
Swiss Data Protection Act Ushers in New Online Privacy Era

TWIPLA Editorial Team August 10, 2023


The Swiss Data Protection Act - a revision of the country's Federal Data Protection Act - will come into force on September 1st, 2023.

This, in essence, is the most substantial reform to national data protection legislation in over three decades. It closely aligns Switzerland with strict EU data privacy requirements, and also further tightens the global network of laws that protect internet users.

Read more about this development on the Swiss government’s website.

revFADP and GDPR: Bridging the Gap

The Swiss revFADP is a revision of the Federal Data Protection Act, which dates back to 1992.

This update brings the Swiss law closer in scope to the General Data Protection Regulation (GDPR). It integrates many of the core principles of this EU personal data protection law, while equally adding a distinctly “Swiss finish” to certain areas.

Key Legal Implications

  • The Swiss Data Protection Act introduces a “risk-based” approach that obliges businesses to assess the risks associated with their data practices and then implement preventative measures.
  • The definition of “sensitive data” has been extended to also include genetic and biometric data, which cannot be processed without explicit user consent.
  • The reform introduces privacy-by-design and also privacy-by-default to Swiss national law, as well as data protection through technology design.
  • Records of processing activities must now be maintained by data controllers and processors, though businesses engaged in low-risk processing activities and with fewer than 250 employees are exempt.
  • Any data breach (regardless of risk level) must now be reported to the supervisory authority - a stricter requirement than GDPR, which limits this obligation to high-risk breaches.
  • Businesses must now obtain explicit consent for profiling, either in high-risk scenarios, or when executed by a federal body.
  • Businesses deliberately violating revFADP face fines of up to CHF 250,000 (approximately €260,000).

Cross-Border Transfers under revFADP

Crucially, the Swiss Data Protection Act applies to the processing of personal data that has actual or potential effects in Switzerland.

This means that it impacts any business that processes the personal data of Swiss residents. It also affects companies outside of Switzerland who process this data, and they now need to designate a representative in-country to avoid legal consequences in the long run.

Web Analytics Under the Swiss Law

Analytics software can collect large amounts of personal data from website visitors. For businesses that use these third-party platforms, this means that they fall under the scope of the Swiss Data Protection Act if their website is visited by a resident of Switzerland.

Analytics Best Practices

  • User Consent: Businesses must obtain explicit consent before analyzing on-site behavior, especially when processing genetic, biometric or any other sensitive personal data.
  • Privacy-centric Design: Businesses must use analytics integrations that exhibit privacy by both design and default, and must also limit data collection to what is crucial to the specific purpose consented to by the data subject.
  • Data Access: Businesses must have systems in place that enable them to respond quickly to user inquiries about their data practices.
  • Breach Response: In the event of any data breach, businesses must have robust incident response mechanisms in place, and also notify their supervisory authority as soon as possible.
  • User Profiling: Businesses leveraging analytics software as a tool for evaluating user behavior or preferences must now obtain consent from users, particularly in high-risk situations.

Finally, businesses must also exercise caution with regard to transferring the personal data of Swiss nationals outside of Switzerland. Under the Swiss Data Protection Act, this data can only be transferred to a recipient country that the Swiss Federal Council recognizes as having an adequate data protection level for Switzerland.

TWIPLA: revFADP-Compliant

Businesses looking to use analytics legitimately under the Swiss Data Protection Act should consider TWIPLA. We offer a comprehensive intelligence solution, providing complete statistics, visitor behavior analytics, and visitor communication tools.

The platform has privacy-by-design, and data is stored in Germany - a country with adequate data protection under Swiss law. Advanced cookieless tracking enables TWIPLA to provide insight accuracy without collecting personal data.

It is built around a dynamic privacy center that can be calibrated to the national privacy laws of individual website visitors. In default Maximum Privacy Mode, it completely anonymizes user data.

This ensures that TWIPLA doesn't violate the Swiss Data Protection Act or any other global law. Sign up today and start leveraging all your website traffic data while keeping visitors safe.
