08 Nov
New requirement to appoint a Swiss Data Protection representative
The growing awareness of the importance of data protection in the last decade – as well as the overall changes brought about by the General Data Protection Regulation (GDPR) – has influenced the way many countries view their privacy legislation.
Switzerland followed suit when the Swiss Federal Council proposed plans to modernise the Swiss data protection regime back in 2017. On 1 September 2023, the revised Federal Act on Data Protection (FADP) came into force.
Territorial scope of the revised FADP
One of the primary objectives of the new FADP was to align the Swiss data protection regime more closely with the GDPR. In addition to imposing stricter reporting requirements for data breaches and placing greater emphasis on the rights of data subjects, the FADP also introduces new obligations for companies worldwide to ensure the protection of personal information belonging to Swiss individuals.
However, the FADP seems to go further than the GDPR with its territorial scope, covering activities that have an impact in Switzerland, even if initiated from abroad. Therefore, organisations storing personal data on servers located in Switzerland will also be required to comply with the revised FADP.
The requirement to appoint a Swiss representative
The new FADP expands the territorial scope of the Swiss data protection regime by imposing various data protection-related obligations on non-Swiss companies, including the requirement to appoint a Swiss representative for data protection purposes.
Do we need a Swiss representative?
The requirement to appoint a Swiss representative is triggered when a non-Swiss company – without a corporate seat in Switzerland – is processing personal data of individuals in Switzerland, and such processing is:
- for the purpose of offering goods or services to such individuals, or monitoring their behaviour; and
- on a large scale, carried out regularly and posing a high risk to the data subject in question.
Fines for non-compliance
Unlike the GDPR, the revised FADP does not impose civil penalties on non-compliant organisations. Instead, it introduces criminal sanctions for intentional violations of the revised FADP in the form of fines, which can reach up to CHF 250,000 for individuals responsible for the organisation’s data protection programme (usually C-level executives or DPOs). This is something senior management needs to be mindful of.
How we can help
- We can act as your Swiss representative under Article 14 of the FADP
- We can act as your UK and EU representative, too
- Having offices in the UK, Ireland and Switzerland, we are the one-stop shop for companies requiring complex representative solutions in Europe
- Together with our sister law firm, Willans LLP, we can assist companies with a wide range of data privacy related queries and provide complex representative solutions.
Founded by legal and data protection experts recognised by the world’s largest global information privacy community, Willans Data Protection Services provides organisations operating on a multi-national basis with EU and UK Representative solutions, Data Protection Officer services and training solutions under the GDPR.
Through its affiliation with UK law firm Willans LLP, it also provides organisations with wider advisory services concerning GDPR compliance such as GDPR audits, drafting policies, preparing legal documentation and bespoke legal advice.
Contact us for all things concerning data protection.