The Swiss Data Protection Act (FADP), in short
On 25 September 2020, Switzerland adopted a new version of the Federal Data Protection Act (FADP), replacing the 1992 Act in order to reach a level of data protection close to that of the EU’s GDPR.
Aligning its data privacy laws with those of the EU – namely the EU’s General Data Protection Regulation (GDPR) – was a driving force behind the revision of the 1992 Data Protection Act, ensuring continued flow of personal data in and out of Switzerland.
The result – the new Swiss FADP – is a data privacy law that has similarities with the EU’s GDPR, such as requiring consent in certain cases.
If you have users inside of Switzerland, being compliant with the new Swiss FADP is an obligation. Steep fines are levied against non-compliant domains. But the good news is, if you’re already compliant with the EU’s GDPR, you are almost certainly compliant with the Swiss FADP too.
Scan for free to see your website’s GDPR compliance level
Try Cookiebot CMP free for 30 days – or forever if you have a small website.
Switzerland’s Data Protection Act (FADP), quick breakdown –
- The Swiss FADP (Federal Data Protection Act) was adopted on September 25 2020, replaces the previous 1992 Act, and will come into force in September 2023. It will not provide for a grace period, meaning businesses will have to be in compliance on the date of effect.
- The Swiss FADP enhances data protection in Switzerland and aligns it with the EU’s GDPR to ensure the continued flow of personal data from the European Economic Area to Switzerland.
- The Swiss FADP requires a website to obtain the consent from users inside Switzerland if e.g. they process – sensitive personal data or transfers data to a third country without adequate protection. It also requires your website to have a privacy policy.
- The Swiss FADP defines personal data as any information relating to an identified or identifiable natural person, e.g. IP addresses. Additionally, the Swiss FADP defines sensitive personal data to include information about race, health, religious or political convictions, genetics and biometrics, social security and sexual life.
- The Swiss FADP applies to both the private and public sector and has extraterritorial scope, i.e. applies to any website that processes personal data from individuals inside Switzerland, regardless of where in the world the website is located.
- The Swiss FADP allows transfers of personal data from within Switzerland to third countries if they have an adequate level of data protection.
- The Swiss FADP extends the investigative powers of the Federal Data Protection and Information Commissioner (FDPIC).
- The Swiss FADP punishes non-compliance with fines of up to CHF 250,000. It also enables criminal sanctions to be imposed on private individuals responsible for a potential breach, e.g., controllers and processors, and not only companies.
Scan for free to see your website’s GDPR compliance level
Try Cookiebot CMP free for 30 days – or forever if you have a small website.
Swiss FADP compliance with Cookiebot CMP
Cookiebot CMP is a world-leading solution for making your website compliant with major data privacy laws, including the EU’s GDPR, Switzerland’s FADP, California’s CCPA/CPRA, Brazil’s LGPD, South Africa’s POPIA and many others.
Built around an unrivaled scanning technology that is able to scan and find all cookies and similar trackers in use on your website, Cookiebot CMP provides full transparency and control to your end-users, allowing them to make an easy and fast choice of consent, and enabling complete compliance for your website in the meantime.
Balance data privacy and data-driven business on your website with highly customizable consent interfaces, automatically generated cookie policies and regular renewal of end-user consent.
The geotargeting feature of Cookiebot CMP automatically determines where in the world a user of your website is located, e.g. in the EU or in Switzerland, and presents the correct compliance solution automatically.
The new Swiss Data Protection Act (FADP), in detail
Let’s have a closer look at the Swiss FADP and its requirements for your website.
Swiss FADP on consent, pre-ticked boxes and cookie walls
Under Switzerland’s Data Protection Act (FADP), websites that process personal data from users inside Switzerland might need to first obtain the prior, freely given and, informed consent from those users in order to do so.
This includes cookies that are not strictly necessary for the basic function of your website, but which process personal data for other purposes, such as analytics or marketing.
Consent is required in the case of processing of particularly sensitive personal data, high-risk profiling by a private person or profiling by a federal body.
Additionally consent might be needed if data is transferred to a country without an adequate level of protection.
Consent to cookies is only valid if it is a real choice, i.e. if the user consents without coercion, pressure or other external influence. This means that a user who refuses a cookie that requires consent should not be denied certain services or benefits, such as access to the site.
When a user refuses cookies, they should not be exposed to any negative consequences and should be able to continue accessing the website.
Like the EU’s GDPR, the Swiss FADP requires that end-user consent to cookies be specific, i.e. the user’s consent must be sought for each type of purpose pursued by cookies.
Consent cannot be given for a general use of all cookies without further specification of what data is collected via those cookies and for what purposes. Rather, the Swiss FADP requires a more detailed choice than a simple “all or nothing”, i.e. consent for each category of cookies.
Consent information should be visible, complete and noticeable. It should be written in simple terms that any user can understand and be available in all the languages of the website, e.g. if the website is aimed at a French- and German-speaking audience, the information on the consent banner should be written both in French and in German.
This information is usually grouped in a website’s privacy or cookie policy and should at least include:
- the identity and contact details of the controller (own or third party),
- the purposes of the cookies that are going to be deposited and/or read,
- recipients or categories of recipients of the data.
Additionally it might be necessary to include the categories of the data which is processed and the countries to which the data is transferred to, in case the country does not have an adequate level of security, as well as the garanties the data transfer is based on.
Get an automatic cookie policy with Cookiebot CMP
Try Cookiebot CMP free for 30 days – or forever if you have a small website.
FDPIC recommendations on web tracking in Switzerland
In Switzerland, the Federal Data Protection and Information Commissioner (FDPIC) is responsible for monitoring the compliance of companies and organisations with the Federal Data Protection Act (FADP)
The FDPIC has published guides for how your website use web-tracking tools to monitor user activity on your domain in a way that is compliant with the Swiss FADP.
Your website’s end-users must be informed in a transparent manner about the fact that their personal data is collected, the purpose of the data processing, the analysis of the data and the possibilities given to the user to object to tracking.
Learn more about how to make a cookie policy for your website
In the case of sensitive personal data, end-users must explicitly confirm that they have been informed and that they agree to web-tracking, for example by a mouse click.
The FDPIC states that you, as website owner or operator, are responsible for any processing of personal data from individuals inside Switzerland, even if you are using web tracking service providers. Additionally, the FDPIC points out that even the processing of a user’s IP address is subject to the Federal Data Protection Act, since this address is considered personal data.
The FDPIC also states that when using cookies for web-tracking purposes, a website operator must take into account the requirements of the ePrivacy Directive of the European Parliament and of the Council concerning the processing of personal data as well as the protection of privacy in the electronic communications sector.
Transfer of personal data between the EU, the US and Switzerland
On 16 July 2020, the Court of Justice of the European Union (CJEU) ended the Privacy Shield, which until then allowed data transfers from the EU to the US.
The CJEU requires data controllers to assess the level of data protection in the recipient’s country and suspend the transfer if such country is found to be inadequate. EU-Swiss transfers are also subject to these requirements as well.
On 8 September 2020, following an evaluation of the EU-US Privacy Shield, the Federal Data Protection and Information Commissioner (FDPIC) also declared the Swiss-US transfer regime inadequate.
In line with the CJEU, the FDPIC found that the level of data protection in the US was insufficient and the transfer mechanism under the Swiss-US Privacy Shield was invalidated.
Learn more about the Switzerland-US Privacy Shield decision
Google Consent Mode and Cookiebot CMP
With Google Consent Mode and Cookiebot CMP, you can make all your website’s Google-services run based on the consent state of your end-users – full GDPR compliance with optimized analytics data and ads revenue in one simple solution.
Cookiebot CMP manages the consent of your website’s users, and communicates the consent states to the API running Google Consent Mode which then governs all your favorite services (like Google Analytics and Google Ads) based on the consent state of each individual user on your website.
Did a user not consent to statistics or marketing cookies? Cookiebot CMP informs Google Consent Mode which then makes sure that you still get aggregate and non-identifying insights into your website’s performance and the possibility of showing contextual ads instead of targeted ads – respecting user privacy while optimizing your website.
With Cookiebot CMP and Google Consent Mode, get instant and simple GDPR compliance plus optimized analytics data and ads revenue in one solution.
Get started with Google Consent Mode
Scan your website for free to see what cookies and trackers are in use
Try Cookiebot CMP free for 30 days – or forever if you have a small website.
Swiss FADP, summarized
In this blogpost, we looked at the new Swiss FADP, coming into effect in 2022, and its requirements for your website’s use of cookies and trackers that process personal data from users inside Switzerland.
Formed in the shape of the EU’s GDPR and adopting a lot of its core definitions, the Swiss FADP is a data privacy law that requires your website to obtain consent if processing sensitive personal data from users inside Switzerland or in the case of profiling through a private person or a federal body.
Like its EU sibling, it also comes with several other requirements for your website, e.g. to have an up-to-date privacy policy available to your end-users and to renew consents on a regular basis.
Cookiebot CMP is a plug-and-play solution that automated this entire process for you – simply sign up and implement Cookiebot CMP straight from the cloud with a few lines of JavaScript.
FAQ
What is the Swiss Data Protection Act (FADP)?
The Swiss FADP is the data privacy law of Switzerland which regulates the processing of personal data from individuals inside Switzerland. It requires any website in the world with users from inside Switzerland to obtain their consent if they process sensitive personal data or in the case of profiling.
Does Switzerland also have to comply with the GDPR?
Yes, if your website located inside Switzerland processes personal data from users inside the EU, the General Data Protection Regulation (GDPR) applies and you are required to obtain the prior consent before being legally allowed to process or share any personal data.
Try Cookiebot CMP free for 30 days… or forever if you have a small website.
Does Switzerland have an EU adequacy decision?
Yes, Switzerland is among the countries that the EU has granted an adequacy decision to, meaning that the EU has deemed Switzerland’s level of data protection as essentially equivalent and ensuring the continued free flow of personal data across the two regions.
Scan your website for free to see all cookies and trackers in use
What is a Swiss FADP compliant cookie banner?
A consent banner on your website should contain easy-to-understand information about your website’s cookie settings and personal data processing practices. A valid consent banner should not have pre-checked checkboxes (cookies enabled by default), should not push or force users to give consent (cookie walls), and should not interpret user activity such as scrolling or continuing to browse the domain as consent.
Try Cookiebot CMP free for 30 days – or forever if you have a small website.
Are cookie walls legal in Switzerland?
There is no special legislation on cookie walls in Switzerland. However, as many Swiss websites receive users from the EU, it is recommended for Swiss websites to follow the European Data Protection Board (EDPB) guidelines on valid consent in the EU, which define that cookie walls that condition consent on access to a website are an unlawful means of obtaining consent. Instead, consent must be granular and freely given. Users should be able to choose between some cookies and not others when giving consent.
Try Cookiebot CMP free for 30 days – or forever if you have a small website.
Resources
EDPB guidelines on cookies and other trackers
Website of the Federal Data Protection and Information Commissioner (FDPIC)
FDPIC explanation of webtracking (in French)
Federal Data Protection Act (FADP) (in French)