• Blog
  • Swiss Data Protection Act Ushers in New Online Privacy Era

Swiss Data Protection Act Ushers in New Online Privacy Era

TWIPLA Editorial Team August 10, 2023

5 Minute Read

The Swiss Data Protection Act - a revision of its Federal Data Protection Act - will come into force on September 1st, 2023.

This, in essence, is the most substantial reform to national data protection legislation in over three decades. It closely aligns Switzerland with strict EU data privacy requirements, and also further tightens the global network of laws that protect internet users.

Read more about this development on the Swiss government’s website.

revFADP and GDPR: Bridging the Gap

The Swiss revFADP is a revision of the Federal Data Protection Act, which dates back to 1992.

This update brings the Swiss law closer in scope to the General Data Protection Regulation (GDPR). It integrates many of the core principles of this EU personal data protection law, while equally adding a distinctly “Swiss finish” to certain areas.

Key Legal Implications

  • The Swiss Data Protection Act introduces a “risk-based” approach that obliges businesses to assess the risks associated with their data practices and then implement preventative measures.
  • The definition of “sensitive data” has been extended to also include genetic and biometric data, which cannot be processed without explicit user consent.
  • The reform introduces privacy-by-design and also privacy-by-default to Swiss national law, as well as data protection through technology design.
  • Records of processing activities must now be maintained by data controllers and processors, though businesses engaged in low-risk processing activities and with fewer than 250 employees are exempt.
  • Any data breach (regardless of risk level) must now be reported to the supervisory authority - a stricter requirement than GDPR, which limits this obligation to high-risk breaches.
  • Businesses must now obtain explicit consent for profiling, either in high-risk scenarios, or when executed by a federal body.
  • Businesses deliberately violating revFADP face fines of up to CHF 250,000 (approximately €260,000).

Cross-Border Transfers under revFADP

Crucially, the Swiss Data Protection Act applies to the processing of personal data that has actual or potential effects in Switzerland.

This means that it impacts any business that processes the personal data of Swiss residents. It also affects companies outside of Switzerland who process this data, and they now need to designate a representative in-country to avoid legal consequences in the long run.

Web Analytics Under the Swiss Law

Analytics software can collect large amounts of personal data from website visitors. For businesses that use these third-party platforms, this means that they fall under the scope of the Swiss Data Protection Act if their website is visited by a resident of Switzerland.

Analytics Best Practices

  • User Consent: Businesses must obtain explicit consent before analyzing on-site behavior, especially when processing genetic, biometric or any other sensitive personal data.
  • Privacy-centric Design: Businesses must use analytics integrations that exhibit privacy by both design and default, and must also limit data collection to what is crucial to the specific purpose consented to by the data subject.
  • Data Access: Businesses must have systems in place that enable them to respond quicky to user inquiries about their data practices.
  • Breach Response: In the event of any data breach, businesses must have robust incident response mechanisms in place, and also notify their supervisory authority as soon as possible.
  • User Profiling: Businesses leveraging analytics software as a tool for evaluating user behavior or preferences must now obtain consent from users, particularly in high-risk situations.

Finally, businesses must also exercise caution with regard to transferring the personal data of Swiss nationals outside of Switzerland. Under the Swiss Data Protection Act, this data can only be transferred to a recipient country that the Swiss Federal Council recognizes as having an adequate data protection level for Switzerland.

TWIPLA: revFADP-Compliant

Businesses looking to use analytics legitimately under the Swiss Data Protection Act should consider TWIPLA. We offer a comprehensive intelligence solution, providing complete statistics, visitor behavior analytics, and visitor communication tools.

The platform has privacy-by-design, and data is stored in Germany - a country with adequate data protection under Swiss law. Advanced cookieless tracking enables TWIPLA to provide insight accuracy without collecting personal data.

It is built around a dynamic privacy center that can be calibrated to the national privacy laws of individual website visitors. In default Maximum Privacy Mode, it completely anonymizes user data.

This ensures that TWIPLA doesn't violate the Swiss Data Protection Act or any other global law. Sign up today and start leveraging all your website traffic data while keeping visitors safe.

Get Started for Free

Gain World-Class Insights & Offer Innovative Privacy & Security