On September 1st, 2023, the revised Federal Act on Data Protection (FADP) will come into force. The Swiss FADP has existed since 1992 but has been updated to meet the requirements of the digital world in 2023. In many ways, the FADP is similar to the European GDPR, ensuring Switzerland is considered a country with adequate levels of data protection, which makes it easier to process data of EU citizens in Switzerland, and vice versa.
What do I need to do to comply with the Swiss FADP?
For Complianz users, there is no need to take any action if you have already configured your site for the European Union. Although this was not strictly required until September 2023, Complianz has always applied the EU consent banner, opt-in mechanism, and legal documentation to Switzerland as well. This is confirmed by the first sentence in the Complianz-generated Cookie Policy and Privacy Statement:
This Cookie Policy was last updated on [date] and applies to citizens and legal permanent residents of the European Economic Area and Switzerland.
What are the most important similarities and differences between the GDPR and the FADP?
As mentioned before, Complianz treats Swiss visitors to your site just as it treats EU citizens. In terms of cookies and data processing, there are a lot of similarities:
- Opt-in for non-functional cookies is required
- Data subjects can exercise similar rights of access, rectification, deletion, etc.
- A legal basis is required for data processing (one of which is consent)
- Application of the Privacy by Design Principle
But there are also some subtle differences:
- Fines are lower, but private persons can also be sanctioned.
- Data breach notifications have to be made as soon as possible (as opposed to 72 hours)
- A broader definition of sensitive personal data (including criminal, genetic, and biometric data)
- The GDPR contains some extra requirements for the Privacy Statement
Please note that this is not a complete list, just a short overview to show that the updated Swiss legislation is very similar to the GDPR but also has some subtle differences.