January 18, 2023 by smartcockpit

New FADP: What are the expected changes?

You may have heard about the new Federal Act on Data Protection (nFADP) that will come into force on September 1, 2023 in Switzerland, but what does it mean for your company?

The current Federal Act on Data Protection dates back to 1992. This revision and the implementing provisions in the new Swiss Federal Ordinance on Data Protection (FODP) and the new Swiss Federal Ordinance on Data Protection Certifications (FODPC) adapt the law to new technological and social conditions. They strengthen transparency and the protection of personal data in order to align with the General Data Protection Regulation (GDPR) that applies in Europe. If the European Commission no longer recognizes Switzerland's level of data protection as adequate, Swiss companies could suffer significant losses and a huge competitive disadvantage.

In this article, we will therefore explore key changes introduced by the new FADP and the actions you will need to take to ensure that your company achieves a sufficient level of compliance and can maintain it.

What is the Federal Act on Data Protection?

The FADP is a comprehensive data protection law that aims to protect the confidentiality of personal data and to ensure its lawful processing (collection, storage, use, transfer, retention).

Personal data means any information relating to an identified or identifiable natural person, for example:

  • Last name
  • First name
  • Email address
  • Phone number
  • Mailing address
  • AHV number

Among personal data, there is a category of "sensitive" data, such as criminal records, health data, ethnic origin and political opinions, that is subject to a special regime.

Therefore, the FADP applies to all companies and organizations processing personal and sensitive data in a way that may have an effect in Switzerland, whether they are public or private, on Swiss territory or abroad.

What are the objectives of the new FADP?

Technological and social upheaval has been accelerated by the pandemic. As a result, the number of cyberattacks has increased. The new FADP aims to strengthen security and make companies more responsible by providing a regulatory framework for the collection, processing and use of personal data. This is a real challenge for the digital success of Switzerland and its companies.

Indeed, a smooth exchange of data between Switzerland and the EU must remain possible in the future. For this, organizations must maintain an adequate level of data protection. From an economic point of view, organizations that are already compliant with the FADP and the GDPR quickly differentiate themselves by their attractiveness and appear as a trusted partner.

The new FADP is also in line with the principle of informational self-determination by protecting the privacy rights of individuals. It gives individuals control over their personal data and allows them to choose who can access it.


When will my organization have to adapt to these new provisions?

You only have a few months left to take the necessary measures before the new FADP comes into effect on September 1, 2023. There is no transitional period, i.e. the new law will be effective and must be respected as of the set start date. Many Swiss companies do business with the EU and are faced with increased data protection requirements.

If you are GDPR compliant, you are already aware of most of the changes. However, there are still a few differences between the two laws, and swissprivacy.law has listed them in a complete comparison table.

20210211-Tableau-comparatif-nLPD-et-RGPD.pdf (swissprivacy.law)

For everyone else, major changes are on the way.

What are the main changes in the new FADP?

The personal data of individuals will be governed by stricter rules. Here is a list of the main changes in the new FADP:

  1. The scope of the law has changed and no longer includes legal persons.
  2. Genetic and biometric data have been added to the list of sensitive data.
  3. Companies must now take into account data protection principles at the design stage of processing and applications – Privacy-by-Design and Privacy-by-Default (art. 7 nFADP).
  4. Keeping a record of processing activities has become mandatory (except for SMEs with fewer than 250 employees).
  5. In order to increase transparency, the duty to adequately inform data subjects of any data collection has been reinforced and no longer applies only to sensitive data. The federal law is more specific on this point than the GDPR.
  6. When the intended processing entails a high risk, an impact assessment must be carried out.
  7. The notion of profiling is now part of the law. If decisions are taken on the basis of automated processing, the controller must inform the data subjects (art. 21 nFADP).
  8. The new FADP includes a right of access and a right to data portability.
  9. The Federal Data Protection and Information Commissioner (FDPIC) must be notified as soon as possible (72 hours for the GDPR) in case of a data security breach (art. 22 nFADP).

Find all the changes in the official document of the Federal Act on Data Protection.

https://fedlex.data.admin.ch/filestore/fedlex.data.admin.ch/eli/fga/2020/1998/fr/pdf-x/fedlex-data-admin-ch-eli-fga-2020-1998-fr-pdf-x.pdf

What do I need to do to comply with the requirements of the new FADP?

In the new FADP, there are 6 general principles to be respected which are included in the major changes mentioned above. These are transparency, purpose limitation, data minimization, confidentiality, storage limitation and accuracy.

The data controller must ensure that all privacy principles are met. Your company must be able to demonstrate compliance with all of them. It is therefore essential to put in place a governance framework.

Certifications already exist that help you become compliant with the new FADP. The ISO 27001:2022 standard is a good way to address the information security aspects. ISAE 3000 could also address these needs.

Here is a checklist of basic precautions to prevent a data breach:

  • Raise awareness and train employees – set up procedures and documentation
  • Implement user authentication methods (tracking controls, multi-factor authentication, etc.)
  • Manage access rights – grant access only as needed and review rights over time to avoid unexpected risk areas
  • Secure exchanges with external organizations (e.g., encrypt data before transmitting it)
  • Secure workstations (block certain ports, lock your workstation, update software, store data on a server)
  • Secure mobile computing (encryption, synchronization, locking, privacy filter)
  • Protect the internal computer network – block access, change passwords frequently, use a VPN and two-factor authentication for remote connections, ensure that no administration interface is exposed, limit external flows, install an intrusion detection system, segment the network
  • Perform frequent backups and write continuity plans
  • Manage subcontracting – supervise subcontractors' data security and verify the guarantees they provide
  • Protect the premises (alarm, badge, codes, delimitation of risk zones)
  • Secure servers – use individual accounts for better traceability
  • Secure the website
  • Supervise IT developments (Security-by-design)
  • Appoint an internal Data Protection Officer (DPO) or call on a specialized external company

What are the risks and penalties for not complying with the FADP?

The powers of the Federal Data Protection and Information Commissioner (FDPIC) have been extended to enforce the new FADP. The supervisory authorities can now intervene when they notice irregularities or when a complaint is filed. Indeed, customers, employees or even competitors can report such facts and request an examination or file a criminal complaint.

In the case of intentional violations of data protection regulations, strong measures can be taken, including the deletion of data. In addition to these sanctions, both the organization concerned and the data controller are liable to fines and criminal proceedings. In the first instance, therefore, it is not only the company itself that can be targeted by criminal proceedings. The maximum fine has increased from CHF 10,000 to CHF 250,000. This is a significant difference from the GDPR, which imposes much higher fines on companies, not on individuals.

Foreign companies operating in the Swiss market or whose data processing has an effect in Switzerland are subject to the same measures. The new FADP is based on the so-called place-of-result principle.


How to manage data protection compliance in my organization?

We accompany you, with a clear and efficient approach, through workshops covering the analysis, consulting, information gathering and implementation stages of the smartcockpit solution. Be ready for the new FADP and/or GDPR ➡️ Contact us!

We offer a privacy management cockpit specifically designed for the DPO (Data Protection Officer).

It allows you to manage, monitor and ensure compliance by:

  • Establishing good governance around data protection
  • Keeping a record of processing activities
  • Training and raising awareness among your employees
  • Aligning your processes to be compliant
  • Performing impact assessments for high-risk activities (DPIA)
  • Reviewing contracts, agreements and terms and conditions
  • Having a process to manage incidents
  • And much more…