New Swiss Data Protection Regulation nFADP

The Swiss Federal Data Protection Act (nFADP) comes into force on September 1, 2023.

Clive Mackintosh
August 29, 2023
EU / UK Representation

The Swiss Federal Data Protection Act (nFADP) comes into force on September 1, 2023. It is a comprehensive revision of the previous FADP, which has been in force since 1992. The nFADP is designed to bring Swiss data protection law in line with the European General Data Protection Regulation (GDPR) and to address the challenges of the digital age.

In this blog, Clive Mackintosh, Founder of GDPR Rep, experts in GDPR Representative services, gets into some of the details.


The nFADP introduces a number of new provisions that will have a significant impact on the processing of personal data of Swiss citizens. These include:

  • Extended user consent: The nFADP requires companies to obtain explicit consent from users before collecting or processing their personal data. This consent must be freely given, specific, informed, and unambiguous.
  • Increased transparency: The nFADP requires companies to be more transparent about how they collect, use, and share personal data. This includes providing users with clear information about the purpose of the processing, the categories of personal data collected, and the recipients of the data.
  • Enhanced data protection by design and default: The nFADP requires companies to take appropriate technical and organizational measures to ensure the protection of personal data by design and by default. This means that companies must build privacy into their products and services from the outset.
  • Strengthened individual rights: The nFADP strengthens the rights of individuals to access, correct, delete, and restrict the processing of their personal data.

Individuals also have the right to object to the processing of their data and to file a complaint with the Swiss Data Protection Authority. The nFADP is a significant step forward in the protection of personal data in Switzerland. It will require companies to make changes to the way they collect, use, and share personal data. However, the new provisions are also designed to be flexible and scalable, so that they can be adapted to the needs of businesses of all sizes.

Here are some additional things to keep in mind about the nFADP:

  • It applies to all organisations that process personal data of Swiss citizens, regardless of where the organisation is located.
  • It includes a number of new enforcement provisions, including the possibility of fines of up to CHF 250,000.
  • As it is a new law, there is still some uncertainty about how it will be applied in practice by the Swiss Data Protection Authority.

Overall, the nFADP is a significant development in Swiss data protection law. It will have a major impact on the way that organisations process personal data of Swiss citizens. Companies that are not already compliant with the nFADP should start taking steps to ensure that they are in compliance as soon as possible. This includes:

  • Considering whether or not to carry out a Data Protection Impact Assessment to assess the risks of the organisation's processing activities.
  • Undertaking a Data Mapping exercise to understand and identify what personal data is processed, why, for how long and where it is stored.
  • Preparing and maintaining a Record of Processing Activities (ROPA) and having a ROPA available for review by the Data Protection Authority and Data Subjects.
  • Appointing a Swiss Data Protection Representative to act as the organisation's point of contact for communicating with the Swiss Data Protection Authority and Data Subjects.

GDPR Representative Services

GDPR Rep is on a mission to help every business achieve and maintain GDPR representation. If you are looking into how your organisation can fulfil its requirements, why not schedule a no-commitment call with a GDPR representative expert today, or get a quote to understand how our value pricing makes compliance simple?
