With the new FADP, the private sector and federal authorities have to adapt their processing of personal data to the new provisions. The Commissioner has recorded what he considers to be the most significant changes:
Criminal aspects of breaches of obligations under the FADP.
The certification of systems, products and services promotes transparency in data processing.
Private- and public-sector data controllers must carry out a data protection impact assessment (DPIA) if data processing is likely to result in a high risk to the personality or fundamental rights of the data subjects.
Notification of data protection officers (DPO) to the FDPIC pursuant to Art. 10 para. 3 FADP for private persons and Art. 10 para. 4 FADP for federal bodies.
The duty to provide information ensures that data processing is transparent and that the data subject’s rights are respected.
In future, the FDPIC will charge private data processors for a number of his services.
Information and instructions relating to IT and information security.
Supervisory activities include investigating violations of data protection regulations and, if necessary, ordering administrative measures to enforce these regulations.
In accordance with the Federal Act on Data Protection, any person may request information from the controller of a data file as to whether their personal data is being processed.
Article 11 FADP allows professional, industry and trade associations, as well as federal bodies, to draw up their own codes of conduct and submit them to the FDPIC for an opinion.
Article 14 of the Swiss Data Protection Act (DPA), which came into force on 1 September 2023, regulates the representation of data controllers that are registered or domiciled abroad but process personal data in Switzerland.