Switzerland is adapting to the rapid digitisation of society. The new Federal Act on Data Protection strengthens the governance of personal data and ensures the compatibility of Swiss law with EU law. The entire life cycle of personal data is affected: collection, storage (including the retention period), use, transfer and deletion of data.

  • What impact does the nFADP have on Infomaniak, its partners and website owners?
  • How to comply with the nFADP?

We’ll take a look at this development with Tiago Pedro, Infomaniak’s Data Protection Officer (DPO). The information in this article is for information purposes only and is not a substitute for professional advice in your application case.

Protecting data is our prime responsibility

Data protection is at the heart of our business and our solutions. It guides our choices from the earliest stages of design and throughout the life cycle of our products.

As an Infomaniak customer, your data is processed and hosted:

  • by an independent Swiss company, in accordance with European law, whose business model is not the analysis and sale of data;
  • by technologies and software developed by Infomaniak or based on open source technologies;
  • in data centers managed exclusively by Infomaniak in Switzerland.

Our data confidentiality policy is clear and transparent:

  • We treat your personal information as if it were our own.
  • We only use personal data to provide the services you have ordered and to run our own activities (billing, customer support, etc.).
  • Each data processing procedure is recorded and documented.

As a cloud provider, we have a dual responsibility:

  1. when we process personal data related to our own business, we are the “data controller”;
  2. when we host the data that you entrust to us, we are “processors”.

We therefore implement the technical and organisational means to:

  • ensure a high level of protection of your personal data;
  • enable you to comply with your legal obligations related to the use of our services.

Understanding the new Swiss Federal Act on Data Protection

Who is affected? What data are we talking about? What’s changing? What do you need to know?

The nFADP applies to all Swiss or foreign organisations, wherever they are located, that process the data of individuals located in Switzerland. This covers employees, customers, prospects, administered persons, subcontractors, third parties, etc. Fines may be imposed on the natural persons actually responsible for a breach of the nFADP.

It concerns all personal data:

Personal data

  • Name, first name
  • Email address
  • Phone number
  • Postal address

Sensitive personal data

  • Biometric fingerprints
  • Medical Information
  • Criminal record
  • Ethnicity
  • Political opinion

4 concepts to understand the new FADP

  1. Impact assessment: where a processing activity is likely to entail a high risk to the personality or fundamental rights of the data subjects, a data protection impact assessment must be carried out before the processing starts, weighing risks such as data leaks, malicious attacks and identity theft.
  2. Proportionality: only the data needed for the stated purpose may be collected, and data that is no longer needed must be destroyed. Appropriate technical and organisational security measures must be implemented in proportion to the risks identified. Companies with 250 or more employees must keep a register of their personal data processing activities.
  3. Transparency: data subjects must be given comprehensive information about the processing of their personal data and any transfers of it. Data security breaches that are likely to entail a high risk to the personality or fundamental rights of the data subjects must be reported to the Federal Data Protection and Information Commissioner (FDPIC) as soon as possible.
  4. Effectiveness: in the event of non-compliance with the nFADP, the FDPIC can act quickly by issuing binding decisions on its own authority. The criminal provisions are much stricter: the maximum fine rises from CHF 10,000 under the old act to CHF 250,000.

How to comply with the nFADP?

Depending on the location of the people whose data you process, you need to know whether your organisation is required to comply with the nFADP, the General Data Protection Regulation (GDPR) in Europe or both.

If your organisation is already GDPR compliant, it can reasonably be assumed that not much needs to be done. If your organisation only processes personal data of individuals located in Switzerland, a thorough check is required to ensure compliance with the nFADP.

Frequently asked questions concerning the nFADP

  1. Is it mandatory to designate a personal data controller? This is the wrong question. The “controller” (you) is not someone you appoint: it is the private person or federal body that decides on the purpose and means of processing personal data; the “processor” is the party (such as a hosting provider) that processes data on the controller’s behalf. Neither is to be confused with a “Data Protection Advisor” (the DPO equivalent), whose appointment is optional for private companies.
  2. Do I need a cookie / consent banner on a Swiss website? If your website is only intended for Swiss visitors, you do not need to obtain your users’ consent to use cookies (except for sensitive data, high risk and profiling). In all cases, information must be provided about the data processing and the right to object to the data processing.
  3. Can we use tools like Hotjar or GA4 with nFADP? In principle, these tools are treated in the same way as cookies. They are allowed in the same context as cookies as long as the user does not refuse this, for example via the data protection settings of their web browser.

Getting started with your compliance with the nFADP

Where to start? Here is a good basis for starting the process of compliance with the new Federal Act on Data Protection:

1. A transparent data protection policy

The first step is to map the processing of personal data to identify specific risks. Your organisation needs to develop a good understanding of itself when it comes to personal data.

There is no standard format, but your data protection policy must contain all the relevant details, e.g.: what data is processed and how, for what purpose, how long it is retained, how it is secured, with whom it is shared, in which country, and how it is used by third parties (e.g. vendors). Several scenarios require the creation of a register of processing activities containing the information listed in Art. 12 nFADP. This is the case for companies with 250 or more employees, for those that process sensitive data on a large scale, and for those whose processing constitutes high-risk profiling.

2. Less data, less risk, less damage

Your organisation must act responsibly. It is necessary to consider whether some data may be superfluous and to delete it. Once processing activities have been identified and described, their security can be assessed. Your organisation is expected to adopt the appropriate technical and organisational measures: privacy by design, by default. It’s a process of continuous improvement.

3. Establish rules and a clear framework

Your organisation must establish rules and communicate them to all levels of the organisation. Under the nFADP, liability for a breach can fall on individual employees below management level, not only on the company. Data protection should therefore be part of internal communication, onboarding, recruitment, etc. This can take the form of role plays, quizzes, informative videos, etc. Data protection should be incorporated into all relevant processes and become a reflex at all levels of your organisation.

***

Data protection is a topic that needs to be taken seriously, and we hope that this article has helped you understand the challenges of the nFADP and has answered your questions.

Infomaniak is a cloud service provider committed to data protection, and it is important to take time in your organisation to ensure that you are in compliance with the nFADP and GDPR and, if in doubt, to seek professional assistance.
