Compliance with European Union (EU) privacy laws poses a challenge for many companies in non-EU countries. This includes companies from regions with relatively strong data protection regimes, such as Switzerland.
Switzerland is neither an EU member nor a member of the larger European Economic Area (EEA), which consists of all EU member states plus Norway, Iceland and Liechtenstein. Switzerland is a member of the European Free Trade Area (EFTA) along with Norway, Iceland and Liechtenstein. As an EFTA member, Switzerland is part of the EU’s “internal market.”
In this article:
In this article, we look at how companies in Switzerland can work toward compliance with EU privacy laws (GDPR). Since Sept. 1, 2023, the new Swiss Data Protection Act (FDAP) has been in effect; we will compare this law to GDPR in this article.
May EU companies transfer personal data to companies in Switzerland?
Switzerland is neither an EU member nor a member of the larger European Economic Area (EEA). Switzerland is thus a third country.
The EU has established strict rules for transferring personal data to such third countries.
If your company collects personal data within the EEA, you may not normally transfer it to another company outside the EEA without appropriate safeguards. For example, the parties involved in the transfer may have to sign a standardized contract to ensure the security of personal data after the transfer is completed.
Why is the FADP review important?
The original FADP dates back to 1992; with the revision of the FADP, the Swiss government is responding to the fundamental changes in the technological and social landscape since 1992. The goal is to give data subjects more self-determination regarding their data.
Moreover, by aligning this new FADP with the GDPR, Switzerland is recognized as a third country with an adequate level of data protection.
Because Switzerland has received an adequacy decision, EEA companies are not required to take special measures to secure the transfer of personal data to Switzerland. They can transfer personal data in the normal way, just as within the EEA.
Differences between the FADP and GDPR
The GDPR and the FADP have many similarities, including strict penalties for violations and a focus on data privacy and protection (privacy laws). However, the provisions of the two regulations differ in detail in some key areas.
The 7 main differences are:
-
Sanctions
The privacy legislation states that the supervisory authorities of each EU member state can impose administrative fines and periodic penalty payments for failure to comply with the provisions of the GDPR. This includes fines of up to 4% of a company’s annual global turnover or EUR 20 million (whichever is higher) for the most serious violations, e.g., processing personal data without consent or failing to implement adequate security measures. The new FADP does not want absurdly high fines to be imposed, in fact, individuals can be fined up to CHF 250,000, equivalent to 257,588.32 Euros.
-
Appointment of a data protection officer (DPO)
Article 37 of the GDPR states that the appointment of a data protection officer (DPO) is mandatory under certain circumstances. By contrast, the FADP does not provide for the obligation to appoint a data protection officer – in Switzerland Data Protection Advisor (DPA) – but it is strongly recommended. The DPA is the single point of contact in Switzerland for the federal data protection and information commissioner FDPIC.
-
Data breach reports
The GDPR states that data breaches must be reported to the appropriate EU supervisory authority within 72 hours. The FADP states that data breaches should be reported to the FDPIC as soon as possible.
-
Exporting data
Adequacy of data exports is determined in Europe by the European Commission. Standard contract provisions and binding company rules apply. In Switzerland, the appropriateness of data exports is determined by the Swiss Federal Council. EU model contract provisions and binding business rules can be applied.
-
Data protection impact assessment
The GDPR stipulates that a Data Protection Impact Assessment (DPIA) must be carried out if there is a high risk to the privacy or fundamental rights of data subjects. If the risk persists despite the measures, the supervisory data protection authority should be consulted. The FADP provides a similar provision but adds that if the risk remains despite the measures taken, one may opt to consult a GBA instead of the FDPIC.
-
Profiling
The GDPR provides for a general consent requirement. The FADPR takes a slightly different approach to this, as the revised law regulates profiling, i.e. automated data processing to evaluate personal aspects of an individual, such as economic conditions, health, interests, behavior or location. A general consent requirement is provided for in the FADP only in cases of high-risk profiling
-
Sensitive data
Sensitive data under the GDPR includes the following data: racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data, data about a natural person’s health or sex life or sexual orientation.
Sensitive personal data under the FADP also include data on administrative or criminal proceedings and sanctions, as well as data on social security measures. This means that the FADP provides for two additional categories compared to the GDPR.
Appoint an EU representative
The new FADP is aligned with the GDPR as much as possible so that Swiss companies maintain their competitive advantage.
Despite this fact, Switzerland is still a non-EEA country. Most non-EEA companies operating in the EU must appoint an EU representative. This applies to Swiss companies as well as those from other non-EEA countries.
An EU representative serves as your company’s main point of contact with the EU.
If you have further questions about this, please contact one of our
EU representatives
contact