Data Protection and Privacy 2025

SWITZERLAND Trends and Developments Contributed by: Jürg Schneider, David Vasella and Hugh Reeves, Walder Wyss Ltd

FADP). The definition of sensitive personal data also goes slightly further than it does under the GDPR.

Territorial scope of application of the revised FADP

Although the FADP applies primarily to the territory of Switzerland, it has an extraterritorial scope of application. In particular, it can extend to processing that occurs abroad but has an effect in Switzerland. Consequently, if personal data is processed outside of Switzerland but affects natural persons in Switzerland, the controller or processor abroad must comply with the revised Swiss law.

In addition, private controllers with their domicile or residence abroad must designate a representative in Switzerland if they process personal data of persons in Switzerland and the data processing meets all of the following requirements:

• the data processing is connected to offering goods or services in Switzerland or to monitoring the behaviour of these persons;
• the processing is extensive;
• data is processed regularly; and
• the processing involves a high risk to the personality of the data subjects.

The Swiss representative keeps the records of processing activities (ROPA) and serves as a point of contact for data subjects and the Federal Data Protection and Information Commissioner (FDPIC). The controller must publish the name and address of such representative.

Key changes in the revised FADP

Many of the changes in the revised FADP are inspired by the GDPR and will look familiar to data protection experts who have been working with the GDPR. The following changes with respect to the former FADP should be noted.

Sensitive personal data

The list of sensitive personal data (data that requires special protection) has been expanded. The FADP also includes data on ethnicity, genetic data and biometric data that identifies a natural person, but also data relating to the intimate sphere of the data subject and data on social security measures.

Profiling

The FADP includes a legal definition of profiling that is identical to that of the GDPR, but there is also “high-risk profiling”, a special category of profiling with slightly tighter restrictions.

Privacy by design and privacy by default

The principles of “privacy by design” and “privacy by default”, which can be found in the GDPR, are introduced in the FADP.

Data protection adviser

Data controllers may, but are not obliged to, appoint an independent data protection adviser as a point of contact for data subjects and authorities responsible for data protection in Switzerland. The tasks of the data protection adviser consist of educating and advising the data controller on data protection issues and assisting in the compliance with data protection legislation.

Records of processing activities

Like the GDPR, the FADP requires that data controllers and processors keep an inventory (ROPA). This inventory is intended to record the various processing activities and provide the controller and the processor with an overview of the data protection-relevant activities. If the FDPIC investigates a case, the first thing they will likely ask for is the inventory of processing activities. The FDPIC can therefore request this inventory at any time, even if they are not obliged
