New Federal Act on Data Protection (nFADP)
Switzerland is implementing new legislation to better protect its citizens’ data. Swiss companies will have to comply with this legislation from September 1, 2023.
In its fall 2020 session, Parliament passed the new Act on Federal Data Protection (nFADP). It improves the processing of personal data and grants Swiss citizens new rights. This important legislative change also comes with a number of obligations for companies. Implementation through the Data Protection Ordinance is on September 1, 2023.
A necessary new law
The first Federal Data Protection Act dates back to 1992. The Swiss population has since introduced into daily life the use of the Internet and smartphones and is increasingly using social networks, the Cloud or the Internet of Things. In this context, a complete overhaul of the data protection law – and not just a partial one as was the case in 2009 and 2019 – is essential to ensure that the population has adequate data protection adapted to the technological and social developments of our time.
Swiss law’s compatibility with European law, and in particular with the European General Data Protection Regulation (GDPR), is the nFADP’s other challenge. The nFADP should make it possible to maintain the free flow of data with the European Union (EU) and thus avoid a loss of competitiveness for Swiss companies.
What are the main changes?
The nFADP introduces the following eight major changes for businesses.
Only data of natural persons, and not those of legal persons, are now covered.
Genetic and biometric data fall under the definition of sensitive data.
The principles of “Privacy by Design” and “Privacy by Default” are introduced. As its name implies, the principle of “Privacy by Design” requires developers to integrate the protection and respect of users’ privacy into the very structure of the products or services that collects personal data. The principle of “Privacy by Default” ensures the highest level of security as soon as the products or services are released, by activating by default, i.e. without any intervention from users, all the measures necessary to protect data and limit their use. In other words, all software, hardware and services must be configured to protect data and respect the privacy of users.
Keeping a register of processing activities is now mandatory. However, the ordinance allows exemptions for SMEs whose data processing presents limited risk of harm to the data subject. Prompt notification to the Federal Data Protection and Information Commissioner (FDPIC) is required in the event of a data security breach. The concept of profiling (i.e. the automated processing of personal data) is now part of the law. The FDPIC website (New Federal Data Protection Act) provides more specific and detailed information about the revisions made by the nFADP.
Our Saas consent management solution:
- Personal data control at the level of individual HCPs
- Detailed, real time capturing of opt-ins/opt-outs according to mandatory GDPR Data Processing Record and local regulations
- Single source of truth for HCP data leading to higher data quality and less internal discussions about validity of the collected e-consent
- Data quality algorithm by Match & Merge to reduce duplication & improve golden records
- Seamless connections with your marketing channels (e.g web, e-detail, portal) and automated synchronized with all channels onnected, resulting in no more manual labor plus less mistakes
- Automated synchronization with widely used applications in pharma, such as Veeva & OCE
- Consent & preference center for HCPs
- Data insights based on internal and external resources
The most important
privacy laws
are:
European Union 🇪🇺
The General Data Protection Regulation (GDPR) is a regulation of the European Union (EU) that became effective on May 25, 2018.
United States 🇺🇸
In the United States there are several privacy laws and regulations on a national, state and local level. There is not one national privacy law in the United States. Certain states, like California, introduced their own comprehensive privacy laws and other states are expected to follow.
Canada 🇨🇦
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal privacy law that came into effect on January 1, 2004.
Australia 🇦🇺
The Privacy Act 1988 is a federal privacy law that sets standards for the collection, storage, use, and disclosure of personal information by Australian government agencies and some private sector organizations.
Japan 🇯🇵
The Act on the Protection of Personal Information (APPI) is a privacy law that came into effect on May 30, 2017.
Brazil 🇧🇷
The General Data Protection Law (Lei Geral de Proteção de Dados, or LGPD) is a privacy law that came into effect on August 16, 2020.
India 🇮🇳
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (also known as the IT Rules) is a privacy and data protection law in India.
China 🇨🇳
China has several laws and regulations that relate to privacy and data protection, including the Cybersecurity Law of the People’s Republic of China, which came into effect on June 1, 2017, and the Personal Information Protection Law, which is still in draft form.
Africa
Privacy laws vary by country, with some having comprehensive privacy legislation and others having limited provisions.
Middle East
Privacy laws vary by country, but generally, they follow Islamic principles and are based on personal privacy rights outlined in the national constitution.
Russia 🇷🇺
The privacy law in Russia is regulated by the Federal Law No. 152-FZ “On Personal Data”. It outlines the rules for collecting, processing, and storing personal data.
Switzerland 🇨🇭
Switzerland is implementing new legislation to better protect its citizens’ data. Swiss companies will have to comply with this legislation from September 1, 2023.
OptInsight is the
e-consent management
platform for pharma & life sciences
