization without a corporate seat in Switzerland is processing personal data of individuals in Switzerland and such processing activities are:
- Connected to offering goods and/or services to those individuals (targeting criterion) or monitoring the behaviors of those individuals (monitoring criterion).
- On a large scale, carried out regularly and pose a high risk to the data subject.
While the requirement to appoint a Swiss representative is no doubt inspired by the GDPR, there are, again, some noteworthy differences, primarily:
- The kind of organizational structure required to be considered as a local controller — namely the difference between the corporate seat under the revFADP and the establishment under the GDPR.
- The qualification of the data processing being on a large scale regularly and posing a high risk are application criteria under the revFADP. In the GDPR these criteria are turned around and formulated as exemptions.
An establishment under the GDPR is any kind of stable arrangement — for example, a branch or office — but the incorporation of an entity is not necessarily required. In contrast, the wording of the revFADP requires a corporate seat, unofficially translated in English to a “registered office.”
So far there is no literature to provide clarity about what kind of structure is required in Switzerland to not fall under the requirement to appoint a representative. The wording itself suggests there needs to be at least some kind of registration either as separate entity or a registered office, which is why in this aspect the requirement to appoint a representative under the revFADP is wider than under the GDPR. Companies with an entity in Switzerland can also appoint their subsidiary as representative, but should consider the subsidiaries’ ability to deal with data protection matters in Switzerland before doing so.
On the other hand, the additional qualifications of data processing narrow the scope because they target the data of intense and risky business models. In contrast, under the GDPR the same criteria, stipulated as exemptions, are very rarely ever triggered.
Role of the representative
The role of the Swiss representative has plainly evolved from the GDPR. The representative exists to act as a local, accessible point of contact for Swiss data subjects and for the FDPIC. The representative is designed to be a public appointment, and the revFADP requires controllers to publish the name and address of their designee to ensure data subjects can easily exercise their rights via the representative.
There is no express requirement under the revFADP to include this information in the controller’s privacy notice, as there is under the GDPR. Nevertheless, this remains an obvious place to include such information.
The inclusion of the requirement to appoint a representative reflects the broader data subject rights set out under the revFADP, compared to the 1992 Swiss law, and highlights the focus on empowering individuals to remain in control of their personal information. The representative must be on hand to provide data subjects with information on how to exercise their rights and enable the communication of such requests to controllers outside of Switzerland to preserve such rights for Swiss individuals.
For this reason, the representative needs to be a company established in Switzerland or an individual living there. Post-box solutions would not be able to fill the role of a representative and are, therefore, not suitable to comply with the requirement.
In addition to ensuring the facilitation of communication between non-Swiss organizations and the FDPIC, the representative will also be responsible for maintaining the controller’s record of processing activities and will be required to provide these to the supervisory authority upon request.
New data breach notification provisions
New data breach notification requirements mean controllers are obliged to inform the FDPIC of a breach as soon as possible when it is likely to result in a high risk to the data subject’s personality or fundamental rights. In the absence of any guidance from the FDPIC, it is so far unclear whether there will be any time limit for notification, in the same way the GDPR stipulates data breach notifications must be made within 72 hours.
Controllers are also required to inform data subjects affected by a breach if it is necessary for their protection, for example where the notification enables data subjects to take measures to limit the impact of a breach.
Non-Swiss organizations can look to their Swiss representative for support in the notification of data breaches where required.
Fines for noncompliance
In contrast to the GDPR, the revFADP does not create civil penalties for noncompliant organizations. Instead, intentional violations of the revised Swiss law by individuals acting for private controllers may result in criminal sanctions in the form of fines up to CHF250,000. Such fines will most likely be levied against C-level executives and those responsible for an organization’s data protection program, i.e., data protection officers, and include fines for:
- Willfully providing false or incomplete information at the point personal data is collected (Article 19), in respect of automated decision making (Article 21) and in breach of privacy notice obligations (Articles 25-27). See Article 60 (1, 2).
- Willfully providing false information and failing to cooperate with an FDPIC investigation, including failing to provide the FDPIC with the requisite information (Article 49(3)-Article 60(3)).
- Willfully disclosing personal data outside of Swiss boarders in violation of the provisions on crossborder transfers (Articles 16, 17) and willfully failing to satisfy the requirements of Article 9 in relation to the appointment of data processors (Article 61).
- Violating professional duty of confidentiality in respect of personal data (Article 62).
- Willfully failing to comply with an order of the DPIC (Art 63).
If the individuals responsible for such failings or intentional breaches of the revFADP cannot be reasonably determined, then the organization itself may be fined. However, fines of this nature for private controllers will not exceed CHF50,000.
revFADP, GDPR Comparison
The following table gives an overview of the differences between the GDPR and the Swiss revFADP regarding the topics mentioned in this article:
|Article 2(1): The processing of personal data.
|Article 2(1): The processing of personal data.
|The revFADP has a more pragmatic approach when it comes to identifiable data. Data is considered identifiable only if someone is willing and, with reasonable efforts, able to link data back to an individual. In Case T‑557/20, the European General Court took a similar approach.
|Article 3(2): Controllers and processors without an establishment when targeting or monitoring data subjects in the EU.
|Article 3(1): Circumstances which have an effect in Switzerland.
|Whereas the GDPR ties the applicability to actions taken by a controller or processor, the Swiss effect doctrine takes a passive approach and includes circumstances that are not related to selling goods/services in the Swiss market or monitoring the behaviour of Swiss data subjects.
|Article 27: Appoint a representative if:
• No establishment in the EU.
• Targeting or monitoring EU data subjects.
|Article 14: Appoint a representative if:
• No corporate seat in Switzerland.
• Targeting or monitoring individuals in Switzerland.
• Processing on a large scale regularly and posing a high risk.
|The requirement to appoint a representative under the revFADP applies to all organizations without a corporate seat, in contrast to an establishment under the GDPR which results in a broader applicability, whereas the additional qualifications narrow the scope again.
|Data Breach Reporting
|Article 33(1): Obligation to report data breaches posing any risk within 72 hours.
|Article 24(1): Obligation to report data breaches posing high risk as soon as possible.
|The revFADP excludes all breaches below the threshold of “high risk” and is more flexible on notification timing.
|Article 83(4,5): Administrative fines addressed to companies depending on the type of violation, either 10 million euros or 2% global turnover, or 20 million euros or 4% global turnover.
|Articles 60-63: Criminal liability of responsible person with fines of up to CHF250,000.
|The GDPR became well-known for exorbitant fines. Swiss revFADP frightens C-levels because of the criminal liability.
Switzerland is surrounded by the EU, so it is no wonder the Swiss revFADP takes its inspirations from the GDPR. It also makes perfect sense for a greater level of harmonization between the EU and Swiss data protections regimes to make compliance easier. However, there are some significant differences companies should note. Non-Swiss organizations need to consider the appointment of a representative in preparation for 1 Sept.