Revision of Swiss Federal Act on Data Protection adopted

After tough negotiations, both chambers of Swiss Parliament – the National Council and the Council of States – adopted the final text of the totally revised Swiss Federal Data Protection Act (hereinafter “FADP”) on 25th of September 2020 – after more than three years of legislative process (the new revised FADP hereinafter “nFADP”).

The concept of high-risk profiling, which will be enshrined in law in the future, gave inter alia rise to debates: There have been extremely controversial discussions regarding the regulation of so-called “high-risk profiling”. In the end, those parliamentary supporters who insisted on an explicit introduction of this concept in the revised law prevailed by pointing out its relevance for a level of data protection equivalent to that of the General Data Protection Regulation of the European Union (hereinafter “GDPR”). The nFADP now defines “high-risk profiling” in Art. 5 lit. f nFADP as “profiling which involves a high risk to the personality or fundamental rights of the data subject by creating a link between data which allows an assessment of substantial aspects of a natural person’s personality”. This is relevant to the extent that the revised nFADP – in future under Art. 6 para. 7 lit. b. nFADP – requires that processing of such data may only take place with the express consent of the data subject.

In the end, the Swiss Parliament was also able to agree on the definition of sensitive personal data and the prerequisites of an overriding interest in a credit assessment. During the legislative process, it was also disputed whether all genetic data or only genetic data which uniquely may identify a natural person should be regarded as personal data requiring special protection. The revision has now shown that in future, according to Art. 5 lit. c. No. 3 nFADP, all genetic data will be regarded as sensitive personal data. Furthermore, the revision takes over numerous provisions from the GDPR, such as the obligations to keep a register of data processing operations and to carry out data protection impact assessments. However, the Swiss Parliament renounced to require data processors to provide data subjects with a list of their rights. It also waived the requirement for data controllers to inform data subjects about their possible intention to process personal data for the purpose of credit assessment or to disclose such data to third parties.

With the adoption of the text by both Chambers of the Swiss Parliament, the regulations to which companies’ data processing operations in Switzerland must comply in future are thus clear. However, it is still unclear when the Federal Council will bring the nFADP into force.

Find the provisional new text of the nFADP here: