The Swiss New Federal Act on Data Protection (nFADP) is a comprehensive legal framework designed to strengthen the privacy rights and protect the personal data of Swiss citizens.

The nFADP replaces Switzerland's previous privacy legislation of 1992, providing a renewed legal foundation for data protection in the country.

This article will walk you through Switzerland's data privacy law, its legal background, who it applies to, what it requires, the penalties for non-compliance, and more. Let's get into it.




What is the Swiss New Federal Act on Data Protection (nFADP)?

The Swiss New Federal Act on Data Protection (nFADP) is Switzerland's central data protection law. It was passed in the fall of 2020 and went into force on September 1, 2023.

The nFADP significantly elevates Switzerland's data protection standards to meet the social and technological demands of the Internet age.

To this effect, it grants Swiss citizens several privacy rights while imposing new obligations on businesses - a familiar feature of modern privacy laws.

The nFADP notably shares many similarities with the EU's General Data Protection Regulation (GDPR), borrowing most of its concepts and terminologies. That said, the nFADP deviates from the GDPR in key areas, introducing its own unique features for data protection.

Ultimately, the nFADP represents a strategic leap forward in Switzerland's commitment to data protection in an ever-evolving digital landscape.

Background of the Swiss New Federal Act on Data Protection (nFADP)

The Swiss nFADP has its roots in the 1992 Federal Act on Data Protection (FADP), which served as Switzerland's first privacy regulation.

As the digital landscape evolved, the Swiss Parliament recognized the need for a revision of its data protection standards. Evidently, the FADP wasn't equipped to tackle the modern privacy challenges posed by social media, cloud computing, and the Internet of Things.

Another vital reason for this reform was to harmonize Swiss law with the EU GDPR. This strategic alignment would establish Switzerland as a third country with "adequate" data protection by EU standards.

In other words, Swiss companies would enjoy free data flows with their EU counterparts, thereby maintaining their competitiveness.

After several rounds of public consultations and deliberations, the nFADP was adopted in September 2020. It was initially scheduled to go into force on January 1, 2022, but was later postponed to September 1, 2023.

Who Does the Swiss New Federal Act on Data Protection (nFADP) Apply to?

According to Article 3, the nFADP covers "circumstances that have an effect in Switzerland, even if they were initiated abroad."

In practice, the nFADP applies to:

  • Companies operating in Switzerland, and
  • Companies outside Switzerland that process the personal data of individuals in Switzerland

In the latter case, companies are required to designate a representative in Switzerland.

It's also important to note that the nFADP covers both private entities and federal authorities that process Swiss personal data.

Key Definitions Under the Swiss New Federal Act on Data Protection (nFADP)

Like many modern privacy laws, the Swiss nFADP provides its own specific meaning to common data protection terms and concepts. Let's look at some of the most important ones.

Personal Data

The Swiss nFADP defines personal data as "any information relating to an identified or identifiable natural person."

In the context of data privacy, personal data includes but isn't limited to:

  • First/last names
  • Email addresses
  • Phone numbers
  • Financial information
  • Social security numbers
  • Driver's license numbers
  • Pictures or videos identifying a person
  • Online identifiers (tracking cookies, pixels, IP addresses, etc.)

Unlike the previous law, the Swiss nFADP excludes the personal data of legal persons from its scope. In other words, the law only protects the personal data of natural persons - another feature consistent with the GDPR.

Sensitive Personal Data

While sensitive personal data isn't a new concept in Switzerland, the nFADP broadens its definition to include "genetic data" and "biometric data which uniquely identifies a natural person."

Other cited examples of sensitive personal data under the law include data relating to:

  • Religious and philosophical beliefs
  • Political and trade union activities
  • Health or the private sphere
  • Race or ethnicity
  • Administrative and criminal proceedings or sanctions
  • Social assistance measures

Not surprisingly, the nFADP imposes stricter obligations on businesses that handle this type of data.

In particular, such businesses must obtain prior, informed, and explicit consent to process sensitive data (e.g., via an empty checkbox next to an "I Agree" statement that clearly indicates approval of specified terms).

And here's another example of how this can look:

Processing

Under the Swiss nFADP, "processing" is defined as:

"any handling of personal data, irrespective of the means and procedures used, in particular, the collection, storage, keeping, use, modification, disclosure, archiving, deletion or destruction of data"

Essentially, processing is any and all action carried out on personal data, from gathering and storing to sharing and erasing.

Note that the nFADP only covers data processing in the commercial or professional context. Processing data for personal or household purposes is exempt from the nFADP scope.

Profiling

The concept of profiling is a new addition to Swiss data protection, thanks to the nFADP.

According to the law, profiling is:

"any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person..."

Essentially, profiling entails using an automated data-driven system to analyze or predict aspects of a person's life, such as their location, behavior, economic circumstances, etc.

The nFADP distinguishes between standard profiling and "high-risk profiling," which is any profiling that poses a high risk to data subjects' rights. Naturally, businesses engaged in high-risk profiling are held to stricter standards under the nFADP.

Data Controller and Data Processor

The nFADP categorizes businesses into data controllers and data processors based on their functions in handling data (another GDPR-inspired feature).

Under the law, a data controller is a private individual or federal body that decides the purpose and the methods of processing personal data.

In contrast, a data processor is a private individual or federal body that processes personal data on behalf of the controller.

Note: As a data controller, you're only allowed to outsource data processing to a processor if:

  • The processor handles personal data the same way you would and follows the rules and methods you're allowed to use, and
  • There aren't any legal or contractual obligations preventing you from outsourcing

For more information on the distinction between these two classes, check out our article GDPR Data Controller vs. Data Processor

Data Processing Principles Under the Swiss New Federal Act on Data Protection (nFADP)

Taking a page from the GDPR's playbook, the Swiss nFADP sets out six data processing principles businesses must adhere to under Article 6 of its provisions.

They're as follows:

  1. Lawful Processing: Process personal data only when you have a valid and legally justifiable reason for doing so.

  2. Good Faith and Proportionality: Handle personal data with integrity and ensure that your data processing activities are fair and appropriate.

  3. Specific Purpose: Only collect personal data for a clear and specific reason that the data subject understands. During processing, don't use the data for something unrelated to that purpose.

  4. Data Lifecycle: Once you no longer need personal data for its original purpose, either destroy it or make it anonymous.

  5. Accuracy and Correction: Make sure personal data always remains accurate. If the data is incomplete or you find mistakes, take steps to correct, delete, or destroy it. How you do this depends on the nature of the data and the risks it poses to a data subject's rights.

  6. Voluntary and Explicit Consent: If you rely on consent for some data processing activities, ensure consent is freely given, informed, and specific. Explicit consent is required for:

    • Processing sensitive personal data
    • High-risk profiling by a private individual
    • Profiling by a federal authority

General Requirements of the New Federal Act on Data Protection (nFADP)

As previously mentioned, the Swiss nFADP sets out a number of new obligations for businesses and renews several established requirements under the old legislation.

Let's take a closer look at the nFADP's requirements.

Provide a Privacy Policy

While the nFADP doesn't explicitly require a Privacy Policy, it requires businesses to provide certain information about how personal data is collected, used, and shared (also known as the key contents of a Privacy Policy).

To ensure transparent data processing, your Privacy Policy must, at minimum, include the following clauses:

  • Your identity and contact information
  • The categories of personal data you collect and process
  • Your purpose(s) for processing personal data
  • If applicable, the third parties or categories of third parties with whom you share personal data
  • Data subjects' rights and how to exercise them
  • The countries or international organizations you send data to and any safeguards in place (if applicable)

Note that if you don't obtain data directly from a data subject, you must provide them with the information above within one month of receiving the data. Moreover, if you share their data with a third party before this deadline, you must inform the data subject before or when the disclosure occurs.

Let's see some examples of how you can present some of these clauses in your Privacy Policy.

PayPal provides a long list detailing the categories of personal information it collects from users through their interaction with its services:

Deloitte explains how it uses personal information in a concise clause within its Privacy Notice:

Sephora sets out the categories of third parties with whom it may share data using simple, clear headlines:

And Microsoft provides a detailed contact information clause to address privacy concerns of users in various regions:

Facilitate Data Subject Rights

As mentioned, the nFADP grants Swiss data subjects several rights. Briefly, they're as follows:

  • Right to Be Informed: You must inform data subjects about the collection and processing of their personal data to maintain transparency.
  • Right to Access: Data subjects have the right to access and receive a copy of their personal data. They can also ask about the data origin, your processing purposes, and with whom you may share their data.
  • Right to Rectification: Data subjects can request that you correct their inaccurate or outdated personal data.
  • Right to Erasure: Data subjects can request the deletion of their data, but you may refuse this right if you have a valid legal justification.
  • Right to Object/Opt-Out: Data subjects can object to the processing of their data for specific purposes (e.g., profiling). That said, you may decline their request for legitimate compliance reasons.
  • Right to Data Portability: Data subjects can obtain a copy of their data and request its transfer to another controller.
  • Rights relating to Automated Decision-Making: Data subjects have the right to be informed about automated decision-making processes that legally or significantly affect them. They can also request that a natural person review such decisions.

Remember to display these rights in your Privacy Policy and provide data subjects a simple way to exercise them.

Here's how Amazon Web Services does this:

Here's another example of this type of clause:

Ensure Adequate Data Security

Under Article 8, controllers and processors must set up technical and organizational security measures to protect personal data against unauthorized access, data breaches, and other threats.

Importantly, your security safeguards must be proportionate to the risk level of your data processing activities. In other words, higher risk demands more robust security safeguards.

Although not mandatory under the nFADP, it's a best practice to provide a general description of your security safeguards in your Privacy Policy, like Amazon Web Services does here:

Here's another example:

Conduct Data Protection Impact Assessments (DPIAs)

Under Article 22, the nFADP requires you to conduct a DPIA for processing activities that are likely to pose a high risk to data subjects' privacy or fundamental rights. If you plan several similar processing activities, you can conduct a joint assessment for efficiency.

"High-risk" processing activities depend on factors like the nature, scope, circumstances, and purpose of data processing. Under the law, they include:

  • Large-scale processing of sensitive personal data
  • Systematic, large-scale monitoring of public areas

When conducting your DPIA, you'll need to provide:

  • A description of your processing activities
  • An evaluation of the risks to data subjects' rights
  • A description of the measures you'll implement to protect these rights

Notably, you may be exempt from the duty to conduct DPIAs if you're legally required to process data or if your product or service is certified under Article 13 of the nFADP.

You may also be exempt from DPIA obligations if you comply with a nFADP code of conduct that protects data subjects' rights and has been submitted to the Federal Data Protection and Information Commissioner (FDPIC).

While the processes won't be exactly the same, you can get some insight into how such an assessment works by checking out our article: GDPR Data Protection Impact Assessment

Appoint a Data Protection Officer (DPO)

While not mandatory, the nFADP encourages data controllers to appoint a Data Protection Officer (also known as a Data Protection Advisor).

A DPO is a privacy expert who oversees your company's data protection program. Their responsibilities include training and advising you on data protection matters, as well as supporting your nFADP compliance efforts.

If appointed, the DPO becomes your primary contact point for both data subjects and relevant data protection authorities in Switzerland.

To be considered legitimate (and be able to weigh in on DPIAs), your DPO must:

  • Be independent and not bound by your instructions
  • Have no conflict of interest
  • Have the required professional skills and expertise in data protection

Importantly, you must notify the FDPIC of your DPO's appointment. You must also make the DPO's contact details publicly available (e.g., in your Privacy Policy).

For example, here's how EY does this in its Privacy Statement:

Notify Relevant Parties of Data Breaches

The nFADP requires data controllers to promptly notify the FDPIC of data breaches that could pose a significant risk to data subjects' privacy or fundamental rights. Data processors, on the other hand, must report any data breach to their controller as quickly as possible.

When reporting a data breach, you must provide the following details:

  • The nature of the data breach
  • What consequences the breach may have
  • The measures you plan or have taken to address the breach

In some cases, you may need to inform the affected data subjects of a breach if it's necessary for their protection or if the FDPIC requests it:

You can, however, limit, delay, or even avoid informing data subjects if:

  • Legal confidentiality requirements prohibit it
  • It's impossible or requires an unreasonable effort to provide the information
  • The same level of information is provided via a public announcement

Maintain a Record of Processing Activities (RoPA)

Under the nFADP, both data controllers and processors must maintain a record of processing activities, or RoPA, for short.

As a data controller, your RoPA must, at minimum, include the following:

  • Your identity (name, contact details, etc.)
  • Why you're processing data
  • The categories of data subject and type of personal data you process
  • Who you share data with
  • How long you intend to keep data, or how you decide on this period
  • A general description of your data security measures (if possible)
  • If you share data abroad, details about the country and the safeguards in place

As a data processor working on behalf of a controller, your RoPA must include:

  • Your identity and that of the controller on behalf of whom you process data
  • What types of processing tasks you perform for the controller
  • Details about your data security measures (if possible)
  • A description of your international data transfer activities (if applicable)

Note: Organizations with fewer than 250 employees or low-risk data processing activities may be exempted from the duty to maintain a RoPA.

Observe the Principle of Privacy by Design and by Default

Privacy by Design means incorporating privacy protection into the initial setup (or "design") of your product or service that collects consumers' data.

On the other hand, "Privacy by Default" entails ensuring the highest level of privacy and security upon launching your product or service (i.e., without user intervention).

Keep in mind that your privacy and security measures must be proportionate to:

  • The current technological environment
  • The nature and scale of your processing activities
  • The level of risk involved

Importantly, you must ensure that, by default, you collect and use only the minimum amount of personal data necessary for intended purposes (unless the data subject expressly states otherwise).

Establish Safeguards for Cross-Border Data Disclosures

Like the GDPR, the nFADP permits international data disclosures if the receiving country offers "adequate" data protection by Swiss standards.

In the absence of such, you can still transfer data internationally as long as you ensure adequate data protection through any of the following mechanisms:

  • Standard contractual clauses supported, issued, or acknowledged by the FDPIC
  • Binding corporate rules pre-approved by the FDPIC or the data protection authority in a country with adequate data protection
  • International law treaties
  • Specific contracts established by the relevant federal authority, with prior notice to the FDPIC
  • Data protection clauses within an agreement between you and a third-party contractor with prior notice to the FDPIC

Here's how Cognician explains its international data transfer mechanisms in its Privacy Policy:

Enforcement and Penalties for Non-compliance Under the Swiss New Federal Act on Data Protection (nFADP)

The FDPIC is primarily responsible for enforcing the nFADP's provisions and may launch investigations independently or in response to alerts.

For organizations, non-compliance with nFADP's requirements to provide necessary information and exercise due diligence carries significant consequences, with fines reaching up to CHF 250,000.

Unlike the GDPR, private individuals can bear personal liability under the nFADP. In cases where identifying the responsible individual within an organization proves challenging, fines of up to CHF 50,000 may be imposed on the organization.

These penalties highlight the importance of transparent data governance and accountability within an organization.

Chart: Swiss New Federal Act on Data Protection (nFADP) vs. EU General Data Protection Regulation (GDPR)

The Swiss nFADP is often compared to the EU's GDPR, given its many similarities with the European law. In the following chart, we provide a breakdown of their major differences.

Areas of law Swiss nFADP EU GDPR
Scope Protects the personal data of natural persons in Switzerland Protects the personal data of natural persons in the EU and EEA
Penalties for non-compliance Maximum fine of CHF 250,000 against responsible private individuals Maximum fine of EUR 20 million or 4% of the company's worldwide annual revenue
Record of processing activities (RoPA) Provide a list of export countries Provide all information specified under Article 30
Appointment of a Data Protection Officer (DPO) Not mandatory but highly recommended Mandatory for some organizations under Article 37
Data breach notification timeline Report to the relevant authority as soon as possible Report to the supervisory authority within 72 hours
Privacy Policy content Shorter list of minimum content in Privacy Policy, but all recipient countries of data must be specified Include the minimum content of a Privacy Policy under Article 13
Data Protection Impact Assessment Can consult a DPO instead of the FDPIC for high-risk cases despite actions taken Must consult the supervisory authority for high-risk cases despite actions taken
International data transfers Adequacy is determined by the Swiss Federal Council Adequacy is determined by the European Commission

Summary

The nFADP is Switzerland's regulatory framework that was enacted to enhance privacy rights, regulate data processing, and align Swiss data protection with international standards.

The law applies to private entities and federal authorities that collect and process Swiss personal data regardless of location.

The nFADP sets out a number of data processing principles while granting new rights to Swiss data subjects. It also imposes new data protection responsibilities on businesses under its scope.

To recap, businesses must observe the following requirements:

  • Provide a nFADP-compliant Privacy Policy
  • Facilitate and help exercise Swiss data subject's rights
  • Implement appropriate data security safeguards
  • Appoint a Data Protection Officer (if needed)
  • Conduct DPIAs for complex or high-risk data processing activities
  • Notify the FDPIC and relevant parties of data breaches
  • Keep a record of processing activities
  • Observe the principles of Privacy by Design and by Default
  • Establish safeguards for cross-border data disclosures (if applicable)

By and large, the Swiss nFADP is closely aligned with the EU GDPR, making compliance easier for GDPR-compliant businesses. That said, there are a few unique provisions organizations must pay attention to under the nFADP (even GDPR-compliant ones).

Failing to comply satisfactorily may result in penalties maxing out at CHF 250,000 for businesses and CHF 50,000 for private individuals.

Privacy Policy Generator
Comprehensive compliance starts with a Privacy Policy.

Comply with the law with our agreements, policies, and consent banners. Everything is included.

Generate Privacy Policy