Skip to main content
News

SWISS FADP: What life science companies should know

SWISS FADP: What life science companies should know

Newsletter

SWISS FADP:
What life science companies should know

13 February 2023

The revised Swiss Federal Act on Data Protection (“FADP”), was approved in 2020 by the Swiss Parliament and its related Ordinance; it will enter into force on the 1st of September 2023. As no grace period is foreseen, this is the time for companies to seriously think about being compliant.
The first goal of this revision was to bring the FADP in line with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) to maintain the adequacy decision in favor of Switzerland. However, while the FADP is very similar to the GDPR, it is still far from being identical in number of aspects…

1

SCOPE

The revised FADP applies to any actual or potential “effect” in Switzerland meaning that it includes processing activities that are conducted also outside of Switzerland. However, while it covers a far-reaching scope, we assume the practice (e.g, case-laws,...) will probably restrict it in certain situations.
2

SENSITIVE DATA

While sensitive data now include genetic and biometric data, they also include data related to the “intimate sphere”, social security measures and administrative and criminal proceedings and sanctions.
3

DPO

The appointment of a Data Protection Officer - also known as “Data Protection Advisor” - is not mandatory. However, it is recommended to appoint one as it provides further resources, knowledge and sometimes, credibility to your privacy team. Further, it enables more flexibility for companies by avoiding the prior consultation to the Federal Data Protection and Information Commissioner (“FDPIC”).
4

LAWFULNESS PRINCIPLE

The FADP has favored an “opt-out approach”. A processing of personal data does not need to be justified by a legal ground unless there is a violation of the personality of the data subjects. Such violation would occur where there is:
- A violation of the FADP principles; and/or
- A disclosure of sensitive data to a third party; and/or
- An express objection from the data subject.
5

DATA TRANSFERS

The Switzerland has adopted a similar approach as the EU. A transfer to a third country can be framed if:
1. Adequacy. The country is deemed as adequate by the Swiss Federal Council. A major differene is that the list is quite restrictive as it does not include some countries considered adequate in the EU such as the Japan and South Korea.
2. Safeguards. In absence of an adequacy decision, appropriate safeguards must be implemented (e.g., Standard Contractual Clauses (“SCCs”), Binding Corporate Rules, …)
3. Derogations. As last resort, derogations may be considered in specific circumstances (e.g., consent…).

It is worth noting additional Swiss specificities may be required – in particular - when implementing SCCs.

6

ENFORCEMENT

The Swiss data protection authority – commonly called, Federal Data Protection and Information Commissioner (“FDPIC”) – has administrative powers against violation of the FADP. However, it still has no power to issue monetary fines.
Besides, FADP specifically provides for criminal sanctions in case of:
- Violation of certain rights. Those rights are related to the right of access and information.
- Violation of duties of care. Those violations relate to data transfers, sub processor’s provisions and data security.
- Violation of duties of discretion. The latter relates to professional secrecy.
- Disregard of orders. This one is restricted to orders issued by FDPIC and courts of appeal.
The following are punishable by a fine of up to CHF 250 000 (EUR 249 000 – USD 270 000) only if it is about intentional action. They are imposed on the liable individual instead of the company with a few exceptions.

WHERE SHOULD WE GET STARTED?
So far, we recommend to take risk-based approach by focusing on duties which are sanctionable under the FADP and somewhat easy to audit (e.g., website notices).

This year’s plan should focus on the following actions:

2023 FADP Action Plan

Do you have further questions about your compliance with the FADP? Our Swiss Team will be happy to answer to any questions as well as providing you further support on this.

Aline Jouniaux

Aline Jouniaux

Data Protection Lawyer

Victoria Derumier

Data Protection Manager & Coordinator Associate

Contact Our Experts

Contact us