Skip to main content
white and brown building beside calm body of water

What is FADP? – New Federal Act on Data Protection (nFADP)

Loi fédérale sur la protection des données
Bundesgesetz über den Datenschutz
Legge federale sulla protezione dei dati

What do you need to know?

  • Consent not required for data collection/processing under all circumstances.
  • Goes into effect September 1st, 2023.
  • Applies to natural persons (no longer to legal persons) and commercial and non-commercial entities that process the data of Swiss citizens.
  • Entities are responsible for compliant data processing even if they use third parties (like vendors) to do it.
  • All processors must take reasonable organizational and technical measures to ensure data privacy and security.
  • Applies to data in both physical and electronic files.
  • Extraterritorial law, entities processing personal data do not have to be based in Switzerland.
  • Prohibits transfers of personal data from Switzerland to countries with which they do not have an adequacy agreement unless explicit user consent has been obtained from data subjects.

Notification Guidelines

Before any data collection takes place, individuals need to be notified, regardless of whether their consent is necessary for subsequent data processing.

Businesses must transparently share the following details, possibly on a dedicated privacy policy webpage, which are also essential criteria for obtaining valid consent:

• Who controls the data: the company or an external party.

• How to contact the data controller.

• Who receives the data and any other parties interacting with the data set.

• The country of the recipient if data will be sent across borders.

• The reasons behind collecting and using the data.

• Relevant data categories being collected.

• How the data is being collected, if applicable.

• The legal justification for the processing, if applicable.

• The rights individuals have concerning their data under the FADP, including their ability to deny or retract consent.

Consent Guidelines

In contrast to the GDPR, the FADP permits entities to handle personal data without a distinct legal foundation unless specific conditions are met. The situations requiring consent include:

• Managing sensitive individual data.

• High-risk profiling activities carried out by private individuals.

• Profiling tasks undertaken by a federal institution (government).

• Sharing data to external nations lacking sufficient data protection measures.

While the FADP offers alternative legal grounds for data processing other than consent (such as legal mandates or predominant public interest), they are more limited compared to the GDPR. If consent is deemed necessary, it has to be secured either before or during the data collection phase. Similar to the GDPR, the FADP mandates that user consent be detailed, well-informed, and freely given. To aid in ensuring compliance, a consent management platform is essential. This can assist in creating compliant user notifications—for instance, by enhancing a privacy policy page—and in capturing and archiving compliant consents. With the aid of geolocation, it’s possible to set up multiple configurations, catering to diverse regulations like the GDPR and FADP, adjusted based on the user’s location.

Customers’ rights

• Inquire whether information about them is being or has been processed (they cannot give up this right to know beforehand) and ask to view the data gathered about them.

• Obtain a physical copy of their data, either printed or photocopied, without incurring any costs.

• Seek corrections to their personal data if it’s found to be erroneous or not comprehensive (this request can be limited, denied, or postponed for reasons such as security concerns, to safeguard criminal probes, or to prioritize the rights of significant third parties).

YOUR FADP CHECKLIST

  • Make or refresh your website’s privacy policy, tailored to your business, users, and the data you handle.
  • Always inform users about data processing, even if their consent isn’t needed.
  • Use a consent platform to keep your privacy policy up-to-date and user-friendly.
  • Clearly list countries you share data with, and if those countries lack a data agreement, get user consent before sharing.
  • Collect and store user permissions securely, especially for sensitive data.
  • Update your company’s data rules and share them with your team.
  • Keep a record of all data activities.
  • Have a system in place to promptly address users’ data requests, such as access or corrections.
  • Ensure users can easily get their data, either on paper or in a common digital format.
  • Conduct an assessment if you handle a lot of sensitive data.
  • Have a plan for data breaches and notify necessary parties, including third parties, if a breach happens.
  • Update contracts with third parties to ensure data safety. Remember, you’re ultimately responsible.
  • Keep data only as long as needed and remove or anonymize it afterward.
  • Assign a data protection lead to manage policies and communicate with users.
  • Regularly consult with legal experts about your duties under the FADP.

IMPORTANT DISCLAIMER: The information provided on this document does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Readers of this document should contact their attorney to obtain advice with respect to any particular legal matter.  No reader, user, or browser of this site should act or refrain from acting on the basis of information on this site without first seeking legal advice from counsel in the relevant jurisdiction.  Only your individual attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation.