Federal Act on Data Protection (FADP) - Switzerland
Overview and Scope
The data processing principles set out in the FADP provide for protection against infringements of personality rights (data privacy) through excessive use of personal data.
The FADP's jurisdiction is based on the principle of effects, which means it applies to the processing of personal data that has actual or potential consequences for individuals in Switzerland. This includes processing activities that take place outside of Switzerland but still have an impact on the privacy rights of people in Switzerland. According to previous legal decisions, this principle of effects already applies to investigation proceedings conducted by the FDPIC under the current FADP.
Does it require providing a privacy notice?
In Switzerland, businesses or organizations are generally not required to register with or notify the Federal Data Protection and Information Commissioner (FDPIC) in order to process personal data or perform data processing operations with effects in the country. However, under the current Federal Act on Data Protection (FADP), businesses or organizations must register their data files with the FDPIC if they regularly process sensitive personal data or personality profiles, or regularly disclose personal data to third parties.
The registration process requires the submission of certain information, including the name and address of the controller of the data file, the purpose of the data file, the categories of personal data processed, the categories of data recipients, and the categories of third parties who are permitted to access and modify the data file. The controller must also update this information on an ongoing basis.
Nature of consent under the FADP
The Federal Act on Data Protection (FADP) does not require a general consent for the processing of personal data. Instead, its provisions outline the conditions that must be met for consent to be considered a valid justification for processing personal data, in cases where the controller needs to justify the processing and cannot rely on other bases such as the performance of a contract or legitimate interests.
If a controller needs to justify the processing of personal data and intends to use consent as the basis for that justification, the consent must be informed, freely given, and specific to the processing activity in question. Additionally, if the processing involves sensitive personal data or high-risk profiling, the consent must be expressly given in order for it to be valid. These requirements are outlined in Articles 6(6) and 6(7) of the Revised Federal Act on Data Protection (FADP).
What are the categories of sensitive personal data?
Under the FADP, the following categories of personal data qualify as 'sensitive':
- personal data concerning religious, ideological, political, or trade union-related views or activities;
- personal data concerning health, the intimate sphere, or the racial origin of an individual;
- personal data concerning social security measures;
- personal data concerning administrative or criminal proceedings and sanctions;
- genetic data; and
- biometric data that uniquely identifies an individual.
The disclosure of sensitive data to third parties must be justified, either through the consent of the data subject or through the necessity of the disclosure for the overriding interests of the controller or to fulfill legal obligations.
What exemptions, if any, are there for academic research?
No such exemption stated.
Does it require appointing a representative in Switzerland?
According to the Revised Federal Act on Data Protection (FADP), businesses or organizations (private controllers) based outside of Switzerland may be required to appoint a representative in Switzerland under certain circumstances. This requirement applies if the controller regularly performs high-risk and large-scale processing of personal data in connection with the offering of goods or services in Switzerland, or in connection with the monitoring of individuals' behavior in Switzerland.
How is it enforced?
The Federal Data Protection and Information Commissioner (FDPIC) is responsible for monitoring compliance with the Federal Act on Data Protection (FADP) and the Federal Act on Data Protection in the Private Sector (FODP) by businesses, organizations, and Federal public authorities. State prosecutors in the Cantons are responsible for enforcing the criminal law provisions of the FADP, as well as data protection-related offenses under the Criminal Code. The data protection supervisory authorities of the Cantons oversee the data processing activities of Cantonal and communal authorities in accordance with Cantonal data protection laws.
What are the potential penalties?
Under the Federal Act on Data Protection (FADP) in Switzerland, the Federal Data Protection and Information Commissioner (FDPIC) has the authority to correct, suspend, or stop certain processing of personal data, or to delete personal data entirely or partially, and to require businesses, organizations, or Federal authorities to comply with specific obligations. State prosecutors are responsible for enforcing the criminal law provisions of the FADP, including fines of up to CHF 10,000 for individuals responsible for violating certain information and notification requirements. Under the revised FADP, the maximum fine will be increased to CHF 250,000 and criminal liability will be extended to additional data protection obligations, including failure to ensure sufficient guarantees for international data transfers and failure to comply with minimum data security requirements. The revised FADP also introduces criminal liability for businesses and organizations, with natural persons primarily liable and the organization potentially liable for a fine of up to CHF 50,000 if determining who in the organization is responsible for the infringement would require disproportionate investigative efforts. Data subjects may also bring private actions against infringements of their personality rights protected under the FADP, including claims for compensatory damages, moral damages, and disgorgement of profits.