The Swiss Data Protection Act (FADP), in short
On 25 September 2020, Switzerland adopted a new version of the Federal Data Protection Act (FADP), replacing the 1992 Act in order to reach a level of data protection close to that of the EU’s GDPR.
Aligning its data privacy laws with those of the EU – namely the EU’s General Data Protection Regulation (GDPR) – was a driving force behind the revision of the 1992 Data Protection Act, ensuring continued flow of personal data in and out of Switzerland.
The result – the new Swiss FADP – is a data privacy law that has similarities with the EU’s GDPR, such as requiring consent in certain cases.
If you have users inside of Switzerland, being compliant with the new Swiss FADP is an obligation. Steep fines are levied against non-compliant domains. But the good news is, if you’re already compliant with the EU’s GDPR, you are almost certainly compliant with the Swiss FADP too.
Scan for free to see your website’s GDPR compliance level
Try Cookiebot CMP free for 14 days – or forever if you have a small website.
The Swiss privacy law – quick breakdown
- The Swiss FADP (Federal Data Protection Act) was adopted on 25 September 2020, replaces the previous 1992 Act, and will come into force in September 2023. It does not provide for a grace period, meaning businesses will have to be in compliance on the date of effect.
- The Swiss FADP enhances data protection in Switzerland and aligns it with the EU’s GDPR to ensure the continued flow of personal data from the European Economic Area to Switzerland.
- The Swiss FADP requires a website to obtain consent from users inside Switzerland if, for example, it processes sensitive personal data or transfers data to a third country without adequate protection. It also requires your website to have a privacy policy.
- The Swiss FADP defines personal data as any information relating to an identified or identifiable natural person, e.g. IP addresses. Additionally, the Swiss FADP defines sensitive personal data to include information about race, health, religious or political convictions, genetics and biometrics, social security and sexual life.
- The Swiss FADP applies to both the private and public sector and has extraterritorial scope, i.e. applies to any website that processes personal data from individuals inside Switzerland, regardless of where in the world the website is located.
- The Swiss FADP allows transfers of personal data from within Switzerland to third countries if they have an adequate level of data protection.
- The Swiss FADP extends the investigative powers of the Federal Data Protection and Information Commissioner (FDPIC).
- The Swiss FADP punishes non-compliance with fines of up to CHF 250,000. It also enables criminal sanctions to be imposed on private individuals responsible for a potential breach, e.g., controllers and processors, and not only companies.
Data subject rights under the Swiss data protection act
Swiss FADP compliance with Cookiebot CMP
Cookiebot CMP is a world-leading solution for making your website compliant with major data privacy laws, including the EU’s GDPR, Switzerland’s FADP, California’s CCPA/CPRA, Brazil’s LGPD, South Africa’s POPIA and many others.
Built around an unrivaled scanning technology that is able to scan and find all cookies and similar trackers in use on your website, Cookiebot CMP provides full transparency and control to your end-users, allowing them to make an easy and fast choice of consent, and enabling complete compliance for your website in the meantime.
Balance data privacy and data-driven business on your website with highly customizable consent interfaces, automatically generated cookie policies and regular renewal of end-user consent.
The geotargeting feature of Cookiebot CMP automatically determines where in the world a user of your website is located, e.g. in the EU or in Switzerland, and presents the correct compliance solution automatically.
The Swiss Federal Data Protection Act – in detail
Let’s have a closer look at the Swiss FADP and its requirements for your website.
Swiss FADP on consent, pre-ticked boxes and cookie walls
Under Switzerland’s Data Protection Act (FADP), websites that process personal data from users inside Switzerland might need to first obtain the prior, freely given and informed consent of those users in order to do so.
This includes cookies that are not strictly necessary for the basic function of your website, but which process personal data for other purposes, such as analytics or marketing.
Consent is required in the case of processing of particularly sensitive personal data, high-risk profiling by a private person or profiling by a federal body.
Additionally, consent might be needed if data is transferred to a country without an adequate level of protection.
Consent to cookies is only valid if it is a real choice, i.e. if the user consents without coercion, pressure or other external influence. This means that a user who refuses a cookie that requires consent should not be denied certain services or benefits, such as access to the site.
When a user refuses cookies, they should not be exposed to any negative consequences and should be able to continue accessing the website.
Like the EU’s GDPR, the Swiss FADP requires that end-user consent to cookies be specific, i.e. the user’s consent must be sought for each type of purpose pursued by cookies.
Consent cannot be given for a general use of all cookies without further specification of what data is collected via those cookies and for what purposes. Rather, the Swiss FADP requires a more detailed choice than a simple “all or nothing”, i.e. consent for each category of cookies.
Consent information should be visible, complete and noticeable. It should be written in simple terms that any user can understand and be available in all the languages of the website, e.g. if the website is aimed at a French- and German-speaking audience, the information on the consent banner should be written both in French and in German.
This information is usually grouped in a website’s privacy or cookie policy and should at least include:
- the identity and contact details of the controller (own or third party),
- the purposes of the cookies that are going to be deposited and/or read,
- recipients or categories of recipients of the data.
Additionally, it might be necessary to include the categories of data that are processed and the countries to which the data is transferred, in case a country does not have an adequate level of protection, as well as the guarantees on which the data transfer is based.
Main changes to the Swiss data protection act
As expected, there are quite a few changes to the new FADP from the previous regulation. Some of the most notable are as follows:
Privacy by design: Data privacy and protection must be a part of the process beginning with the planning stages of projects. Organizations must keep data subjects’ privacy in mind at all stages of development.
Enhanced consent requirements: The updated law pays greater attention to data subjects’ awareness of and education about the collection and use of their personal data. Organizations must clearly communicate about the data collected, the purposes, and more, as well as users’ rights and the options for exercising them. Consent requirements are also expanded to more cases.
Easier to exercise data subject rights: Data subjects can more easily make access requests to exercise their rights under the law. The process for individuals to request details about their personal data with any organization has been streamlined.
Data breach notifications: Organizations are required to notify users and other relevant stakeholders about a data breach or related violation as soon as possible. The FDPIC must also be notified immediately. There are clear and specific requirements for information that must be communicated about the breach.
Expanded powers and more severe penalties: Individuals have more options to restrict or reject the processing of their personal data. The FDPIC has expanded enforcement powers for violations of the law, and authorities can enact more severe penalties.
The new revised FADP compliance requirements
The Swiss data protection act is extraterritorial, so it applies to organizations both based in Switzerland and outside of it if they provide goods or services and process Swiss residents’ personal data. Companies subject to the FADP that are based outside of Switzerland need to designate a Swiss representative. This individual will liaise with the Swiss authorities and data subjects.
Organizations also need to potentially make changes to their operations end to end if their data privacy and protection practices have not been sufficiently robust. These include:
- building “privacy by design” into planning, design, and development of projects
- fully understanding consent requirements for data subjects and personal data processing and implementing the required measures
- ensuring it is clear and simple for data subjects to exercise their rights and contact the organization
- having strong policies and procedures for data breaches and ensuring fast notification and other required actions in the event of a violation
Obligations for companies under FADP
Organizations processing the personal data of Swiss residents will be required to comply as of September 2023; there will not be a grace period before enforcement. Companies that already comply with the GDPR will not have much additional work to do, but it is important that they familiarize themselves with FADP requirements. There are also some exemptions to some FADP requirements for SMEs up to 250 employees that organizations should be clear on.
Data subjects must be informed about all instances of collection and use of their personal data, whether collected directly or indirectly. Organizations also need to maintain a register of processing activities, and both controllers and processors have data privacy and protection responsibilities, particularly with regard to third-party access to the data, e.g. by vendors.
Why is it so important to comply with the new FADP?
Ensuring compliance helps organizations ensure that their data processing is done securely and responsibly, and that use of personal data is legal. FADP compliance provides data subjects with control over their privacy and personal data.
Fines for violations are one of the most important reasons compliance is important, but additionally a data breach or other violation can result in damage to a company’s reputation and loss of user trust. Companies can create a competitive advantage by being clear and transparent in their communications with users and showing respect for data privacy and managing consent requirements compliantly.
Achieving and maintaining FADP compliance also enables companies to compete better in the European Union, as they will meet stringent privacy requirements that enable cross-border data transfer and other common functions of doing business globally.
GDPR vs. new FADP
| Requirement | GDPR | FADP |
|---|---|---|
| Penalties | For first or less serious violations: 2% of global annual turnover or €10 million. For repeat or more serious violations: 4% of global annual turnover or €20 million. | Up to CHF 250,000 against a responsible individual, or, if it would be too difficult to identify the individual, up to CHF 50,000 against the company. |
| Information requirements | Art. 13 GDPR specifies the minimum information that a privacy policy must include. | A privacy policy has less required information than under the GDPR, but must list all countries to which personal data is transferred. |
| Records of processing activities | Art. 30 GDPR specifies all information that must be included in the records. | Must include a list of countries to which data is exported. |
| Data Protection Impact Assessments | In cases of high risk, the supervisory authority must be consulted. | In cases of high risk, the Data Protection Officer (DPO) can be consulted instead of the FDPIC. |
| Data export | Adequacy of export partners is determined by the European Commission. Standard contractual clauses or other binding corporate rules. | Adequacy of export partners is determined by the Swiss Federal Council. EU standard contractual clauses or other binding corporate rules. |
| Data breach notification | Mandatory within 72 hours. | Mandatory “as soon as possible”. |
| Data Protection Officer | Mandatory. | Recommended. |
FDPIC recommendations on web tracking in Switzerland
In Switzerland, the Federal Data Protection and Information Commissioner (FDPIC) is responsible for monitoring the compliance of companies and organizations with the Federal Data Protection Act (FADP).
The FDPIC has published guides on how your website can use web-tracking tools to monitor user activity on your domain in a way that is compliant with the Swiss FADP.
Your website’s end-users must be informed in a transparent manner about the fact that their personal data is collected, the purpose of the data processing, the analysis of the data and the possibilities given to the user to object to tracking.
In the case of sensitive personal data, end-users must explicitly confirm that they have been informed and that they agree to web-tracking, for example by a mouse click.
The FDPIC states that you, as website owner or operator, are responsible for any processing of personal data from individuals inside Switzerland, even if you are using web tracking service providers. Additionally, the FDPIC points out that even the processing of a user’s IP address is subject to the Federal Data Protection Act, since this address is considered personal data.
The FDPIC also states that when using cookies for web-tracking purposes, a website operator must take into account the requirements of the ePrivacy Directive of the European Parliament and of the Council concerning the processing of personal data as well as the protection of privacy in the electronic communications sector.
Transfer of personal data between the EU, the US and Switzerland
On 16 July 2020, the Court of Justice of the European Union (CJEU) ended the Privacy Shield, which until then allowed data transfers from the EU to the US.
The CJEU requires data controllers to assess the level of data protection in the recipient’s country and to suspend the transfer if that country is found to be inadequate. EU-Swiss transfers are also subject to these requirements.
On 8 September 2020, following an evaluation of the EU-US Privacy Shield, the Federal Data Protection and Information Commissioner (FDPIC) also declared the Swiss-US transfer regime inadequate.
In line with the CJEU, the FDPIC found that the level of data protection in the US was insufficient and the transfer mechanism under the Swiss-US Privacy Shield was invalidated.
Google Consent Mode and Cookiebot CMP
With Google Consent Mode and Cookiebot CMP, you can make all your website’s Google-services run based on the consent state of your end-users – full GDPR compliance with optimized analytics data and ads revenue in one simple solution.
Cookiebot CMP manages the consent of your website’s users, and communicates the consent states to the API running Google Consent Mode which then governs all your favorite services (like Google Analytics and Google Ads) based on the consent state of each individual user on your website.
Did a user not consent to statistics or marketing cookies? Cookiebot CMP informs Google Consent Mode which then makes sure that you still get aggregate and non-identifying insights into your website’s performance and the possibility of showing contextual ads instead of targeted ads – respecting user privacy while optimizing your website.
With Cookiebot CMP and Google Consent Mode, get instant and simple GDPR compliance plus optimized analytics data and ads revenue in one solution.
Penalties for non-compliance with the Swiss data protection act
Swiss privacy laws – summarized
In this blogpost, we looked at the new Swiss FADP, coming into effect in 2022, and its requirements for your website’s use of cookies and trackers that process personal data from users inside Switzerland.
Formed in the shape of the EU’s GDPR and adopting a lot of its core definitions, the Swiss FADP is a data privacy law that requires your website to obtain consent if processing sensitive personal data from users inside Switzerland or in the case of profiling through a private person or a federal body.
Like its EU sibling, it also comes with several other requirements for your website, e.g. to have an up-to-date privacy policy available to your end-users and to renew consents on a regular basis.
Cookiebot CMP is a plug-and-play solution that automates this entire process for you – simply sign up and implement Cookiebot CMP straight from the cloud with a few lines of JavaScript.
Swiss FADP FAQ
What is the Swiss Data Protection Act (FADP)?
The Swiss FADP is the data privacy law of Switzerland which regulates the processing of personal data from individuals inside Switzerland. It requires any website in the world with users from inside Switzerland to obtain their consent if they process sensitive personal data or in the case of profiling.
Does Switzerland also have to comply with the GDPR?
Yes, if your website located inside Switzerland processes personal data from users inside the EU, the General Data Protection Regulation (GDPR) applies and you are required to obtain prior consent before being legally allowed to process or share any personal data.
Does Switzerland have an EU adequacy decision?
Yes, Switzerland is among the countries that the EU has granted an adequacy decision to, meaning that the EU has deemed Switzerland’s level of data protection as essentially equivalent and ensuring the continued free flow of personal data across the two regions.
What is a Swiss FADP compliant cookie banner?
A consent banner on your website should contain easy-to-understand information about your website’s cookie settings and personal data processing practices. A valid consent banner should not have pre-checked checkboxes (cookies enabled by default), should not push or force users to give consent (cookie walls), and should not interpret user activity such as scrolling or continuing to browse the domain as consent.
Are cookie walls legal in Switzerland?
There is no special legislation on cookie walls in Switzerland. However, as many Swiss websites receive users from the EU, it is recommended for Swiss websites to follow the European Data Protection Board (EDPB) guidelines on valid consent in the EU, which define that cookie walls that condition consent on access to a website are an unlawful means of obtaining consent. Instead, consent must be granular and freely given. Users should be able to choose between some cookies and not others when giving consent.
Resources
EDPB guidelines on cookies and other trackers
Federal Data Protection Act (FADP) (in French)
CNIL guidelines on the use of cookies in France (in French)
Planet49 and valid cookie consent in the EU