Jusletter IT

New Draft of Federal Act on Data Protection (FADP)

  • Author: Daniel Ronzani
  • Category: News
  • Region: Switzerland
  • Field of law: Data Protection
  • Citation: Daniel Ronzani, New Draft of Federal Act on Data Protection (FADP), in: Jusletter IT 21 September 2017
[1]

The approximately 15 years old Swiss Federal Act on Data Protection (FADP)1 is currently being revised. The new FADP is planned to come into force before or on 1 August 20182, a couple of months after the European General Data Protection Regulation (GDPR)3, which comes into force on 25 May 2018.4

[2]

On 21 December 2016 the Federal Council released a preliminary draft of the new FADP for consultation.5 Recently, on 15 September 2017, the Federal Council released the draft of the new FADP, accompanied by its dispatch. A first goal of the new FADP is to adapt data protection to the digital age, thereby increasing protection of, and transparency for, individuals. A second goal is to adapt Swiss legislation to the European GDPR to ensure free data transmission between Switzerland and member states of the EU.6 Here are some selected highlights of the FADP draft:

  • Limitation to individuals: unlike the current FADP, which protects data of individuals and legal entities, the protection of the new FADP shall be limited to natural persons.7 Most countries worldwide do not foresee the protection of personal data of legal entities.8
  • Profiling: the static result of a «personality profile» in the current FADP is replaced with a dynamic process of «profiling».9 The new term10 is defined as assessment of certain characteristics of a person on the basis of automated personal data, in particular analyzing or predicting the work performance, economic circumstances, health, behaviour, interests, whereabouts or mobility. Profiling is defined as high risk processing that requires an impact assessment. This impact assessment must describe the planned processing, an assessment of the risks for the personality or the fundamental rights of the affected person as well as measures for the protection of her personality and fundamental rights.11
  • Cross-border transfer: generally, personal data of individuals can still be transferred abroad if certain protection measures are in place, e.g. country approved by Federal Council or agreed model clauses with foreign contracting partner.12 But there is a new notification obligation upon request by the Federal Data Protection and Informaption Commissioner (FDPIC) if the personal data transferred abroad relates to, and is in the interest of, a third party (i.e. not the contracting party). Finally, cross-border data transmission cannot yet be justified merely by private interests.13
  • Deceased Person: the regulation regarding disclosure of personal data of a deceased person currently regulated at ordinance level14 is elevated to statute level. The FDAP draft now also foresees the possibility of requesting deletion of personal data of a deceased person by her heirs, with exceptions.15
  • Information duty: the information duty has been extended insofar as a person must be informed about the collection of any of her personal data (and not only, as in the current FADP, about the collection of sensitive data or personality profiles). The information to the affected person includes, among others, the processing scope, the recipient of the personal data, and the country to which the personal data are exported.16 There are numerous exceptions to this information duty.17
  • Fines: in deviation to the European GDPR, which foresees fines up to several million Euros, the FADP draft limits fines in the event of breach of duties to CHF 250’000.–. It is an offence requiring complaint and the breach must have been committed intentionally.18

Daniel Ronzani

  1. 1 SR 235.1, in force as of 1 July 1993.
  2. 2 Dispatch of the Federal Council of 15 September 2017 regarding the Total Revision of the Federal Act on Data Protection and Related Laws on Data Protection, p. 238.
  3. 3 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  4. 4 Cf. Art. 99 (2) GDPR.
  5. 5 Federal Department of Justice and Police (FDJP), press release 21 December 2016, tinyurl.com/y96ckybk.
  6. 6 Federal Department of Justice and Police (FDJP), press release 15 September 2017, tinyurl.com/ybrxrvjs.
  7. 7 Art. 4 (1) (b) FADP draft.
  8. 8 Supra at note 2, p. 73.
  9. 9 Ibid. at 83.
  10. 10 Art. 4 (1) (f) FADP draft.
  11. 11 Art. 20 FADP draft.
  12. 12 Art. 13–15 FADP draft.
  13. 13 Art. 14 (1) (b) (2) in connection with art. 14 (2) FADP draft.
  14. 14 Art. 1 (7) Ordinance of the FADP (SR 235.11).
  15. 15 Art. 16 (3) FADP draft.
  16. 16 Art. 17 FADP draft.
  17. 17 Art. 18 FADP draft.
  18. 18 Art. 54 FADP draft.