The 8 Most Important Changes You Need to Be Aware of in the New FADP.

The preparatory phase is over, and the totally revised Data Protection Act ( FADP) will enter into force on September 1. The FADP has been adapted to reflect technological developments and is designed to ensure the better protection of personal data. Self-determination is strengthened and transparency in the acquisition of personal data will be increased. Stricter rules now apply to companies. Therefore, existing organizational data protection declarations and guidelines had to be adapted. Below you will find the most important eight modifications.

  #Cloud Governance   #Cloud Security   #Company  
Marceline Ritter
+41 58 510 12 24

Modification number 1

New scope of application: The revised FADP only concerns the data of natural persons - legal entities will no longer be protected by the FADP in the future. The revised FADP must be applied by all Swiss companies as well as international organizations that process personal data of Swiss residents and conduct cross-border business. The FADP is based on the EU's General Data Protection Regulation (GDPR).


Modification number 2

Genetic and biometric data will be included in the definition of data requiring special protection. Genetic data, which can be obtained with a biological sample, for example, can provide information about a person's genetic characteristics, such as physiology or health. Examples include DNA analyses and similar tests. Biometric data enable the unique identification of individuals. Examples are facial images or fingerprints.


Modification number 3

The principles of " privacy by design" and "privacy by default" now apply. For developers, this means building privacy protection and respect into the structure of products or services from the outset. The principle of "privacy by default" ensures that the highest level of security is already in place when the product or service is put on the market. All necessary measures for data protection and restriction of data use are activated by default, i.e., without user intervention. Software, hardware, and services must be configured in such a way that data is protected and the privacy of the users is safeguarded.


Modification number 4

Impact assessments must be carried out if there is a high risk to the personal or fundamental rights of the individuals concerned. A data protection impact assessment is a risk assessment of the processing of personal data in the company. It involves the assessment of potential damage that could be caused if data security were deficient.


Modification number 5

The obligation to provide information will be significantly expanded; every time personal data is obtained, the individual concerned must be informed in advance. The existing law only provided for a duty to inform if particularly sensitive personal data was collected. Under the revised FADP, the scope of the duty to inform has also been expanded. At a minimum, information must now be provided on the identity and contact details of the data controller, the purpose of processing and the recipient groups. If data flows abroad, additional information obligations and provisions must be complied with.


Modification number 6

A comprehensive register of processing activities becomes mandatory - except for SMEs. Such a directory must contain an inventory of all data processing. It contributes to transparency and helps to determine whether the data processing was lawful. In addition to the processing methods used, the directory must also name the persons responsible for them. The type and scope of the personal data processed and their recipients must also be shown. The ordinance to the revised law provides for an exception for companies that employ fewer than 250 employees and whose data processing involves a low risk of violations of the personal rights of the individuals concerned.


Modification number 7

In the event of a data breach, rapid notification must be provided to the Federal Data Protection and Information Commissioner (FDPIC). The notification obligation applies to every data breach and requires not only notification to the data protection officer, but also to the individuals whose data is no longer secure. However, these individuals need only be notified if their personal or fundamental rights are at risk as a result of the data breach.


Modification number 8

The term "profiling" (the automated evaluation of personal data) is included in the new law. Accordingly, profiling is considered to be:
"... any automated processing of personal data involving the use of such data to evaluate certain personal aspects relating to an individual, in particular to analyze or predict aspects relating to that individual's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or change of location." If clear traits of a person can be identified in a profile, it constitutes "high-risk profiling." For this, explicit consent of the individual concerned must always be obtained in advance.


The revised Federal Act on Data Protection provides for fines of up to 250,000 Swiss francs per violation for individuals who are responsible for processing activities, if the information and disclosure obligations as well as certain due diligence obligations are intentionally violated. Cantonal prosecution authorities are responsible for enforcing criminal sanctions. Civil actions for removal, injunctive relief or damages are also possible.