Ready for the new Swiss Data Protection Law? Implications for organizations outside Switzerland
The revised Swiss Federal Act on Data Protection (“RevFADP”) comes into force on 1 September 2023. Unsurprisingly perhaps, this upgrade to the 1992 version brings Switzerland’s data protection regime into greater alignment with the provisions of the GDPR. This includes the introduction of new, more stringent obligations on non-Swiss companies doing business in Switzerland, such as the requirement to appoint a Swiss representative. There is also an increased emphasis on the commitment to data subject rights as well as new requirements in respect of data breach reporting, both of which organizations will need to be prepared for. We look here at the key implications of these changes for companies outside of Switzerland.
Expansion of the territorial scope
The RevFADP significantly broadens the territorial scope of application of the Swiss data protection regime, taking inspiration from the GDPR, to ensure that companies worldwide remain accountable for the protection of Swiss individual’s personal information. The extra-territorial scope of the RevFADP is, however, wider than that of its European muse in that the new Swiss law applies to circumstances that have an effect in Switzerland even if such activities are initiated from abroad. This means that the Swiss supervisory authority, the FDPIC, is competent to enforce the RevFADP in respect of any activity with an impact in Switzerland even if such effect is caused outside of Swiss borders. In practice this means that, like the GDPR, organizations targeting goods or services to Swiss individuals or monitoring their behaviour will now have to comply with the requirements of RevFADP. In addition to that, it means that organizations storing personal data on servers located in Switzerland will be caught by the new Swiss data protection legislation.
New obligation to appoint a representative in Switzerland
An important change to note for organizations caught by the extra-territorial scope of the RevFADP is the new requirement to appoint a representative in Switzerland. Such requirement is triggered if an organization without a corporate seat in Switzerland is processing personal data of individuals in Switzerland and such processing activities are connected to:
- the offer of goods and/or services to those individuals (targeting criterion) or the monitoring of the behaviours of those individuals (monitoring criterion)
- and where such data processing is
- on a large scale
- carried out regularly
- and poses a high risk to the data subject
While the requirement to appoint a Swiss representative is no doubt inspired by the GDPR, there are again some noteworthy differences. The two major differences to highlight are:
- the kind of organizational structure which is required to be considered as a local controller, namely the difference between the corporate seat under the RevFADP in contrast to the establishment under GDPR
- the qualification of the data processing being on a large scale, regularly and posing a high risk are application criteria under the RevFADP whereas in the GDPR these criteria are turned around and formulated as exemption
An establishment under the GDPR is any kind of stable arrangement, for example a branch or office, but the incorporation of an entity is not necessarily required. In contrast, the wording of the RevFADP requires a corporate seat, the unofficial English translation translates this as a “registered office”.
There is no commentary literature so far to provide clarity as to what kind of structure is required in Switzerland to not fall under the requirement to appoint a representative. The wording itself suggests that there needs to be at least some kind of registration either as separate entity or a registered office which is why in this aspect the requirement to appoint a representative under the RevFADP is wider than under the GDPR. Companies with an entity in Switzerland can also appoint their subsidiary as representative but should consider the subsidiaries ability to deal with data protection matters in Switzerland before doing so.
On the other hand, the additional qualifications of the data processing narrow the scope because they target the data intense and risky business models. In contrast, under the GDPR the same criteria stipulated as exemptions are very rarely ever triggered.
Find more information on the Swiss representation here.
Role of the representative
The role of the Swiss representative has plainly evolved from the GDPR. The representative exists to act a local, accessible point of contact for Swiss data subjects and for the Swiss supervisory authority (the FDPIC). The representative is designed to be a public appointment and the RevFADP requires controllers to publish the name and address of their designated rep to ensure that data subjects wishing to exercise their rights via the representative can easily do so. While there is no express requirement under the RevFADP to include this information in the controller’s privacy notice as there is under the GDPR, nevertheless this remains an obvious place to include such information. The inclusion of the requirement to appoint a representative reflects the broader data subject rights set out under the RevFADP compared to the 1992 Swiss laws, highlighting the focus on empowering individuals to remain in control of their personal information. The representative must be on hand to provide data subjects with information on how they can exercise their rights and enable the communication of such requests to controllers outside of Switzerland to preserve such rights for Swiss individuals.
For this reason, the representative needs to be a company established in Switzerland or an individual living there. Post-box solutions would not be able to fill the role of a representative and are therefore not suitable to comply with the requirement to appoint a representative in Switzerland.
In addition to ensuring the facilitation of communication between non-Swiss organizations and the FDPIC, the representative will also be responsible for maintaining the controller’s record of processing activities and will be required to provide these to the supervisory authority on request.
New provisions for data breaches
New data breach notification requirements mean that controllers are obliged to inform the FDPIC of a breach having occurred as soon as possible where the breach is likely to result in a high risk to the data subject’s personality or fundamental rights. In the absence of any guidance from the FDPIC, at this stage it is unclear whether there will be any time limit in respect of making such notifications “as soon as possible” in the same way as the GDPR stipulates that such notifications must be made within 72 hours. Controllers are also required to inform data subjects affected by the breach if required for the data subjects’ protection, for example where such notification enables data subjects to take measures to limit the impact to them of the breach. Non-Swiss organizations can look to their Swiss representative for support in the notification of data breaches where required.
Fines for non-compliance
In contrast to the GDPR, the RevFADP does not create civil penalties for non-compliant organizations. Instead, intentional violations of the revised Swiss law by individuals acting for private controllers may result in criminal sanctions in the form of fines of up to CHF 250,000. Such fines will most likely be levied against C-Level executives and those responsible for an organization’s data protection program (e.g., DPOs) and include fines for:
- wilfully providing false or incomplete information (i) at the point personal data is collected (Art 19), (ii) in respect of automated decision making (Art 21) and (iii) in breach of privacy notice obligations (Arts 25-27) – see Art 60(1&2)
- wilfully providing false information and failing to cooperate with an FDPIC investigation, including failing to provide the FDPIC with the requisite information (Art 49(3)) - see Art 60(2)
- wilful disclosure of personal data outside of Swiss boarders in violation of the provisions on cross-boarder transfers (Art 16 & 17) and to wilful failure to satisfy the requirements of Art 9 in relation to the appointment of data processors – Art 61
- violations of professional duty of confidentiality in respect of personal data (Art 62)
- wilful failure to comply with an order of the DPIC (Art 63)
Where the individuals responsible for such failings or intentional breaches of the RevFADP cannot be reasonably determined then the organization itself may be fined in lieu. Fines of this nature for private controllers will not exceed CHF 50,000, however.
Comparison of the RevFADP with the GDPR
The following table gives an overview of the differences between the GDPR and the Swiss RevFADP regarding the topics mentioned in this article:
| GDPR | RevFADP | Notable Difference |
|---|---|---|
| Material Scope | ||
| Art 2 (1): the processing of personal data | Art 2 (1): the processing of personal data | The RevFADP has a more pragmatic approach when it comes to identifiable data. Only if someone is willing and, with reasonable efforts, able to link data back to an individual, is the data considered identifiable. In Case T‑557/20 European General Court (EGC) took a similar approach. |
| Territorial Scope | ||
| Art 3 (2): controllers and processors without an establishment when targeting or monitoring data subjects in the EU | Art 3 (1): circumstances which have an effect in Switzerland | Whereas the GDPR ties the applicability to actions taken by a controller or processor, the Swiss effect doctrine takes a passive approach and includes circumstances which do not relate to selling good/service in the Swiss market or monitoring the behaviour of Swiss data subjects. |
| Representation | ||
| Art 27: appoint a representative if: - no establishment in the EU; - targeting or monitoring EU data subjects. | Art 14: appoint a representative if: - no corporate seat in Switzerland; - targeting or monitoring individuals in Switzerland; - processing being on a large scale, regularly and posing a high risk. | The fact that the requirement to appoint a representative under the RevFADP applies to all organizations without a corporate seat in contrast to an establishment under the GDPR results in a broader applicability whereas the additional qualifications narrow the scope again. |
| Data Breach Reporting | ||
| Art 33(1): obligation to report data breaches posing any risk within 72 hours. | Art 24(1): obligation to report data breaches which pose a high risk as soon as possible. | The RevFADP excludes all breaches below the threshold of “high risk” and is more flexible on the timing of the notification. |
| Fines | ||
| Art 83(4,5): administrative fines addressed to companies depending on the type of violation either € 10 Mio/2% global turnover or € 20 Mio/4% global turnover | Arts 60-63 criminal liability of responsible person with fines of up to CHF 250,000. | The GDPR became famous because of the exorbitant fines, Swiss RevFADP frightens C-levels because of the criminal liability. |
Summary
Switzerland is surrounded by the EU so it is no wonder that the Swiss RevFADP takes its inspirations from the GDPR. It also makes perfect sense to bring a greater level of harmonisation between the EU and Swiss the data protections regimes to make compliance easier. However, there are some significant differences companies should be aware of. Non-Swiss organizations need to consider the appointment of a representative ready for the 1 September.
Contact Prighter for more information on the Swiss RevFADP and to appoint a reputable provider as your representative in Switzerland here.