New Data Protection Act in Switzerland – Implications for international businesses

On 1 September 2023, a new Data Protection Act (here: “DPA”) together with the associated Data Protection Ordinance will enter into force in Switzerland. 

On 1 September 2023, a new Act on Data Protection together with an associated Data Protection Ordinance will enter into force in Switzerland.

The aim of the revision was to align the level of data protection with the GDPR.

Please note: The new law provides for fines (up to CHF 250,000) which, in contrast to EU law, do not affect the company, but the management (directors and members of the board).

In Switzerland, any processing of data is permitted as long as it complies with data protection and the processing principles of articles 6 and 8 FADP (Swiss Federal Act on Data Protection). A justification is not required for every processing of personal data.

What does the new Data Protection Act mean for EU businesses that have activities in Switzerland?
 The following constellations must be distinguished:

  • subsidiaries in Switzerland (AG or GmbH)
  • branch offices in Switzerland
  • serving the Swiss market from within the EU or elsewhere

The new Data Protection Act is fully applicable to subsidiaries or branches in Switzerland. To ensure compliance in a timely manner, we recommend the following steps: 

  • FADP gap analysis, followed by implementation of the necessary measures and, if necessary, preparation of documents. Businesses that already comply with the GDPR generally do not have to go great lengths to adapt to the new Swiss law.
  • Typically, the following measures are required:
    • adaptation of the privacy notice (added information requirements, e.g. regarding countries to which data is transferred)
    • creation of a register of processing activities under art. 12 FADP
    • ensuring the reporting of data breaches according to Swiss law (including the duty of the data processor to report to the data controller)
    • clarification of whether profiling takes place (automated processing of personal data), profiling requires consent of the data subject
    • adaptation of certain documented procedures (right to information, data portability, data protection impact assessment)
    • adapt the processing of genetic and biometric data as well as the processing of data for credit scoring purposes
    • adapt training and instruction schemes
    • if the IT services for the Swiss operations are provided from EU countries or from other countries outside Switzerland (or otherwise by third parties), a data processing agreement must be concluded with the service provider
  •  Recommendation: Appointment of an external data protection advisor in accordance with article 10 FADP. The Swiss equivalent of the data protection officer (DPO) under the GDPR is the data protection advisor. However, the tasks of the data protection advisor are more narrowly defined. MME Compliance AG offers these services.

If your business is active on the Swiss market from outside Switzerland and if you process personal data to do so, it must be analysed whether Swiss law is applicable. This is usually the case in these situations. The FADP applies to matters that have an impact in Switzerland even if they are initiated abroad (art. 3 (1) FADP). It must also be examined whether a representation in Switzerland must be designated. According to article 14 FADP, foreign controllers with their registered office abroad must designate a representative in Switzerland if the data processing fulfils the following requirements (cumulatively):

  • the processing is related to the offering of goods and services to or to the monitoring of the behaviour of Swiss residents (tracking Swiss users)
  • the processing exceeds a minimal amount
  • the processing takes place on a regular basis
  • the processing creates a risk for the privacy of the data subjects

The representative serves as a contact point for data subjects and the Swiss supervisory authority (FDPIC) and keeps a register of the processing activities. Further obligations are set out in articles 14 and 15 FADP.

MME Compliance AG acts as a Swiss representative for foreign businesses. 

(Dr. Martin Eckert, MME Compliance AG)