Companies handling personal data on an international scale have recently met with headwinds in the form of new legislation around the world. Among these is the revised Swiss data protection act, which applies to anyone processing the personal data of people in Switzerland, including companies based abroad whose processing has an effect in Switzerland.
This act has a number of unique requirements you’ll need to understand in order to avoid a multitude of legal risks.
We'll cover these unique factors, plus the best practices for compliance and more below.
In this article:
- What is the New Swiss Data Protection Act?
- FADP vs. GDPR
- Best Practices for Complying with the Swiss Data Protection Act
- Final Thoughts
- Frequently Asked Questions (FAQs)
What is the New Swiss Data Protection Act?
The new Swiss Data Protection Act is actually a revised version of the original Federal Act on Data Protection, or "FADP." First enacted in Switzerland in 1992, the act was comprehensively revised by Parliament in 2020, and the revised version came into force on September 1, 2023.
These revisions include stricter regulation of personal data processing activities and new rights for data subjects. The revised act protects natural persons only; data about legal persons (companies) is no longer covered.
Additionally, it now requires foreign controllers that meet certain conditions to designate a representative in Switzerland as a point of contact for data subjects and the Federal Data Protection and Information Commissioner (FDPIC), and it requires disclosure to data subjects of the recipients, or categories of recipients, with which their data is shared. Businesses must also incorporate a number of details into their operations to maintain compliance in the country.
We’ll review the act’s most notable details and the challenges they present for companies below.
FADP vs. GDPR
The latest revision of the FADP became active law in Switzerland on September 1, 2023. It introduces higher fines for intentional breaches of the act's duties, such as the duty to inform data subjects, and establishes requirements that must be adhered to by companies handling the personal data of people in Switzerland.
The following are a few of the most important differences between the FADP and the GDPR (General Data Protection Regulation):
Data exports overseen by Swiss Federal Council
Under the GDPR, the European Commission decides which foreign countries provide adequate data protection. Under the FADP, the Swiss Federal Council makes that determination for Switzerland and publishes its own list of adequate countries.
This means a company subject to both regimes cannot rely on one adequacy decision for both: a transfer involving the data of people in Switzerland needs a valid transfer basis under the FADP (Federal Council adequacy, standard contractual clauses approved by the FDPIC, or another recognized safeguard) as well as under the GDPR where that also applies.
Higher Sanctions
Under the GDPR, administrative fines of up to 20 million euros or 4% of a business's total worldwide annual turnover, whichever is higher, can be levied against offenders, and these are imposed on the company.
The FADP takes a different approach: its fines are criminal sanctions imposed on the responsible natural persons rather than on the company, and the revision raised the maximum from CHF 10,000 to CHF 250,000 for intentional violations, such as failing to inform data subjects or breaching the duties around cross-border disclosure.
Additional Sensitive Data Categories
The GDPR (Article 9) lists the following special categories of personal data as sensitive:
- Racial or ethnic origin data - A person's racial background and ethnicity fall under this category.
- Religious or philosophical belief data - An individual's religious or philosophical beliefs qualify as sensitive information.
- Political opinion data - Party affiliation, political leaning, and similar information match this category.
- Trade union membership data - Information on a person's membership of a trade union is considered sensitive.
- Genetic data - Data on a person's inherited or acquired genetic characteristics, typically obtained from the analysis of a biological sample.
- Biometric data - Data from specific technical processing of a person's physical, physiological, or behavioral characteristics (for example, fingerprints or facial geometry) that allows them to be uniquely identified.
- Health data - Private health information such as medical history, psychiatric diagnoses, etc., qualifies for inclusion in this category.
- Sex life or sexual orientation data - Any information pertaining to an individual's sex life or sexual orientation falls into this category.
The FADP adds two more categories of sensitive data for companies to handle carefully in Switzerland: data on social security measures, and data on administrative and criminal proceedings and sanctions.
Best Practices for Complying with the Swiss Data Protection Act
Build Privacy into Your Products
The FADP (Article 7) makes two principles mandatory for developers building systems intended to handle the personal data of people in Switzerland. These are:
- Privacy by Design - Data protection must be built into the technical design and organizational structure of products and services from the planning stage, so that processing is limited to what the purpose actually requires.
- Privacy by Default - Default settings must restrict processing to the minimum necessary for the stated purpose (for example, data sharing and retention switched off or minimized), unless the end user actively chooses otherwise.
Maintain a Register of Data Processing Activity
Controllers and processors must maintain an accurate register of their data processing activities, recording at a minimum the purposes of processing, the categories of data subjects and of data, the recipients, the retention period, and a general description of the security measures in place.
Companies with fewer than 250 employees are exempt, but only if their processing poses a low risk to data subjects; a smaller company that processes sensitive data on a large scale or carries out high-risk profiling must keep the register like any larger firm.
Final Thoughts
Handling sensitive data is likely to become an ever-more demanding task as time goes by. Nations around the world are taking an increasingly proactive stance on protecting their citizens from dangerous misuse of their private information.
Embracing safer data practices and implementing a robust data loss prevention solution, such as Digital Guardian, is a future-proof way for international companies to proceed and succeed for years to come.