The scope of the revamped FADP is large. Notably, the law’s influence goes beyond Swiss borders, applying to «circumstances that have an effect in Switzerland, even if they were initiated abroad». This expanded jurisdiction ensures that individuals’ data rights remain intact, irrespective of where data processing originates. Moreover, the updated act introduces measures compelling foreign entities handling Swiss individuals’ personal data to comply with the law’s mandates, solidifying the commitment to safeguard data privacy across international boundaries.

Examples of the enlarged scope application:

🛍️ International E-commerce Platforms: Foreign online marketplaces catering to Swiss consumers.

📱 Social Media Networks: Overseas social media giants processing Swiss users’ data for tailored content and targeted ads.

☁️ Cloud Service Providers: Foreign cloud services storing or processing personal data of Swiss residents, even outside Swiss territory.

🏥 Healthcare Innovators: Foreign medical tech entities handling sensitive health data of Swiss patients, like telemedicine services.

💼 Financial Institutions: International financial players managing personal data of Swiss clients, be it for transactions, investments, or compliance.

🌐 IoT Innovations: Makers of IoT devices, no matter their location, collecting and processing personal data of Swiss individuals (like health trackers or smart home devices).

📢 Online Ad Networks: Foreign ad networks tracking Swiss internet users’ online behavior for customized ads or profiling.

📊 Data Analytics Pioneers: Overseas data analytics firms analyzing personal data for insights and decision-making.

Switzerland’s stance on this aspect is less straightforward than under the GDPR, which stipulates that foreign organizations do not have to appoint a Representative in the EU if they have an “establishment” there. An establishment in that context “implies the effective and real exercise of activities through stable arrangements.” This can be a branch or a subsidiary, but the legal form (i.e. whether it’s with or without a legal personality) is not the determining factor, so it can also be, for example, a sales office. Under the FADP, there is no specific reference to the term “establishment” and no guidance on the type of “domicile” or organizational structure necessary in Switzerland to exempt foreign companies from the obligation to appoint a Representative.

According to the Swiss authorities’ FAQs (in French), the term “on a large scale” refers to cases where data is not processed in isolation or when the processing of data forms a substantial part of the activities of the individual or entity in question.
For example, this can be the processing of patient data by a medical practice or hospital. On the other hand, the isolated processing of the data by a company of an employee who is absent due to illness does not constitute large-scale processing. Large-scale processing occurs in particular when the processing of data constitutes an essential part of the company’s activities.

According to the Swiss authorities’ FAQs (in French), processing is not considered regular when data is only processed for a limited duration or on an occasional basis. As per the FAQ, this condition should be met, for example, in online commerce. When personal data is the “raw material” for an activity (e.g. for social networks), this is also regular processing.

According to the Swiss authorities’ FAQs (in French), this needs to be examined on a case-by-case basis. The high risk may notably arise from the quantity and type of data processed (especially if it involves sensitive data), the purpose of the processing, and the manner in which the data is processed (e.g., use of new technologies), any potential transfer of data abroad, and the rights of access to the data (e.g., if a significant or even unlimited number of individuals can access the data).

The concept of sensitive data is defined exhaustively in Article 5(c) of the FADP. This includes data relating to religious, philosophical, political or trade union opinions or activities, as well as data relating to health, private life or racial origin, criminal or administrative proceedings or sanctions and social welfare measures.

The Representative serves as a bridge between data subjects, data controllers, and the Federal Data Protection and Information Commissioner (FDPIC).

The responsibilities of the Swiss Data Protection Representative are as follows:

• Acting as a conduit for communication with data subjects and the FDPIC.
• Maintaining a copy of the foreign company’s record of processing activities (ROPA).
• Making the ROPA available to the FDPIC upon request.

While both share a common goal of fostering data protection, they diverge in certain aspects. For instance, under the FADP, the requirement to appoint a representative applies to a narrower set of circumstances, particularly focusing on processing activities posing high privacy risks. This specificity in scope underlines Switzerland’s unique approach to balancing data protection with practical considerations.

In addition, although the representative acts as point of contact for data subjects, the data controller remains responsible for fulfilling the duty to provide information during the collection of personal data. Data subjects can only exercise their right of access with the data controller, and not with its representative.

Enforcement mechanisms under the FADP take a unique approach. The Federal Data Protection and Information Commissioner (FDPIC) has the power to issue orders for foreign organizations to appoint a Representative. Additionally, the FDPIC can collaborate with foreign data protection authorities to share information or personal data to ensure their legal obligations are fulfilled, under specific conditions.

Non-compliance with the FADP can result in fines, with a maximum penalty of 250,000 CHF (approximately 260,000 EUR or 278.000 USD). Notably, these fines are categorized as criminal fines, rather than administrative fines, and they generally target individuals rather than organizations. When obligations pertain exclusively to companies, criminal liability rests with the directors. This implies that company leaders, governing body members, managing partners, and directors bear the responsibility. Employees are excluded. Irrespective of the circumstances, the individual in question must hold autonomous decision-making authority within a specific domain of the company. If the responsible individual within an organization can’t be identified during an investigation, companies may face fines of up to 50,000 CHF (approximately 52,400 EUR or 56.000 USD).