Understanding Data Protection

Switzerland, known for its precision and thoroughness, extends these qualities to its data protection legislation. The revised Swiss Federal Act on Data Protection (FADP), which came into force on September 1, 2023, represents a major modernization of Swiss data protection law, aligning it closely with the EU's General Data Protection Regulation (GDPR) while maintaining distinctly Swiss characteristics.

Overview of Swiss Data Protection Legislation

Swiss data protection laws are anchored in the revised Federal Act on Data Protection (FADP). This act sets the framework for data processing, emphasizing the protection of private individuals' personal data. The law applies to the processing of personal data by private persons and federal bodies.

More information: Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch

Historical Context and Evolution

The Swiss data protection landscape underwent a transformative change with the revised FADP, which replaced the original 1992 law. Key milestones include:

  • 1992: Original Federal Act on Data Protection enacted
  • 2017: Revision process began to modernize the law
  • September 1, 2023: Revised FADP and new Ordinance (OFADP) came into force

This revision brought Swiss law in line with international standards, particularly the GDPR, ensuring that the European Commission continues to recognize Switzerland as providing adequate data protection — a critical requirement for cross-border data flows.

International Implications and Alignment with EU GDPR

Switzerland, though not an EU member, recognizes the importance of aligning its data protection laws with the GDPR. This alignment facilitates smoother data exchanges with EU countries and ensures a high level of data protection. Key points of alignment include:

  • Enhanced transparency obligations for data controllers
  • Data Protection Impact Assessments (DPIAs) for high-risk processing
  • Mandatory data breach notification to the FDPIC
  • Strengthened rights for data subjects, including data portability
  • Extraterritorial application to foreign companies processing Swiss residents' data

Key Provisions of the Revised Swiss Data Protection Act

Scope and Applicability

The revised FADP applies to all data processing by private persons and federal bodies that has an effect in Switzerland. Importantly, it now has extraterritorial reach — meaning foreign companies that process data of people in Switzerland must also comply.

Key Changes Under the Revised FADP (2023)

  1. Scope Narrowed to Natural Persons: Only the data of natural persons (individuals) is now protected. Legal entities are no longer covered.
  2. Expanded Definition of Sensitive Data: 'Sensitive personal data' now includes genetic and biometric data, in addition to health data, religious beliefs, and other previously covered categories.
  3. Profiling and Automated Decision-Making: High-risk profiling (creating a profile of a person's essential characteristics) requires explicit consent or a legal basis.
  4. Data Protection Impact Assessments (DPIAs): Data controllers must conduct DPIAs when processing poses a high risk to the rights of data subjects.
  5. Mandatory Breach Notification: Data breaches that pose a high risk to affected persons must be reported to the FDPIC as quickly as possible.
  6. Criminal Penalties: Willful violations can result in fines of up to CHF 250,000 for the responsible individual (not the company). This differs from the GDPR, which fines the organization.
  7. Data Transfers Abroad: When personal data is transferred to a country without adequate data protection, appropriate safeguards (such as Standard Contractual Clauses) must be in place.

Rights of Data Subjects

Under the revised FADP, individuals have the following rights:

  • Right to Information: The right to know what personal data is being processed, by whom, and for what purpose.
  • Right of Access: The right to obtain a copy of your personal data, free of charge, within 30 days.
  • Right to Rectification: The right to have inaccurate data corrected.
  • Right to Erasure: The right to have your data deleted when it is no longer needed or when processing is unlawful.
  • Right to Data Portability: The right to receive your personal data in a commonly used electronic format.
  • Right to Object: The right to object to processing, particularly for direct marketing.
  • Right Regarding Automated Decisions: The right not to be subject to decisions based solely on automated processing (including AI) that significantly affect you.

Compliance with Personal Information Removal

Requirements for Removing Personal Information

The revised FADP specifies conditions under which personal data must be deleted:

  • The data is no longer necessary for the purpose for which it was collected
  • The data subject withdraws consent and there is no other legal basis for processing
  • The data was processed unlawfully
  • Deletion is required to comply with a legal obligation

Best Practices for Ensuring Compliance

  • Conduct Data Audits: Regularly review what personal data you hold and whether it is still necessary.
  • Clear Privacy Policies: Maintain clear, accessible privacy policies that explain what data you collect and why.
  • Robust Data Security: Implement encryption, access controls, and regular security assessments.
  • Documentation: Maintain records of processing activities as required by the revised FADP.
  • Appoint a Representative: For organizations outside Switzerland processing Swiss data, appoint a representative in Switzerland.

New: AI, Automated Processing, and Data Protection

The rise of AI systems has introduced new data protection challenges that the revised FADP addresses:

  • AI systems that process personal data must comply with all FADP principles, including transparency, purpose limitation, and data minimization.
  • Individuals have the right to know if decisions affecting them are made by automated systems, and to request human review of such decisions.
  • Companies using AI for profiling must ensure they have a lawful basis and must inform data subjects about the logic involved.
  • Web scraping of personal data for AI training purposes may violate the FADP if done without a lawful basis.
  • The FDPIC has indicated it will actively monitor AI-related data protection issues.

Navigating Swiss and International Regulations

Comparing Swiss Data Protection Laws with GDPR

While similar to the GDPR, the revised FADP has important differences:

  • Penalties: FADP fines target individuals (up to CHF 250,000); GDPR fines target organizations (up to EUR 20 million or 4% of global turnover).
  • Consent: Under the FADP, consent is one of several lawful bases; it does not always need to be explicit (except for sensitive data and high-risk profiling).
  • Enforcement: The FDPIC has advisory and investigative powers but cannot issue binding orders (unlike many EU DPAs). Enforcement relies on criminal prosecution.
  • Data Protection Officer (DPO): Under the FADP, a DPO is optional but recommended. Under the GDPR, it is mandatory in many cases.

Cross-Border Data Transfers

The Swiss-U.S. Data Privacy Framework (DPF), which replaced the invalidated Swiss-U.S. Privacy Shield, governs data transfers between Switzerland and the United States. The Swiss Federal Council recognized the DPF as providing adequate protection in 2024. For transfers to other countries without adequate protection, Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) must be used.


Conclusion and Recommendations

Navigating Swiss and international data protection laws, particularly regarding personal information removal, requires a thorough understanding of the legal landscape, a commitment to best practices, and awareness of evolving challenges — especially those posed by AI and automated processing. For businesses and individuals alike, staying informed and proactive is key to successful data protection compliance.
