Does the FADP apply to my company?

The FADP applies to the processing of personal data by private controllers and federal bodies. Like the GDPR, the FADP has extra-territorial scope, meaning that it applies to companies located outside of Switzerland. The extra-territorial scope of the FADP is, however, broader than that of the GDPR because it covers all circumstances that have an effect in Switzerland, even if the action was initiated from abroad. This is known as the “effect doctrine”. According to the effect doctrine not just data processing activities related to Swiss individuals are subject to the FADP. Any processing operations performed on servers in Switzerland will be caught by the FADP, even if such operations are carried out from abroad.

There is one significant difference between the requirement to appoint a representative under the GDPR (Art 27) and the requirement under Art. 14 of the FADP. Whereas the GDPR requires companies without an establishment in the EU to appoint a representative, the requirement to appoint a representative is triggered under the FADP by an organisation not having a corporate seat in Switzerland. What does this mean? It means that companies with a branch or any other type of establishment in Switzerland that are not a corporate seat are still required to appoint a Swiss representative if they:

• offer goods or services to individuals in Switzerland (targeting criterion) or monitor their behaviour (monitoring criterion); and
• their processing activities are regular, on a large scale and pose a high risk to data subjects.

The wording of the targeting criterion under Art 14 FADP is nearly identical to the wording of Art 3(2) GDPR. For that reason, and in the absence of any guidance from the Swiss authorities, we can assume that the same types of activities as those set out in guidance from the European Data Protection Board will trigger the targeting criterion under Swiss law. It is expected that the Swiss authorities will publish their own guidelines in due course. Until then, factors that may be considered to result in an “offering of goods or services” to individuals in Switzerland could be:

• using languages used in Switzerland and offering payments in CHF;
• using ads to address Swiss individuals or other marketing tools directed towards Swiss customers;
• mentioning addresses or phone numbers to be reached from Switzerland;
• use of Swiss top-level domains;
• offering delivery of goods to Switzerland.

Again, until such a time as there is guidance from Swiss officials on the interpretation of the monitoring criterion, we assume the following activities, as set out in guidance relating to the GDPR, are likely to trigger the requirement to appoint a representative:

• behavioural advertisement
• geo-localisation activities
• online tracking by using cookies or other tracking technologies
• market surveys and other behavioural studies based on individual profiles

The FADP carries heavy penalties. In contrast to GDPR, however, these are not directed at companies, but at the responsible natural persons behind the breaching organisation. Instead of administrative fines, the FADP sanctions violations with criminal liabilities. The penalties can amount to up to CHF 250,000.