Security

FADP or GDPR, which law applies to your company?

David Dutch

Determining compliance with the Swiss Federal Act on Data Protection (FADP) or the European Union's General Data Protection Regulation (GDPR) depends on several factors related to your company's business. Here are some guidelines to help you determine which regulations your company must comply with:

If your company is based in Switzerland:

  • FADP: All Swiss-based companies must comply with the FADP when processing personal data. The FADP is the main data protection legislation in Switzerland. It aims to protect the privacy of individuals by regulating the way in which personal data is processed by private entities and federal authorities.

If your company operates within the EU or offers services to EU residents:

  • GDPR: The GDPR applies to all companies that process personal data of EU residents, regardless of where the company is based. This includes Swiss companies that offer goods or services to people in the EU or monitor their behavior (e.g. online tracking of their activities within the EU).

Key points for determining compliance:

1. Location of your company: If your company is based in Switzerland and does not process data from EU residents, you will mainly need to comply with the FADP.
2. Target audience: If your company targets or provides services to EU residents, you must comply with the GDPR, in addition to the FADP.
3. Personal data processing: Assess the nature of the data processing carried out by your company. If the processing includes data from EU residents, the GDPR applies.
4. Presence in the EU: Having a physical presence or legal representatives in the EU to process personal data also implies compliance with the GDPR.

Compliance with the FADP and compliance with the GDPR are not contradictory. In many cases, Swiss companies interacting with EU residents need to ensure that they comply with both the FADP and the GDPR. A clear understanding of your business model and data processing operations is essential to determine specific regulatory obligations.

Differences between FADP and GDPR:

Although their objectives are similar, there are several key differences between the two regulations:

1. Consent:

  • GDPR: requires explicit and clear consent from individuals for the processing of their personal data for one or more specific purposes.
  • FADP: consent is only required when it serves to justify data processing that infringes on personality, for example if sensitive data is communicated to third parties, or if the data is reused in campaigns. Consent should not be confused with the duty to inform, which applies prior to consent. The duty to inform applies even when personal data is not collected directly from the data subject, but via third parties (art. 19, para. 1, FADP).

2. Individual rights:

  • GDPR: offers extensive rights to individuals, including the right to be forgotten, the right to data portability, and the right of access and rectification.
  • FADP: provides similar rights, but there may be nuances in how these rights can be exercised. For example, the data controller may now refuse, restrict or defer the communication of information when the request for access is manifestly unfounded or procedural (art. 26, para. 1, let. c, FADP).

3. Data breaches:

  • GDPR: companies must notify data breaches to the supervisory authorities within 72 hours of their discovery, and, in some cases, to the individuals affected.
  • FADP: notification of data breaches is also required, as soon as possible, without any particular specification.

4. Sanctions:

  • GDPR: penalties for non-compliance can reach up to 4% of the company's worldwide annual sales or €20 million, whichever is higher.
  • FADP: sanctions under the FADP are generally less severe than under the GDPR, although they can include fines and penalties for data controllers.

5. Data Protection Officer (DPO):

  • GDPR: organizations may need to appoint a DPO to oversee compliance with the GDPR.
  • FADP: appointing a DPO is not mandatory, but is strongly recommended for large companies.

6. International data transfer:

  • GDPR: the transfer of data outside the EU is strictly regulated and may only take place to countries recognized as offering an adequate level of protection, or through specific data protection mechanisms.
  • FADP: requirements for international data transfers may be less stringent, but transfers must always guarantee an adequate level of protection. It is important to consult the list of states and international organizations offering an adequate level of protection, defined by the Federal Council.

In reality, for many small and medium-sized businesses, appointing an in-house Data Protection Officer is not always a wise decision. Indeed, depending on the density of processing, the actions to be undertaken are limited and do not justify a dedicated position over the long term.

Companies can, however, benefit from the support of consultants specialized in compliance with legal requirements. Calling on external experts to take on the role of DPO offers access to precise expertise when specific needs arise.
