05 April 2023

New Data Protection Act in Switzerland – Implications for EU companies

On 1 September 2023, a new Data Protection Act (here: "DPA") together with the associated Data Protection Ordinance will enter into force in Switzerland.

  • Dr. Martin Eckert

    Legal Partner

The aim of the revision was to align the level of data protection with the GDPR. What does the new Data Protection Act mean for German and Austrian companies that have business activities in Switzerland?

Attention: The new law provides for fines (up to CHF 250,000) which, in contrast to EU law, are imposed not on the company but on the persons in management (board of directors, management).

In Switzerland, any processing of data is permitted as long as it complies with data protection and the processing principles of articles 6 and 8 FADP (Swiss Federal Act on Data Protection). A justification is not required for every processing of personal data.

What does the new Data Protection Act mean for EU companies that have business activities in Switzerland?

The following constellations must be distinguished:

  • Subsidiaries in Switzerland (AG; GmbH)
  • Branch offices in Switzerland
  • Serving the Swiss market from the EU

The new Data Protection Act is fully applicable to subsidiaries or branches in Switzerland. To ensure compliance in a timely manner, we recommend the following steps:

  • Gap analysis, followed by implementation of the necessary measures and, if necessary, preparation of documents. Business groups that comply with the GDPR standards generally do not have much to adapt or "helvetise".
  • Typically, the following measures are required:
    • Adaptation of the data protection declaration (extended information obligations, e.g. regarding countries to which data is transferred)
    • Creation of the directory of processing activities according to article 12 FADP
    • Ensuring the duty to report breaches of data security according to Swiss law (including the duty of the data processor to report to the data controller)
    • Clarification of whether profiling is involved (automated processing of personal data). If profiling is involved, consent of the data subject is required for processing
    • Adaptation of processes (right to information, data portability, data protection impact assessment)
    • Identify, check for new requirements and adapt processing of genetic and biometric data as well as for non-personal and creditworthiness purposes
    • Adapt training and instructions
    • If the IT services for the Swiss operations are provided from EU countries or from other countries outside Switzerland (or otherwise by third parties), a commissioned data processing contract must be concluded with the service provider
  • Recommendation: Appointment of an external data protection advisor in accordance with article 10 FADP. What the data protection officer (DPO) is in the GDPR, the data protection advisor is in Switzerland. However, the tasks of the data protection advisor are more narrowly defined. MME Compliance AG offers this service.

If the Swiss market is served from outside Switzerland and personal data is processed in doing so, it must be analysed whether Swiss law is applicable. This is usually the case. The FADP applies to matters that have an impact in Switzerland, even if they are initiated abroad (Art. 3 para. 1 FADP). It must also be examined whether a representative in Switzerland must be designated. According to article 14 FADP, controllers with their registered office abroad must designate a representative in Switzerland if the data processing fulfils the following requirements (cumulatively):

  • The processing is related to the offering of goods and services or the observation of the behaviour of persons in Switzerland
  • The processing is extensive
  • It is a case of regular processing
  • The processing involves a high risk to the personality of the data subjects

The representative serves as a contact point for the data subjects and the Swiss supervisory authority (FDPIC) and keeps a register of the processing activities. Further obligations are set out in articles 14 and 15 FADP. MME Compliance AG acts as a Swiss representative for foreign companies.