Switzerland: introduction of the new data protection act

On 1 September 2023, the new Federal Act on Data Protection (nFADP), together with its accompanying ordinances, came into force in Switzerland. The nFADP introduces a number of obligations on companies (data controllers/data processors) to protect the personal data of natural persons and provide them with greater transparency.

nFADP: what changes at a glance

The nFADP moves the responsibility for personal data processing involving natural persons onto companies. Companies must therefore take measures to protect the security of personal data and in particular to avoid privacy risks (loss of confidentiality, integrity and availability) that may occur during the processing cycle. At the same time, the nFADP has strengthened data subjects' self-determination, and more specifically informational self-determination, by allowing the individual to control the data concerning him or her and, if necessary, to request action in the event of a breach.

For convenience, we set out below both the new obligations introduced and the criminal sanctions applicable in the event of wilful violations of certain obligations.

New obligations introduced

  • Obligation to protect data by design (privacy by design) and by default (privacy by default) (Art. 7 nFADP);
  • Minimum Security Standards (Art. 8 nFADP);
  • Record of processing activities (Art. 12 nFADP);
  • Generalised duty to provide information on all data processing (Art. 19 nFADP);
  • Data Protection Impact Assessment (DPIA) for high-risk processing operations (Art. 22 nFADP);
  • Duty of notification and disclosure in the event of a data breach (Art. 24 nFADP).

Criminal sanctions

In the event of a breach of the following obligations, a fine of up to CHF 250,000 shall be imposed on managers: 
  • Obligation to inform, to grant access and to cooperate;
  • Obligation of care (non-compliance with the conditions of data transfer abroad, the appointment of the data processor and minimum security requirements);
  • Obligation of confidentiality;
  • Failure to comply with a decision of the Federal Data Protection and Information Commissioner (FDPIC) or the appeal authority.

The Fidinam Group's commitment

Fidinam is committed to protecting the personal data that it collects and processes as part of its business and operational activities. We invite you to consult our Privacy Policy to find out how and for what purposes we process your personal data and what rights you are entitled to.

For more information on the new features introduced by the nFADP, we invite you to read the in-depth article on our blog (in Italian) and the dedicated page on our website.

Fidinam can help you

This article is edited by Isabel Costa, Vice Director and Privacy Manager of Fidinam & Partners.
 
Get in touch if you have any questions or to request advice.
