The data protection landscape in Switzerland will change from September 1, 2023 due to the new Swiss Federal Act on Data Protection (FADP or nFADP; in German DSG or nDSG). This article highlights the most important changes of the FADP and gives some advice on what you as a Swiss website operator need to adapt in the cookie banner and what European providers also need to consider now.
Changes in the new Swiss Act on Data Protection 2023
The main motivation behind the updates to the FADP (only in German) in Switzerland is to better protect personal data and self-determination in light of the latest technological developments, as well as to increase transparency when obtaining personal data. The FADP has received many aligning changes to the European General Data Protection Regulation (GDPR). We consider these to be the most important changes:
- The FADP now protects only natural persons and no longer legal persons. (Art.1, 2 FADP)
- Technological solutions must take data protection aspects into account from the outset. Data protection should therefore be ensured through technology and data protection-friendly default settings. (Art. 7 FADP)
- Companies must take concrete technical and organizational measures to ensure the protection of personal data. (Art. 8 FADP)
- A transparent directory of all processing activities becomes mandatory. (Art. 12 FADP)
- In certain cases, risk assessments must be carried out within the framework of so-called data protection impact assessments and, if necessary, the competent authority must be consulted. (Art. 22, 23 FADP)
- The adapted data subject rights ensure improved protection for the personal data of data subjects. (Art. 25 to 29 FADP)
To be in compliance with the new FADP, you must continue to provide clear and transparent information about the use and purpose of cookies and the processing of personal data. Under the new FADP, you can in principle process personal data of your website visitors without consent if you process it lawfully, fairly, proportionately and only for a specific and identifiable purpose for the data subject, in accordance with Art. 6 FADP. This applies, for example, to the use of a calendar tool or a chatbot on your website, which do not transmit personal data to an insecure third country.
However, if sensitive personal data, i.e. personal data requiring special protection according to Art. 5 lit. c FADP, is processed or data without adequate protection is transferred to an insecure third country, the explicit consent of the website visitor is required. That it is not so easy to distinguish between requiring consent and simply having an interest in processing data is shown in this contribution from the FDPIC on tracking on websites. The third countries designated as secure by Switzerland can be found in the annex to the new Swiss Data Protection Ordinance (only in German), which was published alongside the FADP.
Thus, for some Swiss websites, a simple information about data processing would suffice. Practically, however, this is not advisable, as we explain in the following section.
Why Swiss website operators should also comply with the GDPR and the ePrivacy Directive
The requirements of the FADP differ from the handling of personal data as described in the GDPR. For the processing of personal data according to the GDPR you need a so-called legal basis (Art. 6 GDPR), i.e. consent or a contract, and a legal basis must be given before you process such data or may set cookies. Although the FADP was developed specifically for Switzerland, Swiss operators should still comply with the requirements of the GDPR and the ePrivacy Directive. The reason: the market location principle. If your website with goods or services is also aimed at EU citizens, then it is also subject to the GDPR. Incidentally, the same also applies to EU companies that offer goods or services in Switzerland, which must then also comply with the GDPR.
However, for Swiss website owners who want to use Real Cookie Banner or are already using it, it is still easy to create a FADP-compliant cookie banner. Real Cookie Banner provides you with a simple user interface, a checklist for setup and service templates to ensure that the requirements of the GDPR and the FADP are met. You can adapt the suitable legal basis in your WordPress backend under Cookies > Settings > General > Legal basis to be applied. By selecting GDPR / ePrivacy Directive and DSG (Switzerland), the necessary texts are automatically adapted to both legal bases for you.
For websites that are actually exclusively aimed at Swiss people, for example by content only in Swiss German or by deliveries only within Switzerland, compliance with the FADP is sufficient. If you are unsure, we,, recommend that you comply with FADP and GDPR equally. However, if you are convinced that you only have to comply with the FADP, then you can adapt the following as a website operator:
- You can customize many of our service templates, where we recommend you to ask for consent, in your WordPress backend under Cookies > Services (Cookies) > [name of your service] > Edit > Legal basis to the legitimate interest and thus use them without a consent of your website visitors. However, your website visitor can still object to the use of a service.
- You should also adapt the suitable legal basis (in this case the Swiss FADP) in your WordPress backend under Cookies > Settings > General > Legal basis to be applied. This is especially important when you transfer personal data to an unsafe third country. The EDÖB describes which countries are considered safe on its website.
What EU companies need to look out for when targeting people from Switzerland
As we have described before, the new FADP means that the market location principle also applies in Switzerland. This means that you as a website operator from the European Union must also comply with the FADP if you also or especially address Swiss.
However, your advantage is that the GDPR is stricter than the Swiss FADP in many respects, especially regarding the need for consent from your website visitors. So, if you continue to comply with the GDPR, you will also comply with the FADP, at least as far as the cookie banner is concerned. However, you should also take a look at the section “Configuration of Real Cookie Banner GDPR and FADP” in this article and implement our recommendation. Also you should check legally if you need a permanent representation in Switzerland according to Art. 14 FADP.