Federal Act on Data Protection and GDPR Key Differences

The revised Swiss Federal Act on Data Protection (FADP) took effect in September 2023. Businesses that operate in or interact with Swiss users must adjust to these updated privacy regulations. The FADP closely follows the EU’s General Data Protection Regulation (GDPR). This alignment helps Switzerland stay a trusted partner for cross-border data transfers. However, the FADP introduces unique requirements that organizations need to address.

In this article, we will examine the main differences between the GDPR and the Swiss FADP. We will also discuss how these changes impact your compliance strategy.

Key Differences: GDPR vs. FADP

The GDPR and FADP both focus on protecting individual privacy rights. They also regulate how personal data is processed. However, some important distinctions set them apart:

| Requirement | GDPR | FADP |
|---|---|---|
| Penalties | For first or less serious violations: 2% of global annual turnover or €10 million. For repeat or more serious violations: 4% of global annual turnover or €20 million. | Up to CHF 250,000 can be imposed on a responsible individual. If identifying the individual is too difficult, the company may face a fine of up to CHF 50,000. |
| Information requirements | Art. 13 GDPR specifies the minimum information that a privacy policy must include. | A privacy policy has less required information than under the GDPR. Must list all countries to which personal data is transferred. |
| Records of processing activities | Art. 30 GDPR specifies all information that must be included in the records. | Must include a list of countries to which data is exported. |
| Data Protection Impact Assessments | In cases of high risk, the supervisory authority must be consulted. | In cases of high risk, the Data Protection Officer (DPO) can be consulted instead of the FDPIC. |
| Data export | Adequacy of export partners determined by the European Commission. Standard contractual clauses or other binding corporate rules. | Adequacy of export partners is determined by the Swiss Federal Council. EU standard contractual clauses or other binding corporate rules. |
| Data breach notification | Mandatory within 72 hours. | Mandatory “as soon as possible”. |
| Data Protection Officer | Mandatory. | Recommended. |

What does this mean for your organization?

If you are already GDPR-compliant, much of your current compliance framework may already match the Swiss data protection act, the FADP. However, reviewing specific requirements, such as data transfer rules and privacy policy adjustments, is crucial.


The revised FADP emphasizes the need for clear, freely given, and informed consent for data processing. This includes cookies and other technologies that collect personal data.

Explicit Consent for Specific Scenarios

Consent is required for:

  • Processing sensitive personal data, such as health information or political opinions.
  • High-risk profiling activities conducted by private entities or federal bodies.
  • Data transfers to countries without adequate data protection.

Granular Consent Choices: Like the GDPR, the FADP demands that users be able to provide consent separately for each purpose of data collection. Blanket approvals for all cookies are no longer valid under the FADP.

No Pre-Ticked Boxes or Coercion: Users must actively give consent without being forced or penalized for refusing. For instance, access to a website cannot be denied if a user declines non-essential cookies.

Practical Implementation:

Websites that target Swiss users need to use consent banners. These banners should be easy to understand. They must also be available in all relevant languages, including French, German, and Italian. The banners should also link to a detailed privacy or cookie policy, outlining:

  • The identity and contact information of the data controller.
  • The purposes of the data collected through cookies.
  • Any recipients or categories of recipients of the data.
  • Details of data transfers to third countries, including applicable safeguards.
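The consent rules above (per-purpose choices, no pre-ticked boxes, nothing non-essential loaded before the user answers) translate directly into how a banner's consent record must be built and consulted. The following is an added example written for this article, not code from the original page or from CookieInfo, Cookiebot or Usercentrics; the purpose names, the record layout and the sample tag list are assumptions made for the illustration.

```javascript
// Added example (not the article's or any vendor's code): a minimal
// per-purpose consent record for a cookie banner. Purpose names, the
// record layout and SAMPLE_TAGS are assumptions for this illustration.
const PURPOSES = ["necessary", "preferences", "statistics", "marketing"];

// No pre-ticked boxes: every purpose that needs consent starts refused.
// "necessary" stays true because strictly necessary cookies need no consent.
function defaultConsent() {
  return { necessary: true, preferences: false, statistics: false, marketing: false };
}

// Build a consent record from the choices the user actively made. Only a
// purpose set to exactly `true` is granted; unknown keys are ignored, and
// "necessary" cannot be toggled off.
function recordConsent(choices, now = new Date()) {
  const purposes = defaultConsent();
  for (const purpose of PURPOSES) {
    if (purpose !== "necessary" && choices[purpose] === true) {
      purposes[purpose] = true;
    }
  }
  return { version: 1, timestamp: now.toISOString(), purposes };
}

// "Accept all" and "Reject all" are both valid explicit choices; the record
// still stores each purpose separately so a single one can be withdrawn later.
function acceptAll(now) {
  return recordConsent({ preferences: true, statistics: true, marketing: true }, now);
}
function rejectAll(now) {
  return recordConsent({}, now);
}

// Withdraw one purpose without touching the others (returns a new record).
function withdraw(record, purpose, now = new Date()) {
  return recordConsent({ ...record.purposes, [purpose]: false }, now);
}

// Decide whether a tag for a given purpose may run. With no record at all
// (first visit, banner not yet answered) only "necessary" is allowed.
function mayLoad(record, purpose) {
  if (purpose === "necessary") return true;
  if (!record || !record.purposes) return false;
  return record.purposes[purpose] === true;
}

// Reload a record from storage (e.g. a first-party cookie) defensively:
// anything malformed is treated as "no consent given", never as "accepted".
function parseStoredConsent(raw) {
  try {
    const parsed = JSON.parse(raw);
    if (!parsed || typeof parsed.purposes !== "object" || parsed.purposes === null) {
      return null;
    }
    const when = parsed.timestamp ? new Date(parsed.timestamp) : new Date();
    return recordConsent(parsed.purposes, when); // throws on an invalid date
  } catch (_err) {
    return null;
  }
}

// Constructed sample tag list: which script belongs to which purpose.
const SAMPLE_TAGS = [
  { src: "/js/session.js", purpose: "necessary" },
  { src: "/js/theme.js", purpose: "preferences" },
  { src: "https://analytics.example/collect.js", purpose: "statistics" },
  { src: "https://ads.example/pixel.js", purpose: "marketing" },
];

// Return only the tags the current record permits; the banner code would
// inject these (and only these) into the page.
function scriptsToLoad(record, tags) {
  return tags.filter((tag) => mayLoad(record, tag.purpose)).map((tag) => tag.src);
}

// Example run: nothing answered yet, then a partial opt-in, then withdrawal.
console.log(scriptsToLoad(null, SAMPLE_TAGS));
const partial = recordConsent({ statistics: true });
console.log(scriptsToLoad(partial, SAMPLE_TAGS));
console.log(scriptsToLoad(withdraw(partial, "statistics"), SAMPLE_TAGS));
```

Two design points matter here. First, the only path to a granted purpose is an explicit `true` from the user, so a missing cookie, a corrupted cookie, or a banner that was dismissed without a choice all resolve to "nothing non-essential loads". Second, the record keeps each purpose separately even after "accept all", which is what makes later withdrawal of a single purpose possible without re-asking for everything.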

Start your free Cookiebot trial to ensure your website’s cookie consent practices meet FADP requirements.

Obligations for Companies Under the FADP

Organizations that process personal data of Swiss users must fulfill specific obligations by September 2023. There is no grace period for compliance.

Transparency Requirements:

  • Inform users about all personal data collection and processing activities, whether direct (e.g., website forms) or indirect (e.g., cookies).
  • Maintain clear and accessible privacy notices tailored to FADP standards.

Records of Processing Activities:

  • Keep a detailed register of all data processing activities, including third-party access to the data.
  • List all countries to which data is transferred, ensuring compliance with adequacy requirements.

Data Breach Notifications:

  • Notify the FDPIC and affected individuals promptly in the event of a data breach. The FADP does not specify a fixed timeline like GDPR but requires notification “as soon as possible.”

Adopt Privacy by Design and Default:

  • Incorporate data protection into the design phase of projects, ensuring privacy is a priority from the start.

Simplify compliance: CookieInfo provides tools such as Cookiebot CMP and Usercentrics CMP. These tools automate many tasks, including cookie scanning and consent management.

International Data Transfers

The FADP closely mirrors the GDPR's standards for data transfers, with a few key distinctions:

  • Transfers to countries considered inadequate by the Swiss Federal Council, like the US, need extra protections. These can include standard contractual clauses or binding corporate rules.
  • Organizations must assess the data protection measures in the recipient country before proceeding with a transfer.

The invalidation of the Swiss-US Privacy Shield in 2020 highlights the importance of reassessing data transfer mechanisms regularly. For companies reliant on cross-border data flows, compliance tools like Cookiebot CMP provide much-needed support.

FDPIC Recommendations for Web Tracking

The Swiss Federal Data Protection and Information Commissioner (FDPIC) provides clear guidance on web tracking, based on the Federal Act on Data Protection (FADP). The guidance highlights the importance of user transparency and control. Websites must:

  • Clearly inform users about tracking purposes and allow them to object.
  • Obtain explicit consent for tracking involving sensitive data or high-risk profiling.
  • Ensure compliance even when using third-party tracking services, as the website operator remains accountable.

Additionally, the processing of IP addresses is subject to the FADP, as these are considered personal data. Websites should evaluate all tracking practices to ensure full compliance.

Learn more about creating a compliant cookie policy with Cookiebot CMP.

Why Compliance with the FADP Matters

Adhering to the Federal Act on Data Protection is about more than avoiding penalties. Compliance demonstrates your commitment to respecting user privacy and fostering trust with your audience. Key benefits include:

  • Enhanced Reputation: Transparent data practices strengthen your brand and customer relationships.
  • International Competitiveness: Meeting stringent Swiss and EU standards facilitates seamless cross-border operations.
  • Reduced Risk: Proactive privacy measures minimize the likelihood of breaches and regulatory action.

Need Help with Compliance?

Navigating the complexities of the FADP doesn’t have to be daunting. CookieInfo aims to simplify compliance. We offer solutions like Cookiebot CMP, privacy audits, and expert guidance. Our services are tailored to meet your organization’s needs.

Contact us today to get started on your compliance journey.
