
Becoming GDPR/FADP Compliant
How to protect your data and that of your customers in Switzerland
The GDPR (General Data Protection Regulation) is a European regulation that harmonizes data protection rules across the European Union. The revised FADP (Swiss Federal Act on Data Protection), in force since 1 September 2023, modernized the FADP of 1992 that applied until then. It adopts many of the GDPR's principles without being a copy of it. In January 2024 the European Commission confirmed that Switzerland continues to provide an adequate level of data protection, so personal data can flow from the EU to Switzerland without additional safeguards. A company based in Switzerland that complies with the FADP therefore already meets most of what the GDPR requires. Note, however, that the GDPR still applies directly to a Swiss company that offers goods or services to people in the EU or monitors their behaviour there (Art. 3(2) GDPR), so such a company must also check the GDPR-specific obligations.
Data protection law aims to protect the personality rights of individuals with respect to the processing of their personal data, and it sets rules that companies must follow when carrying out their activities.
Implementing data protection measures is a way for an organization to respect the people linked to it, such as customers, employees and website visitors. These measures also give an organization a competitive advantage: they make it more resilient in the event of a data breach, such as a cyber attack, and so limit damage to its image and loss of market share. Finally, certain data protection measures are required by law, and taking them avoids legal proceedings.
Compliance with the FADP (and with the GDPR where applicable) is essential for several reasons:
- Avoiding financial penalties: supervisory authorities can impose heavy fines on those who fail to comply. Under the FADP, fines of up to CHF 250,000 are imposed on the responsible natural persons (managers or employees) rather than on the company; under the GDPR, fines are imposed on the company and can reach EUR 20 million or 4% of worldwide annual turnover.
- Preserving corporate reputation: a data breach can have disastrous consequences for brand image and customer confidence.
- Improving customer relations: by demonstrating their commitment to data protection, companies strengthen the trust of their customers.
- Fostering innovation: a proactive approach to data protection can stimulate innovation and the development of new products and services.
The General Data Protection Regulation has transformed the way companies manage personal data. To comply with it, it is essential to understand the specific issues at stake in each business sector. In its wake, the revision of the FADP, which came into force in 2023, imposed many new obligations on Swiss companies.
Certain business sectors are particularly affected by data protection standards (GDPR or FADP) because of the nature of the data they process:
- Healthcare: in the medical sector, patient data is classified as sensitive personal data. Healthcare establishments, health insurers and pharmaceutical firms are subject to strict rules and must pay particular attention to protecting the confidentiality of this information.
- Public organisations: public bodies may only process personal data if a legal basis requires or authorizes them to do so, and the law guarantees the principle of transparency of processing. The federal administration must comply with the FADP, while cantonal and communal administrations must comply with the data protection law of their canton (there are 26 such laws). The FADP also requires the state, when it processes data about companies (legal entities), to protect that data in the same way as personal data.
- Tech sectors: technology companies collect and process vast quantities of personal data, particularly through their online services (social networks, search engines, etc.). They are expected to implement transparent consent mechanisms and to guarantee the confidentiality and security of user data.
- The financial sector: financial institutions process sensitive personal data such as bank details, transaction histories and financial information about their customers. This sector is subject to special regulations, in particular those of the Swiss Financial Market Supervisory Authority (FINMA).
Compliance with the FADP is an ongoing process that requires a holistic approach. At Secure4u, we recommend the following steps:
- Performing a compliance audit: the first step is to assess your organization's current state of data protection and data security. This audit identifies the gaps in compliance and serves as the basis for an action plan.
- Drawing up a register of processing activities: it is essential to keep a record of all data processing operations carried out within your organization (purpose, categories of data and of data subjects, recipients, retention period, security measures). Companies with fewer than 250 employees are exempt unless their processing presents a high risk to the personality or fundamental rights of the data subjects. Federal bodies must also notify their register to the Federal Data Protection and Information Commissioner (FDPIC).
- Assessing the risks associated with each processing operation: each processing operation presents specific risks, which must be assessed so that appropriate technical and organizational measures can be put in place. Where a processing operation may entail a high risk for data subjects, the FADP requires a formal data protection impact assessment (DPIA) before the processing starts, and the FDPIC must be consulted if the residual risk remains high.
- Adopting privacy policies: privacy policies must be clear, understandable, simple and easily accessible. In particular, they must inform data subjects how their data is processed, what rights they have and whom to contact with questions.
- Training employees: raising employee awareness of data protection and data security issues is essential to ensure day-to-day compliance within the organization.
The role of the DPO: an asset for compliance with the FADP and GDPR.
The Data Protection Officer (DPO) plays a key role in supporting an organization on data protection issues. In particular, the DPO provides expertise in:
- Advising management on organizational data governance.
- Ensuring compliance with legal obligations and best practices in the organization's activities.
- Advising on IT projects so that data protection requirements are built in from the design stage of information systems (data protection by design).
- Providing ongoing training in data protection and data security.
- Conducting audits to assess organizational compliance.
- Managing security incidents involving personal data, including the assessment of whether a breach must be reported to the supervisory authority and to the data subjects.
- Liaising with supervisory authorities (in particular the Federal Data Protection and Information Commissioner).
Appointing an external DPO provides independence and is often recommended for medium-sized organizations; it has become essential for large organizations handling large quantities of personal data. Federal bodies are required to appoint one (the FADP calls this role the data protection advisor). Under the GDPR, appointing a DPO is mandatory in certain cases, for example for public authorities or where an organization's core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of sensitive data.
Transparency is a fundamental principle of the FADP. Data subjects must be given comprehensive and comprehensible information about how their data is processed. Moreover, they can assert their rights against an organization at any time, starting by asking whether personal data concerning them is being processed. To this end, we recommend:
- Publishing a clear and accessible privacy policy for each stakeholder group (customers, employees, website visitors).
- Informing people at the time their data is collected.
- Keeping an internal process in place for handling requests from data subjects so that the organization can verify the requester's identity and respond within the legal deadline, which is in principle 30 days under the FADP (one month under the GDPR).
Compliance with data protection standards (FADP/GDPR) is a major issue for every organization that processes personal data, so all hierarchical levels must be involved in its implementation. For example, the approval of a general data protection directive by a company's Board of Directors is a necessary step, as it sets expectations for the operational level.
Making data protection a strategic priority is essential to preserve your customers' trust, strengthen your brand image and avoid financial penalties that can be very high.