Understanding GDPR & nFADP
Since May 25, 2018, the General Data Protection Regulation (GDPR) has been in force to protect personal data and prevent mass data mining by companies without users’ consent. This regulation applies to all companies, including those acting as subcontractors for EU countries.
Similarly, since 1 September 2023, Switzerland has applied the new Federal Act on Data Protection (nFADP), which aligns Swiss law with the GDPR in order to:
✅ Ensure stronger personal data protection
✅ Adapt to technological and social changes
✅ Maintain free data exchange with the EU
✅ Strengthen the competitiveness of Swiss companies
Who Does It Affect?
🔹 Companies processing personal data
🔹 Websites using cookies, tracking, analytics, or online forms
🔹 Businesses handling EU or Swiss customer data
What Is Personal Data?
Personal data refers to any information that identifies a person directly or indirectly, including:
📌 Names & addresses
📌 Phone numbers & emails
📌 IP addresses & device identifiers
📌 Fingerprints & voice recordings
📌 Social security numbers
📌 Data collected by any tracking or analytics tool
Compliance & Responsibilities
Organisations and private individuals must:
✔️ Obtain explicit consent before collecting data
✔️ Allow users to manage their data rights (access, modification, deletion)
✔️ Secure personal data with appropriate safeguards
✔️ Maintain transparency in data collection & processing
Key Changes in the New Federal Act on Data Protection (nFADP)
- Protection focus: only the data of natural persons is protected; data of legal entities is excluded.
- Sensitive data expansion: genetic and biometric data are now explicitly classified as sensitive data.
🔹 Data protection must be built into products & services from the start.
🔹 User privacy is automatically enforced, with minimal user intervention.
🔹 Businesses must ensure websites, marketing tools, and social platforms meet the new privacy standards.
🇪🇺 Differences with the EU (GDPR vs. nFADP)

Right to Be Forgotten & Data Portability
Under the GDPR, individuals have the right to be forgotten, allowing them to request the deletion of their personal data in cases where privacy is compromised. Additionally, the right to data portability enables users to transfer their data between online platforms, such as moving from one social network to another.
⚠️ Data Breach Notification Obligation
Businesses must promptly inform users in the event of a data leak, whether it is due to hacking, server vulnerabilities, or application flaws.
✅ Ensure compliance by implementing robust security measures and maintaining transparent user communication.
Who Has Distinct Obligations to Inform?
Under GDPR & nFADP, Swiss companies handling EU residents’ personal data have specific legal obligations, particularly when acting as subcontractors or engaging in business within the EU.
Swiss Company Processing Personal Data on Behalf of an EU Business
🔹 A Swiss company acting as a subcontractor for a European company must comply with GDPR as a data processor.
🔹 It must inform the EU data controller of any data breach and follow the contractual obligations under the Data Processing Agreement (DPA).
Swiss-Based Company Processing EU Residents’ Data
🔹 If a Swiss company collects and processes EU residents’ data when offering goods or services, even free of charge, GDPR applies.
🔹 The company must inform users about data collection, usage, storage, and their rights (e.g., access, rectification, deletion).
🔹 Transparency & consent are mandatory before processing personal data.
Customer Profiling in the EU for Business & Sales
🔹 If a Swiss company profiles EU customers, particularly for targeted marketing or reselling data to third parties, GDPR strictly applies.
🔹 Explicit consent is required before profiling or selling data.
🔹 Users must be informed of how their data is used and have the right to opt out of profiling.
Any Swiss company dealing with EU residents’ personal data must comply with GDPR, ensuring transparency, user rights, and breach notifications.
Key Principles of Data Protection
Ensuring compliance with GDPR & nFADP requires transparency in data processing. Below are the fundamental principles companies must follow when collecting and handling personal data:
1️⃣ Consent & Acceptance Policy (Essential for E-Commerce)
Users must explicitly agree to data collection via clear, informed, and unambiguous consent. No pre-checked boxes or hidden terms!
2️⃣ Who Is Processing the Data?
Clearly identify your company as the data controller and specify any third-party processors.
3️⃣ Legal Basis for Data Collection
Companies must justify WHY they collect data based on one of these legal grounds:
✔ User consent (opt-in required)
✔ Contractual necessity (e.g., order processing)
✔ Legal obligation (e.g., tax records)
✔ Legitimate interest (business needs balanced with user rights)
4️⃣ Purpose of Data Collection
Explain WHY you collect data, whether for transaction processing, marketing, security, or legal compliance.
5️⃣ Types of Personal Data Collected
Specify what data is collected, such as:
📌 Basic identifiers (name, email, phone, address)
📌 Sensitive data (biometric, health, financial)
📌 Online identifiers (IP address, cookies, browsing history)
6️⃣ Data Retention Period
Define HOW LONG data is stored and the criteria for deletion after its purpose is fulfilled.
7️⃣ International Data Transfers
If you transfer data outside Switzerland or the EU, specify the destination and protection measures (e.g., Standard Contractual Clauses).
8️⃣ Automated Decision-Making & Profiling
If you use AI, automated scoring, or behavioural profiling, users must be informed and have the right to opt out or request human intervention.
9️⃣ Data Sharing with Third Parties
Disclose WHO you share data with (e.g., payment providers, cloud services) and ensure they comply with data protection laws.
🔟 Data Subjects’ Rights
Inform users of their rights:
✅ Access their data
✅ Rectify inaccurate data
✅ Delete data (“Right to be forgotten”)
✅ Object to data processing
✅ Data portability (transfer their data)
How Users Are Notified About Policy Changes
Following these principles ensures trust, compliance, and user confidence in how you handle personal data.
How to Apply Data Protection in Practice?
Ensuring GDPR & nFADP compliance requires a proactive approach in managing personal data. Here’s how to effectively implement data protection policies in your business:
1️⃣ Online Communication (Website & Digital Platforms)
✔ Ensure your website and online services clearly state how user data is collected and processed.
✔ Use encrypted connections (HTTPS, SSL/TLS) for secure data transmission.
✔ Implement user consent banners for cookies and tracking tools.
2️⃣ Raise Awareness, Inform & Train Your Team
✔ Train employees and collaborators on the importance of data protection and cybersecurity.
✔ Organise workshops on secure data handling and recognising phishing attempts.
✔ Ensure internal policies align with legal standards.
3️⃣ Secure Data Storage & Transfer
✔ Never store or transfer personal data in locations that are freely accessible on the internet.
✔ Implement data minimisation: collect only what is strictly necessary.
✔ Use encrypted storage solutions and apply security patches regularly.
4️⃣ Be Cautious with Marketing Databases
✔ Ensure customer consent before using their data for marketing purposes.
✔ Regularly audit third-party tools (CRMs, analytics) for compliance.
✔ Delete outdated or unnecessary personal data.
5️⃣ Privacy Policy & Data Protection Statement
Your website must include:
✔ A Privacy Policy detailing data collection, usage, and retention policies.
✔ A Data Protection Statement covering:
- Use of files & cookies
- Analytics tools (e.g., Google Analytics, Matomo)
- Contact form handling
- Marketing & social media interactions
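The consent banner from step 1 and the analytics tools from step 5 come together in the small consent gate below. It is an added example, not code from this page or from DIGITALABS: it keeps every optional category off until the user explicitly opts in (no pre-checked boxes), loads each tool at most once, records the policy version so a changed privacy policy re-prompts the user, and offers an opt-out. The `POLICY_VERSION` value, the category names and the `storage`/`loaders` interfaces are assumptions.

```javascript
// Added example (not the page's or DIGITALABS' code): a consent gate for analytics
// and marketing tools. Optional scripts load only after an explicit opt-in, every
// category starts "denied" (no pre-checked boxes), and the stored record carries the
// policy version so a changed policy re-prompts instead of reusing old consent.
const POLICY_VERSION = "2025-01";              // assumed value; bump when the policy changes
const CATEGORIES = ["analytics", "marketing"]; // strictly necessary cookies need no consent
// storage: localStorage-like object (getItem/setItem). loaders: per-category functions
// that inject the tool's script tag (e.g. a Matomo or GA snippet); each runs at most once.
function createConsentManager(storage, loaders) {
  const loaded = new Set();

  function read() {
    const raw = storage.getItem("consent");
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      // A record for an older policy version is stale: treat it as no consent.
      return rec && rec.version === POLICY_VERSION ? rec : null;
    } catch (e) { return null; }
  }
  function write(granted) {
    storage.setItem("consent",
      JSON.stringify({ version: POLICY_VERSION, granted, at: new Date().toISOString() }));
  }

  // Banner state shown to the user: everything off until they choose.
  const defaultChoices = () => Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  const needsPrompt = () => read() === null;
  const isAllowed = (c) => { const r = read(); return r !== null && r.granted[c] === true; };

  // Load each granted tool exactly once; safe to call on every page view.
  function applyConsent() {
    for (const c of CATEGORIES) {
      if (isAllowed(c) && !loaded.has(c) && loaders[c]) { loaders[c](); loaded.add(c); }
    }
    return [...loaded];
  }
  // Call only from an explicit user action (a button click), never on page load.
  function recordChoices(choices) {
    const granted = Object.fromEntries(CATEGORIES.map((c) => [c, choices[c] === true]));
    write(granted);
    applyConsent();
    return granted;
  }
  // Opt-out: records a denial for every optional category. Scripts already on the
  // page cannot be unloaded, so the caller should also clear their cookies and reload.
  function withdraw() { write(defaultChoices()); return defaultChoices(); }
  return { needsPrompt, defaultChoices, isAllowed, applyConsent, recordChoices, withdraw };
}
```

In a real page, `applyConsent()` runs on every load and the banner calls `recordChoices` from its buttons; the stored `at` timestamp and version give you the audit trail for who consented to which policy.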
Take Action
🔹 Review your data collection policies
🔹 Update your website with a clear Privacy Policy
🔹 Train your team on data security best practices
Need a DPO? We’ve Got You Covered
If your company does not have a Data Protection Officer (DPO), DIGITALABS helps you:
✔ Assess your GDPR/nFADP compliance.
✔ Implement best practices for data collection and processing.
✔ Define internal policies and staff training programs.
Useful External Sources
- CNIL: GDPR toolkit.
- Fédération des Entreprises Romandes: Découvrir la protection des données. (FR)
- Swiss Confederation: New Federal Act on Data Protection (nFADP). (DE, FR, IT, EN)
- Infomaniak Network SA: Protection of your personal data. (FR, EN, DE, IT, ES)
- ThinkData: Data Protection and Transparency Awareness Service. (FR, EN, DE, IT)
- Preparing for the GDPR: Guide to the GDPR. (PDF)