You can view the official version of the revised Swiss FADP here.
Termly updates our policy generators whenever a law that may impact our users enters into force or is amended. When those changes occur, we send an email to our users about the updates. It is your responsibility to log into your Termly Dashboard and make the necessary edits, revisions, or changes to your policies.
1.1 Key changes
On September 1, 2023, the revised Federal Act on Data Protection (FADP) came into effect.
The Swiss FADP applies to businesses that process the personal information of Swiss residents, whether the business is based in Switzerland or not.
If your business falls under this law, the key changes to be aware of include:
Only data of natural persons are now protected.
An extraterritorial scope has been added. The revised FADP applies to the processing of personal data with effects in Switzerland, even if the processing occurs abroad.
Biometric and genetic data are included in the definition of sensitive data.
Privacy by Design and Default principles are introduced.
A record of processing activities is now required for businesses that have more than 250 employees or process personal data in a manner that is high risk to the privacy or rights of data subjects.
The concept of profiling (i.e. the automated processing of personal data) is introduced. Data subjects have the right not to be subject to automated decision-making.
A representative in Switzerland must be provided if a foreign business regularly processes personal data on a large scale in a way that poses a high risk to data subjects.
Data security breaches must be reported as soon as possible to the Federal Data Protection and Information Commissioner (FDPIC).
Data Protection Impact Assessments (DPIAs) must be carried out if there is a high risk to the privacy or rights of data subjects.
Privacy policies must be transparent and inform the data subject of the business's identity and contact information, the purpose of processing, to whom the data is disclosed, the countries to which the data will be transferred, and the safeguards implemented for cross-border transfers.
1.2 Updating your policy to comply with the FADP
Select Yes to the question: “Do you have users in the EU, UK, Switzerland, Iceland, Liechtenstein, or Norway?”
See a screenshot example below.
If you collect biometric or genetic data, you must select them if you have not already done so.
See an example in the screenshot below.
If you originally selected No to the question: “Do you have users in the EU, UK, Switzerland, Iceland, Liechtenstein, or Norway?” then you must now complete the EU/UK Legal Bases for Processing section.
See all relevant screenshot examples below.
If applicable, include your Swiss representative’s contact details.
If you have different EEA and Swiss representatives, select No to “Is your Swiss representative the same as your EEA representative?” and enter each representative’s contact details.
See examples of all relevant questions regarding your Swiss representative in the screenshots below.
Your policy should now account for the revisions to the Swiss FADP.