New Federal Act on Data Protection in Switzerland

Effective September 1st, 2023, Switzerland will introduce the “nFADP” (meaning “New Federal Act on Data Protection”), a new data privacy regulation. This updated act brings several changes that can significantly impact business processes. While we are not legal consultants, we recommend seeking advice from a lawyer to ensure compliance with the new legal requirements. Nonetheless, we would like to offer valuable information on the measures and requirements that companies should consider implementing in light of this new regulation.

Key Points of the New Federal Act on Data Protection

• The scope of the policy is limited to physical individuals; it does not apply to legal entities.
• The definition of “extremely sensitive data” now includes Biometric or profiling data.
• Transparent data collection, storage, and usage practices must be enforced. Information should be easily retrievable from the system to address inquiries or requests from individuals. Companies must establish an internal information process, allowing customers to access details about their data usage and submit requests for reports, updates, or deletions. All requests should be documented in a dedicated file.
• Unlike the EU Protection Act, the privacy policy must clearly specify the location (countries) of all data storages, including third-party tools like Google Analytics.
• Third-party tools, such as Fusedeck (Tracking), must be explicitly mentioned in the privacy policy.
• Any breach of the New Federal Act on Data Protection must be promptly reported to the authorities by the designated “Datenschutzverantwortliche.”
• Business processes must adhere to Privacy Privacy requirements. Companies must ensure that the development or implementation of new tools or processes does not lead to any data breaches.
• Sanctions for violations are directed at individuals rather than legal entities. Breaches can result in up to 250,000 CHF in liability for physical persons. Liability extends to all those who “participate” in violating personality rights, with stricter sanctions than the EU protection Act.
• If applicable, create a Directory of all data processing, detailing the company’s data controller, data processing purposes, categories of personal data collected, etc. This requirement is waived for companies with fewer than 250 employees or those not handling “extremely sensitive data” (“besonders Schützenswerte Daten”).

Impact of the New Federal Act on Data Protection on Consent Management

According to the New Federal Act on Data Protection:

• For email subscription campaigns like “Get our Newsletter,” a single opt-in is sufficient. When potential subscribers fill out the subscription form and tick a standard consent box, it is acceptable to send them the emailing campaigns. The consent box can even be pre-ticked, as long as there is a confirming action (Accept Button) in compliance with Swiss laws.
• Regarding website visitors, general consent is assumed. Websites only need to inform visitors about any tracking or data storage activities, usually through a banner with a link to the privacy policy. Users can simply close the banner to make it disappear.
• The classic double Opt-In consent management process is legally required only when dealing with sensitive data storage and usage (e.g., religion, politics, etc.).

The case of leading corporations, including major E-commerce players:

• Opt for a double opt-in strategy when it comes to email subscription campaigns. This not only ensures full consent but also helps verify the authenticity of subscribers using genuine email accounts. Ensuring data quality is vital.
• Implement two data layers on their website, especially if their customers are located in Switzerland (CH) or the European Union (EU).
  — For Swiss law compliance, a clear information notice about the website’s use of Cookies is sufficient, along with a link to the Privacy Policy. No confirming action is required.
  — For EU law compliance, a clear confirmation is necessary from website visitors, and the option to decline must be equally accessible as the accept button. Avoid using color highlights, as it could be considered Nudging and not compliant with the law. Additionally, provide visitors with the option to adjust cookies and make the Privacy Policy readily available.

Recommended Measures for Companies Operating in Switzerland

• Switch to double-opt-in for email subscriptions, regardless of clients’ location, to mitigate risks associated with single-opt-in:
  — Easier documentation of Opt-in acquisition under the Transparency Act.
  — Reduced risk of bad data, ensuring subscribers’ authenticity through a confirming action.
  — Lower unsubscribe rates compared to single-opt-in.
  — Decreased likelihood of being flagged as a bad sender and landing in spam folders.
• Organize and streamline consent management, especially on the website, by adding relevant banners, links, and checkboxes. For example, implement two cookie banners: one for Swiss clients and another for non-Swiss clients, to ensure compliance with different legal requirements.
• Update and make all documentation available to the public, including websites, Cookie Banners, Email Footers, and the Privacy Policy.
• Develop and communicate internal data management processes to relevant stakeholders (e.g., customer service and sales).
• Review and collaborate with external suppliers to prevent any potential systematic breaches of the New Federal Act on Data Protection.
• Assess the impact of the new regulation on existing data sets and target groups.
• Inform internal stakeholders about their liability as physical persons in case of breaches, considering potential amendments to labor contracts to shift liability to senior management.
• Ensure that IT systems and software applications meet the security requirements of the new law.
• Run a simple multi-channel communication campaign (purely informative) to inform (potential) customers about the New Federal Act on Data Protection.
• Update Non-Disclosure Agreements (NDAs) and employee contracts to comply with the new legal requirements.
• Designate an internal “Datenschutzverantwortlicher” if not already assigned to oversee data protection responsibilities.
• Seek legal advice to ensure comprehensive exploration of compliance avenues and to mitigate potential future legal issues.

Ethical Aspects and User Acceptance

By incorporating the following ethical aspects into your data management and communication practices, you can not only comply with legal requirements but also build a strong foundation of trust with your customers. User acceptance is more likely when customers perceive that your company values their privacy, communicates transparently, and respects their choices and preferences regarding their personal data. Ethical data practices contribute to a positive brand image and can lead to increased customer loyalty and satisfaction.

• Data Minimization: Ensure that you only collect the data that is genuinely necessary for your business processes. Avoid gathering excessive or irrelevant information from users. Data minimization aligns with ethical principles and helps build trust by respecting users’ privacy.
• Transparency and Communication: Proactively inform your customers about your data management practices. Clearly state how you collect, store, and use their data, as well as the purpose behind it. Transparent communication builds trust and fosters a positive relationship between customers and your company.
• Ethical Decision-Making: When making internal decisions, consider ethical principles in handling customer data. Prioritize user privacy and data protection in your processes to demonstrate your commitment to ethical practices.
• Empathy with Target Audience: Put yourself in your customers’ shoes and consider how they would feel about the use of their data or the communication they receive from your brand. Empathizing with your target audience helps you align your practices with their expectations and preferences, enhancing user acceptance.
• Easy Unsubscribe Options: Respect user choices and privacy preferences by making the unsubscribe option easily accessible. Avoid hiding the unsubscribe link under too many clicks or complicated processes. Simplifying the opt-out procedure demonstrates respect for users’ decisions and fosters positive user experiences.

The Case of Liechtenstein

If your Swiss-based company serves customers from Liechtenstein, in addition to the Swiss market, it’s crucial to be mindful of aligning with GDPR (General Data Protection Regulation) regulations instead of the Swiss ones. Liechtenstein imposes higher expectations, often requiring systematic double opt-in processes, which are more stringent than those of the new New Federal Act on Data Protection. Given this, it is advisable to implement GDPR measures to ensure compliance with the stricter requirements, even though the New Federal Act on Data Protection is generally less restrictive in comparison.

Outlook

As the enforcement date of 01.09.2023 approaches, it is crucial to ensure that the measures and sanctions are operationally sound. Companies dealing with sensitive or large volumes of data may face limited understanding from authorities, making expert legal consultancy essential. However, if you operate a classic website with minimal data processing, implementing relevant standard measures and observing the outcomes could be an option. Nevertheless, we strongly recommend seeking guidance from legal experts who can provide tailored advice for your specific case. To assist you in preparing for the upcoming changes, our team can create engaging and standout “informative” email campaigns to be sent before September 1st, ensuring your communication stands out amidst the deluge of similar messages from other brands.