Navigating Switzerland’s Data Protection Landscape for Foreign Organizations

As we gear up for the revised Federal Act on Data Protection (FADP), effective 1st September 2023, one key aspect that requires attention is the extended territorial scope of the FADP. Particularly noteworthy is the new obligation for certain organizations based outside Switzerland, which mandates them to appoint a Data Protection Representative.

Context Matters

In a world characterized by digital transformation and borderless data flows, robust data protection regulations have never been more crucial. The FADP is an update of the initial Swiss federal law of 19 June 1992 and aims to ensure that Swiss data protection regulations align with our modern digital reality. The FADP also underscores Switzerland’s commitment to maintaining its adequacy status with the European Union (EU), ensuring smooth cross-border data transfers.

The Global Reach of Switzerland’s Data Protection Law

Switzerland’s revamped FADP casts a wide net. Notably, the law’s influence goes beyond Swiss borders and applies to “circumstances that have an effect in Switzerland, even if they were initiated abroad”.

This broader jurisdiction reflects the interconnectedness of today’s data-driven global landscape and the need to ensure individuals’ data rights remain intact, no matter where the data processing originates. Additionally, the updated act introduces measures that require foreign entities handling personal data of individuals in Switzerland to comply with the law’s mandates, solidifying the commitment to safeguard data privacy across international boundaries.

Appointing a Data Protection Representative for Foreign Entities

The obligation to appoint a Data Protection Representative in Switzerland applies to specific foreign entities.

Your organization falls under this purview if it meets the following criteria:

  • You are a private controller.

Processors do not have to appoint a Representative.

  • Your registered office or domicile is based outside Switzerland.

Switzerland’s stance on this aspect is less straightforward than under the GDPR, which stipulates that foreign organizations do not have to appoint a Representative in the EU if they have an “establishment” there. An establishment in that context “implies the effective and real exercise of activities through stable arrangements.” This can be a branch or a subsidiary, but the legal form (i.e. whether it’s with or without a legal personality) is not the determining factor, so it can also be, for example, a sales office. Under the FADP, there is no specific reference to the term “establishment” and no guidance on the type of “domicile” or organizational structure necessary in Switzerland to exempt foreign companies from the obligation to appoint a Representative.

  • Your processing relates to the offering of goods or services to individuals in Switzerland and/or to the monitoring of the behavior of these individuals.

As in the GDPR, examples of monitoring can be tracking or profiling.

  • You are processing personal data on a large scale.

According to the Swiss authorities’ FAQs, the term “on a large scale” pertains to situations where data processing is not isolated or where data processing constitutes a substantial part of the activities conducted by the individual or entity in question.

  • Your processing activities are done on a regular basis.

The FAQs cite online commerce as an example of regular processing, or when personal data is used as the “raw material” of an activity (e.g., for social networks). Processing is not considered regular when data is only processed for a limited duration or on an occasional basis.

  • Your processing poses a high risk for individuals.

The FAQs state that this needs to be determined on a case-by-case basis. The high risk may stem from the quantity and type of data processed (especially if it involves sensitive data), the purpose of the processing, the manner in which the data is processed (e.g. use of new technologies), potential transfers of data abroad, and the accessibility rights related to the data (e.g. if a significant or even unlimited number of individuals can access the data).

The Role of the Data Protection Representative

The Data Protection Representative acts as a vital link, connecting data subjects, data controllers, and the Federal Data Protection and Information Commissioner (FDPIC).

The role of the Swiss Data Protection Representative is to:

  • Act as a conduit for communication with data subjects and the FDPIC.
  • Maintain a copy of the foreign controller’s record of processing activities (ROPA).
  • Make the ROPA available to the FDPIC upon request.

Unique Enforcement Dynamics under the FADP

The FDPIC has the power to issue orders for foreign organizations to appoint a Representative. Additionally, the FDPIC can collaborate with foreign data protection authorities to share information or personal data to ensure their legal obligations are fulfilled, under specific conditions. Non-compliance with the FADP can result in fines, with a maximum penalty of 250,000 CHF (approximately 260,000 EUR). Notably, these fines are categorized as criminal fines, rather than administrative fines, and they generally target individuals rather than organizations. When obligations pertain exclusively to companies, criminal liability rests with the directors. This implies that company leaders, governing body members, managing partners, and directors bear the responsibility. Employees are excluded. Irrespective of the circumstances, the individual in question must hold autonomous decision-making authority within a specific domain of the company. If the responsible individual within an organization can’t be identified during an investigation, companies may face fines of up to 50,000 CHF (approximately 52,400 EUR).

In Conclusion

Switzerland’s progressive strides in data protection present a dynamic framework that transcends borders. As the global data landscape evolves, foreign entities find themselves subject to Swiss regulations, underscoring the need for a Data Protection Representative. This crucial role not only ensures compliance but also serves as a bridge between data subjects, controllers, and supervisory bodies. With fines and enforcement mechanisms designed to safeguard privacy and accountability, the changed data protection landscape invites international organizations to navigate these complex waters while upholding the fundamental rights of individuals. As the FADP takes effect, the realm of data protection will extend beyond mere compliance towards a trusted and responsible digital future.

Feel free to reach out if you’d like to discuss this topic and its implications further.

EDPO Switzerland as your Swiss Data Protection Representative

EDPO is dedicated to helping your organization navigate the new FADP requirements. Our sister company based in Geneva, EDPO Switzerland Sàrl, is fully equipped and qualified to act as your FADP representative.