The main provisions

With the new FADP, the private sector and federal authorities have to adapt their processing of personal data to the new provisions. The Commissioner has recorded what he considers to be the most significant changes:

Criminal law

Criminal aspects of breaches of obligations under the FADP.

Data protection certification

The certification of systems, products and services promotes transparency in data processing.

Data protection impact assessment

Private- and public-sector data controllers must carry out a data protection impact assessment (DPIA) if data processing is likely to result in a high risk to the personality or fundamental rights of the data subjects.

Data protection officer

Notification of data protection officers (DPO) to the FDPIC pursuant to Art. 10 para. 3 FADP for private persons and Art. 10 para. 4 FADP for federal bodies.

Duty to provide information

The duty to provide information ensures that data processing is transparent and that the data subject’s rights are respected.

Fees

In future, the FDPIC will charge private data processors for a number of his services.

Information security

Information and instructions relating to IT and information security.

Investigations of violations of data protection regulations

Supervisory activities include investigating violations of data protection regulations and, if necessary, ordering administrative measures to enforce these regulations.

Right to information

In accordance with the Federal Act on Data Protection, any person may request information from the controller of a data file as to whether their personal data is being processed.

Codes of Conduct

Article 11 FADP allows professional, industry and trade associations, not to mention federal bodies, to draw up their own codes of conduct and submit it to the FDPIC for an opinion.

Representatives in accordance with Article 14 FADP

Article 14 of the Swiss Data Protection Act (DPA), which came into force on 1 September 2023, regulates the representation of data controllers that are registered or domiciled abroad but which process personal data in Switzerland.