On 25 September 2020, the Swiss Parliament adopted the revised Federal Act on Data Protection (FADP-new) (final voting text in French). The federal law is subject to an optional referendum. The Federal Council decides on the entry into force after the 100-day referendum period has expired.

 

After disagreeing until the very end on the issue of profiling, the Councils finally agreed on the introduction of the concept of “high-risk profiling”. The consequence of this type of profiling is that consent, if required, must be explicit (see below the relevant legal articles concerning profiling and consent).

 

It remains to be seen how companies will assess the risk level of profiling in practice. In any case, this exercise will be a challenge for companies.

 

It should be noted that the revised FADP does not introduce a consent requirement for high-risk profiling, but only requires that consent, if at all required as a justification under Art. 31 FADP-new, must be given explicitly. It must be reminded that the basic concept of the FADP and FADP-new is different from that of the GDPR. While under the GDPR, a legal ground is always required for the processing of personal data (Art. 6 and 9 GDPR), the processing of personal data under the FADP and FADP-new is, in principle, permitted as long as the personality of the data subjects is not unlawfully violated. According to the FADP-new, the “permission principle subject to prohibition” continues to apply, while the GDPR applies the “prohibition principle subject to permission”.

 

The revised Data Protection Act will in future apply to the processing of personal data of natural persons (today also legal entities). It introduces specific terms such as “controller” and “processor” and extends the term “sensitive personal data” to include “genetic data” and “biometric data that uniquely identifies a natural person”. Concepts, as already known from the GDPR, are now enshrined in the law, such as Privacy by Design, the inventory of processing activities, data protection impact assessments, the general duty to provide information when collecting personal data and the notification of data security breaches. In the future, under certain conditions, controllers located abroad will also have to appoint a representative in Switzerland if they process personal data of persons in Switzerland. The new law tightens the penal provisions with fines of up to 250,000 Swiss francs for private individuals who violate specific provisions, such as the obligation to inform, consult and cooperate with the FDPIC, the provisions on the transfer of personal data abroad and the assignment of processors, as well as non-compliance with minimum data security requirements.

 

A detailed summary and analysis of the revised law and its principles will follow.

 

Relevant articles in the FADP-new concerning profiling (unofficial translation):

 

Art. 5 lit f:

Profiling Is any automated processing of personal data consisting in the use of such data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to the performance of work, economic situation, health, personal preferences, interests, reliability, behaviour, whereabouts or movements of that natural person.

 

Art. 5 lit g:

High-risk profiling: profiling which involves a high risk to the personality or fundamental rights of the data subject, by creating a link between data which allows an assessment of substantial aspects of the personality of a natural person.

 

Art. 6 para 6:

If the consent of the data subject is required, this consent is only valid if it is given voluntarily for one or more specific processing operations after adequate information has been provided.

 

Art. 6 para. 7:

Consent must be given explicitly for: a. the processing of sensitive personal data; b. high risk profiling by a private person; or c. profiling by a federal body.

 

Art. 30 Violation of the personality

1 Anyone who processes personal data must not unlawfully violate the personality of the data subjects.

2 A violation of personality exists in particular if:

a. personal data is processed in violation of the principles set out in Articles 6 and 8;

b. personal data is processed contrary to the data subject’s express declaration of intent;

c. sensitive personal data is disclosed to third parties.

3 As a rule, there is no violation of personality if the data subject has made the personal data generally accessible and has not expressly prohibited its processing.

 

Art. 31 para 1

A violation of privacy is unlawful if it is not justified by the consent of the person concerned, by an overriding private or public interest or by law.