Switzerland’s new Federal Act on Data Protection (nFADP) - Actonic – Unfolding your potential


The Swiss Parliament has adopted the new data protection law for Swiss citizens, the Act on Federal Data Protection (nFADP), which replaces the 30-year-old previous law. The new law takes effect on September 1, 2023.

The new federal data protection law improves the processing of personal data, giving new rights to the citizens of Switzerland and imposing a series of new obligations on companies.

With this law, Switzerland has completely revised the first Federal Law on Data Protection of 1992. Partial revisions were made in 2009 and 2019.

The nFADP provides adequate data protection adapted to today’s technological and social development. The challenge is making the law compatible with the GDPR in order to enable the free flow of data with the European Union (EU), and consequently to avoid harming the competitiveness of Swiss companies.

Who does the nFADP apply to?

The FADP applies to organizations in and outside of Switzerland if they process the data of Swiss citizens, no matter where the company’s headquarters is located. Previously, it applied to both the public and private sectors. Let’s take a look at the changes introduced by the new data protection law for Swiss citizens.

The main nFADP changes

  • The new law does not cover the data of legal entities, only that of natural persons.
  • Genetic and biometric data are defined as sensitive data.
  • All software, hardware, and services must be configured for complete data protection and respect for user privacy. For this purpose, the principles “privacy by design” and “privacy by default” are introduced.
    • “Privacy by design” – user privacy protection must be built into the structure of services or products that collect personal data.
    • “Privacy by default” – protection is activated with no user intervention, while ensuring the highest level of security.
  • Keeping a register of processing activities is mandatory under the new law.
  • Automated data processing is covered by the nFADP.
  • In the event of a data breach, immediate notification to the Federal Commissioner for Data and Information Protection is required.

 

The law is very similar to the European data protection law, the GDPR, so companies that already comply with the GDPR will need to make only minimal changes.

