Data protection has become an increasingly crucial issue in our interconnected world. As technology evolves and personal data becomes a valuable asset, governments worldwide are enacting legislation to ensure the privacy and security of individuals’ information. In Switzerland, the Swiss Data Protection Act (DPA) stands as a robust framework designed to protect citizens’ data rights and establish guidelines for responsible data handling. In this article, we delve into the key features of the Swiss DPA, how it compares to GDPR, and its significance in preserving privacy in the heart of Europe.
Historical Data Privacy Foundation
The Swiss DPA builds upon a long history of data protection law in Switzerland. Its roots trace back to the first Federal Data Protection Act of 1992, a time when digital technology, data security, and privacy were not yet part of the daily lives of Swiss citizens. On September 25, 2020, the Swiss Parliament adopted the revised Federal Data Protection Act (revFADP), a complete overhaul of the data protection law. The Swiss Federal Council (Bundesrat) revised the law to strengthen consumers’ rights over their data and to align Swiss data protection standards with evolving European Union regulations such as the General Data Protection Regulation (GDPR), while maintaining Switzerland’s unique legal framework.
This legislative change comes with several obligations for businesses and will be fully enforced on 1 September 2023 without any grace period.
Swiss DPA vs. GDPR
The Swiss DPA applies to public and private entities processing personal data within Switzerland’s jurisdiction, regardless of the data subjects’ nationality or location. The Swiss DPA and the GDPR share common principles concerning the processing of personal data: transparency, purpose limitation, data minimization, accuracy, storage limitation, and security. Both regulations emphasize the need for informed consent, individual rights, and accountability in data processing.
It is important to note that the Swiss Federal Authorities drew on the EU General Data Protection Regulation as a foundation for the DPA, but there are important differences as well as similarities between the two data privacy laws.
- Legal Basis: A major difference between the GDPR and the Swiss DPA is the legal basis required for data processing operations. Swiss law does not require a legal basis to process personal data in general, but explicit consent is required for high-risk profiling and for the processing of sensitive personal data.
- Data Processing: The new DPA requires a registry of every data processing operation, similar to GDPR Article 30 which requires documenting a record of processing activities (RoPA).
- Data Minimization: Similar to GDPR, under the Swiss DPA, data minimization is enshrined as a key principle for data processing. It requires organizations to collect and process only the personal data that is relevant, necessary, and proportionate to achieve the intended purpose.
- Consent and Data Rights: Both regulations highlight the significance of obtaining explicit consent from data subjects for data processing activities. Individuals have the right to access, correct, and delete their personal data under both the Swiss DPA and GDPR. However, there are some variations in the details of consent requirements and individual rights, reflecting the nuanced approaches of each regulation.
- Cross-Border Data Transfers: The GDPR provides a more extensive framework for regulating cross-border data transfers. It sets strict requirements for transferring personal data to countries outside the EU, ensuring that such countries offer an adequate level of data protection. The Swiss DPA, on the other hand, grants more flexibility, allowing transfers based on individual consent, protective measures such as Standard Contractual Clauses (SCC), or other legal grounds.
- Data Breach Notifications: There are slight differences in reporting requirements between the GDPR and the Swiss DPA. Under the DPA, notification is required only when the incident is likely to pose a high risk to the data subjects; in that case it must be reported promptly to the Federal Data Protection and Information Commissioner (FDPIC). The DPA does not set a strict reporting deadline, whereas the GDPR imposes a 72-hour time limit for reporting a breach.
Accountability, Enforcement & Regulatory Authorities
- Regulatory Authorities: The GDPR designates supervisory authorities in each EU member state to oversee compliance and enforce the regulation. In Switzerland, the Federal Data Protection and Information Commissioner (FDPIC) is responsible for enforcing the Swiss DPA. The FDPIC collaborates with other Swiss authorities and international bodies to ensure effective data protection. The FDPIC oversees compliance, investigates data breaches, and has the authority to issue fines and sanctions for non-compliance. Penalties can be significant, reinforcing the seriousness of data protection obligations.
- Data Protection Officer (DPO): Under the DPA, organizations engaged in large-scale data processing or processing sensitive data are required to appoint a Data Protection Officer. This dedicated role ensures compliance with data protection laws, provides guidance on data processing activities, and serves as a point of contact for individuals and regulatory authorities.
- Penalties & Fines: Under the GDPR, organizations that violate the regulation can face severe fines of up to 4% of their global annual turnover. GDPR sanctions are imposed on the legal entity or organization, whereas the Swiss DPA penalizes the individuals within the organization who are responsible for data protection. The Swiss DPA also imposes penalties for non-compliance but typically follows a more proportional approach, considering factors such as the organization’s size and resources.
How BigID Fulfills Compliance with the Swiss DPA
Swiss-based organizations need data privacy management solutions that cover a wide range of requirements similar to those of the GDPR. BigID can help organizations achieve Swiss DPA compliance with key features such as:
- Accurate Data Discovery: BigID helps organizations discover and inventory their personal and sensitive data.
- Efficient Data Mapping: Automatically map PII and PI to identities, entities, and residencies to connect relationships in your data environments.
- Fulfillment of Data Rights Requests: Automate consent and data rights management with a privacy portal that provides a seamless user experience for managing data subject rights requests (DSARs).
- Effective Privacy Impact Assessments (PIA/DPIA): Easily build seamless workflows and frameworks for privacy impact assessments (PIAs) to estimate the risk across the entire data inventory.
- Monitor Data Transfers: Track cross-border data transfers and create policies to enforce data residency and localization requirements.
- Simplified Breach Response: Accurately identify affected individuals, meet breach notification reporting timeline requirements, and speed up investigation response to fully comply.