The new Federal Act on Data Protection will come into force on 1 September 2023. It introduces changes for data processors and data subjects and gives the FDPIC additional duties and powers. The FDPIC will thus intensify his supervisory activities and increase the number of investigations.
The FDPIC’s role
In future, the Federal Data Protection and Information Commissioner (FDPIC) will be elected by Parliament. Up until now, the FDPIC was elected by the Federal Council and was merely confirmed by the Federal Assembly. This new rule increases the office’s independence from the executive and enhances its democratic legitimacy. The elected Commissioner recruits their own staff and has their own budget, the draft of which is still submitted to the Federal Assembly.
The FDPIC remains assigned to the Federal Chancellery for administrative purposes, especially since the FDPIC communicates with the Federal Council via the Federal Chancellor. The Federal Chancellery provides the FDPIC with a range of services in personnel administration, finance and office automation on the basis of a service level agreement.
From now on, it will be up to the Federal Council to decide whether or not the legislation of a third country provides adequate protection, allowing data to be transferred from Switzerland to that country without additional measures. A list of countries providing adequate protection will be annexed to the Data Protection Ordinance.
If the planned processing of personal data is likely to involve a high risk to the privacy or fundamental rights of data subjects, private- and public-sector data controllers are required to carry out a data protection impact assessment (DPIA). If the DPIA shows that the planned processing still results in a high risk to the privacy or fundamental rights of data subjects despite appropriate measures being put in place, the data controller must seek a prior opinion from the FDPIC. The FDPIC will examine the DPIA and inform the data controller of any objections within two months. The FDPIC’s opinion is not an authorisation to carry out the planned data processing. His opinion is not appealable but is subject to a fee.
The revised Act gives the FDPIC new duties. Professional, industry and trade associations can draw up their own codes of conduct and submit them to the FDPIC for an opinion. The FDPIC publishes his opinions along with a list of standard data protection clauses that he has approved, issued or recognised. In future, the FDPIC will be able to charge fees for the opinions that he issues on codes of conduct and for the approval of standard data protection clauses and binding corporate data protection rules.
Under the revised Act, data controllers have a duty to report to the FDPIC any data breaches that may result in a high risk to the privacy or fundamental rights of data subjects. The FDPIC provides a reporting portal on his website for that purpose.
As a supervisory body, the FDPIC is responsible for ensuring that federal bodies and individuals comply with the federal provisions on data protection, in particular the Federal Act on Data Protection (FADP). If there are sufficient elements to suggest that data processing may violate data protection regulations, the FDPIC will open an investigation, unless the violation is minor. In his investigation, the FDPIC determines the way in which a federal body or a private company or individual processes data relating to a natural person. On the basis of his findings, he will then assess whether or not there has been a breach of federal data protection regulations.
When the revised Data Protection Act comes into force, Switzerland will ratify the Council of Europe’s Convention 108+. This is a legally binding multilateral instrument on the protection of privacy and personal data that was opened for signature in 1981 and has recently been modernised to address the challenges of the digital age. In order to meet the requirements of Convention 108+, legislators have extended the investigative powers of the FDPIC. In the past, the FDPIC could only investigate the data processing activities of individuals in cases where the methods of processing were capable of breaching the privacy of a large number of individuals. This limitation (‘system error’) will no longer exist in the future.
The Commissioner will thus intensify the FDPIC's supervisory activities once the new law enters into force and gradually increase the number of formal investigations. The authority has been provided with additional staff resources for the enforcement of the new law and successfully completed the corresponding recruitment in spring 2023.
Elements indicating a possible breach of data protection regulations may arise during ongoing supervisory activities or may be reported to the FDPIC by data subjects themselves or by third parties such as media companies or consumer protection organisations. If the FDPIC finds indications of a breach of data protection regulations, he begins by conducting an informal investigation to verify whether or not the matter is within his remit, whether there is sufficient evidence of a breach, and whether the breach is more than just a minor one. The FDPIC may informally ask the data controller to voluntarily answer questions if, for example, it is unclear whether the matter falls within his remit or if he believes that an investigation could be avoided by contacting the data controller. An investigation can be avoided, for example, if the data controller is able to immediately refute the existence of a breach or if they voluntarily take measures within a reasonable time frame to ensure compliance with the data protection regulations.
Under existing law, a case investigation is carried out to establish the facts and to determine whether or not a breach of data protection regulations has occurred. After the investigation, if necessary, the FDPIC issues a legally non-binding recommendation that specific data processing activities be modified or suspended. Under the new law, investigations are governed by the Federal Act on Administrative Procedure (APA). If the FDPIC identifies a breach of data protection regulations during an investigation, he will have the authority to issue a legally binding order under Article 5 APA, which the data controller needs to challenge before the Federal Administrative Court if they do not wish to comply with it. The FDPIC may order that data processing activities be modified, suspended or discontinued, or that personal data be deleted.
The revised Act contains two provisions specifically regarding the FDPIC’s cooperation with Swiss and foreign authorities. Swiss authorities are obliged to provide administrative assistance to the FDPIC, while the FDPIC has a duty to provide administrative assistance only to the Swiss data protection authorities, the law enforcement authorities in connection with his reports, and the federal authorities and police bodies involved in enforcing the measures ordered.
The FDPIC’s administrative assistance to foreign authorities extends to data protection authorities. He may provide information and personal data required by the authorities for the performance of their respective statutory duties. A number of conditions need to be met, including reciprocal administrative assistance, confidentiality, and use of the information strictly for the proceedings in question.
As before, unlike his EU counterparts, the FDPIC has no power to impose sanctions under the new law. However, the supplementary criminal provisions in the FADP have been extended. The wilful disregard of notification, disclosure and reporting obligations and the intentional violation of due diligence obligations are punishable. This applies in particular to the disclosure of personal data abroad, order processing and the provision of data security. Fines of up to CHF 250,000 may be imposed on the natural person responsible for the offence. Legal persons can be fined up to CHF 50,000, but only as a subsidiary measure.
During the parliamentary consultations on the new FADP, the Federal Council announced that it would consider introducing administrative penalties for offending companies as part of a new federal act.
Last modification 10.05.2023