Switzerland’s Federal Act on Data Protection (FADP) was approved in Switzerland on 25 September 2020 and will take effect in September 2023. It will replace the outdated 1992 Act.
Switzerland’s Federal Data Protection Act is largely compatible with the EU’s General Data Protection Regulation (GDPR). The law guarantees Swiss citizens’ rights regarding personal data protection and creates new requirements for companies processing that data.
If you are operating your website from Switzerland, or have users from Switzerland, you must comply with Switzerland’s FADP. Additionally, if you are operating your website from Switzerland, but have users from the European Union, you must also comply with the GDPR.
What Is Switzerland’s Federal Act on Data Protection?
Switzerland’s Federal Data Protection Act protects the personal data processing of Swiss citizens and provides requirements for companies processing that data. The FADP applies to both private and public entities processing personal data of Swiss citizens. It also regulates the processing of the personal data by Swiss entities, irrespective of the data processing place. Switzerland’s FADP is extraterritorial, meaning that it applies to entities inside and outside of Switzerland if they process Swiss citizens’ data.
Under Switzerland’s Data Protection Act, websites that process the personal data of Swiss citizens must obtain explicit, freely given, and informed user consent to collect and process their personal data prior to the data processing occurs. This requirement also applies to cookies, used for analytics or marketing purposes. Strictly necessary cookies, needed for your website to function normally, are exempt from the requirement to get user consent.
If a user refuses cookies, they should not meet any negative consequences and should be able to access the website without being denied certain services or benefits of the website.
The cookie banner should present a gradual choice for Cookie Consent, meaning that a user should have the possibility to consent for each category of cookies, not just “accept” or “decline” all cookies.
Cookie Consent information should be visible and available in all the languages of the website. It should be written in simple terms so that any user can understand it.
Websites should have a Privacy Policy.
Use CookieScript Consent Management Platform, which provides Privacy Policy Generator and helps you to comply with all major privacy laws, including Switzerland’s FADP. Our Cookie Banner is translated into 30+ languages, so the right version of the banner is presented to the user.
Enforcement of Switzerland’s FADP
The Federal Data Protection and Information Commissioner (FDPIC) is responsible for monitoring compliance with Switzerland’s FADP. FDPIC regulates the enforcement of the FADP regulations by cooperating with domestic and foreign authorities and advises Swiss companies on how to process personal data to comply with the law. The entity is also responsible for advising, educating, and ensuring the protection of personal data in Switzerland. The Commissioner is appointed by the Federal Council for a four-year term.
Data Protection Officer (DPO)
Under the law, federal bodies are obliged to appoint a data protection officer (DPO).
Switzerland’s FADP allows companies to self-regulate. Private companies can appoint a data protection officer in accordance with Article 10 of the Data Protection Act. Those that appoint a data protection officer and notify the FDPIC will be subject to fewer data protection impact assessment requirements.
Private companies can use the FDPIC’s dedicated portal for reporting data protection officers and providing their contact details.
The DPO monitors the company’s compliance with data protection requirements and advises the data controller on personal data protection. The DPO basically ensures the entities' compliance with the FADP and acts as a means of communication between data subjects and supervisory authorities.
The data protection officer may be an employee of a company or a person outside of the company. Data protection should not be compromised based on the company’s other activities in any case. The data protection officer should present their point of view regarding data privacy in all cases, even when company management has a different view.
International Data Transfers
The FADP allows transfers of personal data to countries that ensure an adequate level of data protection. To perform international data transfers, entities must ensure appropriate safeguards, such as standard contractual clauses or binding corporate rules.
Penalties
The FDPIC can initiate an investigation into a company on its own or upon notification. Noncompliance with FADP responsibilities, including breaches of obligation to provide information or exercise duties of care, can result in fines to the controller of up to CHF 250,000.
In addition, infringements under business operations can result in fines of up to CHF 50,000 to the company if considerable effort would be required to identify the responsible person for the data breach within the organization.
Note that the FDPIC can fine companies, organizations, and private individuals, whereas the GDPR does not foresee fine natural persons, but only companies.
Reporting data protection breaches
In the event of a data protection breach, data controllers must report such cases to the Swiss Federal Data Protection and Information Commissioner as soon as possible. If necessary, data controllers must also inform the affected individuals.
Companies and federal organizations could use the dedicated portal for reporting data protection breaches.
Fundamental Principles of Data Protection
Switzerland’s FADP contains the following principles:
- Lawfulness and fairness. Personal data must be processed lawfully, with the data subject’s explicit consent, and ensuring transparency.
- Purpose limitation. To collect personal data, entities must have specified and legitimate interests. They must not further process the data for any other reasons incompatible with those interests.
- Data minimization. The processing the personal data must be limited to what is necessary for the intended purposes upon data collection.
- Accuracy. Entities must keep personal data accurate and up-to-date, and rectify any inaccuracies of data upon request.
- Storage limitation. The personal data of data subjects should be stored only for as long as necessary for the specified purposes upon data collection.
- Security and confidentiality. Entities must implement appropriate technical and organizational measures to protect personal data from unauthorized access or disclosure.
Data Subject Rights
Data subjects have the following rights, which are very similar to the ones, protected by the GDPR:
- The right to be informed.
- The right to access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- The rights around automated decision-making and profiling.
How does the Federal Act on Data Protection Define Personal Data?
The Swiss FADP defines personal data as “all information relating to an identified or identifiable person”. This could include name, address, email address, date and place of birth, passport number, online identifiers, like Internet Protocol (IP) addresses, cookie identifiers, browser fingerprinting, ethnicity, race, religion, and other data.
Particularly sensitive personal data
The FADP expands the list of personal data to include sensitive personal data. The new law defines sensitive personal data as:
- data about racial or ethnic origins, religious or political convictions
- data relating to religious, philosophical, political or trade union beliefs or activities
- health data, genetic data, biometric data (e.g. fingerprints)
- data on administrative and criminal prosecutions or sanctions
- social security data and sexual life.
When does the Federal Act on Data Protection not Apply?
The FADP does not apply to:
- personal data that is processed by a natural person exclusively for personal use and which is not disclosed to outsiders
- deliberations of the Federal Assembly and in parliamentary committees.
Google Consent Mode and CookieScript CMP
With CookieScript CMP-enabled Google Consent Mode, you can run all your website’s Google advertisement and analytics services and comply with Switzerland’s FADP. CookieScript CMP manages the consent of your website’s users and communicates the consent choices through the API. Google Consent Mode then governs all Google services, like Google Analytics or Google Ads, based on the consent of each individual user on your website.
CookieScript CMP is a Google-certified CMP, it integrates with the IAB TCF V2.2 framework and supports all ad publisher products — Google AdSense, Ad Manager, and AdMob.
Get ready for your website's Switzerland’s FADP compliance while using Google ad publisher products with CookieScript!
Frequently Asked Questions
Does Switzerland have a data privacy law?
Yes, Switzerland’s Federal Act on Data Protection (FADP) law was approved in Switzerland on 25 September 2020 and will take effect in September 2023. It will replace the previous 1992 Act. The FADP protects the personal data processing of Swiss citizens and provides requirements for companies processing that data. Use CookieScript to comply with the FADP and other privacy laws.
Is GDPR valid in Switzerland?
Unlike in other EEA countries, Swiss companies and organizations don't have to obey the GDPR. Swiss companies and organizations must comply with Switzerland’s Federal Data Protection Act. However, Swiss companies operating in the EEA must comply with the GDPR, independently of where they're based.
What Is Switzerland’s Federal Act on Data Protection?
Switzerland’s Federal Act on Data Protection (FADP) protects the personal data processing of Swiss citizens and provides requirements for companies processing that data. It was approved in Switzerland on 25 September 2020 and will take effect in September 2023. Use CookieScript to comply with the FADP and other privacy laws.
What is the difference between the GDPR and the new FADP?
Switzerland’s FADP is similar to the GDPR. A company or organization must obtain explicit, freely given, and informed user consent to collect and process their personal data prior to the data processing occurs. Differently from the GDPR, the new FADP includes two additional categories of sensitive personal data, namely data on administrative or criminal proceedings and sanctions and data on social security measures. CookieScript CMP can help you to comply with the GDPR, FADP, and other privacy laws.
Does Switzerland’s FADP require companies to appoint a data protection officer?
No, it’s not obligatory. Under the law, only federal bodies are obliged to appoint a data protection officer. However, private companies can appoint a data protection officer if they wish. Those that appoint a data protection officer and notify the FDPIC will be subject to fewer data protection impact assessment requirements.
How to report data protection breaches under Switzerland’s FADP?
Companies and federal organizations could use the dedicated portal for reporting data protection breaches.
What are the penalties for non-compliance with Switzerland’s FADP?
Noncompliance with FADP responsibilities, including breaches of obligation to provide information or exercise duties of care, can result in fines to the controller of up to CHF 250,000. The FDPIC can fine companies, organizations, and private individuals, differently from the GDPR, which does not foresee fine natural persons, but only companies. Use CookieScript to comply with the FADP and GDPR, and avoid penalties.
How to use Google Consent Mode in Switzerland’s FADP-compliant way?
CookieScript CMP is a Google-certified CMP, it integrates with the IAB TCF V2.2 framework and supports all ad publisher products — Google AdSense, Ad Manager, and AdMob. It enables Google Consent Mode, so you can run all your website’s Google advertisement and analytics services and comply with Switzerland’s FADP. CookieScript CMP manages the consent of your website’s users and communicates the consent choices through the API to Google services.