Switzerland's Federal Act on Data Protection (nFADP): getting ready for implementation

The new Swiss Federal Act on Data Protection (nFADP) will come into force on 1 September 2023. It was time to give a facelift to the current text, introduced in 1992 – before the arrival of the Internet! This update is also necessary considering the standards established by the European Union (EU) with the General Data Protection Regulation (GDPR), which came into effect in 2018.

Companies have until the end of the summer to comply with the new law, as well as the accompanying ordinances on data protection (OPDo) and data protection certification (OCPD).

Don’t know where to start? This article reviews the goals of the federal law and gives you practical tips for implementing them.

Switzerland's new data protection requirements

The new data protection law introduces structural changes. The areas already covered in the current version are often treated more strictly, and several topics that were previously left out of the legislation are now included.

Senior Manager Wavestone, Switzerland

This revision presents important challenges for companies that have left the subject of data protection aside until now.

Mandatory record of processing activities

Companies with more than 250 employees that process personal data are now required to create, and keep up to date, a record of processing activities. The same obligation applies to smaller companies when they meet certain conditions: large-scale processing, high-risk profiling, etc.

This register must describe in detail all processes involving personal data within the organization. It serves as a basis for identifying sensitive processing operations and for conducting a Data Protection Impact Assessment (DPIA). This detailed analysis is justified by the possibility that the processing operation creates a high risk for the rights and freedoms of the data subjects.

Priority to user protection

The new law introduces new requirements for personal data security and privacy: transparency obligations towards the data subjects, supervision of subcontracting, notification in the event of a data breach, logging and implementation of technical and organizational measures…

From their conception, data processing measures must reinforce the rights of the persons concerned and the protection of personal data, as well as the obligations of the data controllers. These are the principles of Privacy by Design and Privacy by Default.