New Swiss data protection law entered into force
The Federal Data Protection Act (FADP) and the associated ordinances have been completely revised and entered into force on 1 September 2023. The revised FADP aims to strengthen the protection of private information by enhancing the transparency of data processing and the control individuals have over their own data. This includes both the data processor’s obligation to provide information and the data subject’s right to be informed. A person can only exercise their legal rights if they are aware of the data processing. Additionally, data protection is strengthened by two additional elements: First, the Federal Data Protection and Information Commissioner (FDPIC) is granted expanded oversight authority. In addition, the penalties for data protection violations were strengthened.
With the new FADP, planning for future data processing must also consider data protection regulations. Data controllers must ensure that the minimum amount of personal data is processed. If a planned data processing poses a high risk to the person’s personality or fundamental rights, the data controller is required to conduct a data protection impact assessment (DPIA). There is a high risk, for instance, if public areas like a train station’s lobby are monitored or if highly sensitive data is processed extensively. Particularly worthy of protection are, among other things, information pertaining to religious or political beliefs as well as medical data. At its meeting on 28 June 2023, the Federal Council issued DPIA administration guidelines for the federal government.
The importance of cross-border data flows is growing, especially due to the rise of digitalization. Therefore, the provisions regarding the disclosure of personal data abroad were revised. Since 1 September 2023, the Federal Council determines which states offer adequate data protection. The list of countries is publicly accessible and legally binding for data controllers as an annex to the data protection ordinance. Until the revised FADP entered into force, the FDPIC maintained this list. However, the latter was not legally binding.