Specific Amendments and Measures under the revised FADP – Risk-Based Approach in Light of the New Criminal Offences
by András Gurovits, Clara-Ann Gordon, Janine Reudt-Demont
The revised Swiss Federal Act on Data Protection (“revFADP”) is expected to enter into force in the course of 2022. The revFADP has been adapted to the EU General Data Protection Regulation (“GDPR”). Companies that are GDPR-compliant therefore have less need to adapt. However, there are some “Swiss Finishes” that must be observed and implemented. Since no transition periods are provided, it is advisable to start as soon as possible on amending the existing data protection-relevant documents and processes, and to take appropriate measures or introduce the corresponding mechanisms.
The revFADP provides for fines of up to CHF 250,000, which are not imposed on the company, but on the relevant decision-makers and/or the management / board of directors (depending on the internal set-up of the company). When implementing the necessary measures, it may be expedient, in the sense of a risk-based approach, to focus in a first step on those provisions of the revFADP whose violation may result in a fine. The following overview is therefore based on the new offences of the revFADP and lists the specific measures that will be necessary to comply with these.
In order to ensure comprehensive compliance with the revFADP, additional steps are necessary. In this context, we refer to the NKF checklists.