Switzerland’s Federal Act on Data Protection (nFADP & FADP) Compliance
Please note that the information provided below is not intended as legal advice and we cannot be held legally responsible for it. We have sought legal counsel and the content on this page reflects our interpretation of the law. If you have any concerns about compliance with FADP, we recommend sharing this page with your legal team.
Switzerland’s Federal Act on Data Protection (FADP) is a Swiss data protection law that aims to protect the personal data of Swiss citizens. It has many similarities with the EU's General Data Protection Regulation (GDPR). However, in order to improve the protection of personal data in Switzerland, the Federal Council passed the new Federal Act on Data Protection (nFADP) in September 2020. The nFADP introduces new provisions on consent, processing records, data breaches, and data protection impact assessments, among others. The nFADP is enforced by the Swiss Federal Data Protection and Information Commissioner (FDPIC), which is responsible for ensuring compliance with the Act.
Companies that are already compliant with the GDPR will have an advantage in preparing for the nFADP, as the two laws are quite similar. However, it is still important for companies to familiarise themselves with the specific requirements of the nFADP in order to ensure compliance. The Federal Administration is currently in the process of drafting the implementing ordinances for the nFADP, which will provide further guidance on how the law should be applied in practice.
How Does nFADP Handle Privacy?
The nFADP defines personal data as any information relating to an identified or identifiable natural person, including personal characteristics such as name, address, and date of birth, as well as characteristics that can be linked to an individual, such as IP addresses and cookie data. This means that any data collected through the use of cookies or other tracking technologies that can be linked to a specific individual would be considered personal data under nFADP.
To ensure compliance with nFADP, companies must follow the principles of privacy by design and privacy by default. This means taking appropriate measures to reduce the risk of privacy breaches during data processing as early as the planning stage, and ensuring that any required personal data is processed solely for the relevant purpose through the use of default settings.
Unfortunately, neither the current FADP nor the nFADP provides detailed specifications for the content of a data processing agreement (DPA). This lack of precise guidance may lead to uncertainties in interpreting and applying the law. It is important for companies to seek legal advice and ensure they are in compliance with all relevant provisions of the nFADP.
Data Transfers According to nFADP
Under the Swiss Federal Act on Data Protection (nFADP), personal data can only be transferred to countries outside the European Economic Area (EEA) if the recipient country ensures an adequate level of data protection. This means that personal data can only be transferred to countries that have data protection laws that are considered equivalent to those in the EEA. In practice, this means that personal data can only be transferred to countries that have been approved by the European Commission as providing an adequate level of data protection, or to countries that have signed the EU-US Privacy Shield Framework.
As a company hosting our services in the EU, Proxima Analytics is able to transfer personal data to countries within the EEA without the need for additional safeguards. This means that we can continue to process and analyse personal data collected through the use of cookies or other tracking technologies without the need to seek additional consent or implement additional safeguards. However, we are always mindful of the need to protect personal data and take appropriate measures to ensure that personal data is processed in a secure and confidential manner.
Does Proxima Comply with nFADP?
Proxima Analytics is fully compliant with the Swiss Federal Act on Data Protection (nFADP). We take the privacy of our users very seriously and have implemented various measures to ensure that we are in compliance with the law.
Firstly, we do not collect any personal data from our users. We only collect data that is necessary for the functioning of our analytics software, such as IP addresses and user agents. We do not store any additional personal data or identifiers, and we anonymise all data collected through the use of hashing techniques.
Secondly, we are hosting our services in the EU, which means that all data collected and processed by Proxima Analytics remains within the EU. This ensures that we are in compliance with the data transfer provisions of nFADP and that our users' data is protected at all times. We also have strict data security measures in place to protect against any potential data breaches or unauthorised access to our users' data.