The new Data Protection Representative role in Switzerland

The Data Protection Representative obligation continues to be added to the data protection laws of countries around the world – from 1st September 2023, Switzerland joins those countries with its revised Federal Act on Data Protection

For one reason or another, many countries like to see themselves as exceptional, but Switzerland is probably one of the truly exceptional countries on the planet. Its geographically unique position, much of it in the Alps, has allowed it to stay apart from many global events – most famously, in the last century, continuing its policy of armed neutrality (in place since the 16th century) and remaining neutral during both world wars while the rest of Europe descended into conflict around it. It remains outside the European Union (“EU”) and the European Economic Area (“EEA”), but is a member of the European Free Trade Association (“EFTA”) and, through bilateral treaties, participates in parts of the European single market and in the Schengen Area (which removes border controls between participating European states).

However, the modern world of data processing has not passed Switzerland by, and it has been necessary to update its data protection law, in no small part to maintain the adequacy status it enjoys with the EU, which permits transfers of personal data from the EU to Switzerland. The updated Swiss Federal Act on Data Protection (“FADP”, or sometimes “revFADP”, indicating the revised version)[1], which enters into force on 1st September 2023, aims to ensure the continuation of this beneficial position.

In the guidance notes to the updated law[2] issued by the Federal Data Protection and Information Commissioner (“FDPIC”, the Swiss data protection authority), the FDPIC notes that the Swiss law, although it takes account of GDPR, “complies with the Swiss legal tradition” and “stands out from the GDPR not only because of its brevity, but also a partly different terminology”.

The brevity is clear – the German-language version of the Swiss law is a little under one fifth (by word count) the length of the German-language version of GDPR[3].

The different terminology is also apparent in places (although the English-language version of the revised FADP made available by the FDPIC has carried many of the GDPR terms across), but the difference between the obligations is often wider than the difference in vocabulary. A good example is the Data Protection Officer (“DPO”) equivalent under FADP Article 10, which is optional for private companies, whereas under GDPR Article 37(1) it is mandatory for companies meeting certain criteria. The natural assumption is that this will lead to little take-up, but the Swiss role has one feature which may encourage adoption: if a Swiss DPO is sufficiently independent, they can advise on matters relating to Data Protection Impact Assessments (“DPIAs”) which would otherwise need to be referred to the FDPIC (FADP Article 10(3); such a referral is expected where, “despite the measures planned by the controller”, the processing “will still pose a high risk to the personality or the data subject's fundamental rights”, FADP Article 23(4)). The suggestion that the DPO would advise on the DPIA implies that they will not be the one preparing the assessment – this is supported by the FDPIC FAQs[4], which state that “he or she trains and advises employees on data protection issues (e.g. in the preparation of a data protection impact assessment…)”[5].

On the terminology point, it is interesting that the title “Data Protection Officer” is used in the FDPIC-provided English translation, whereas the German original uses the different title “Data Protection Advisor” – presumably to distinguish the Swiss role from its counterpart under EU law.

One of the clearest examples of variation between the two laws is their extra-territorial application. A strict reading of FADP indicates that it applies to any company, wherever based, if it processes the personal data of individuals in Switzerland (FADP Article 3(1)); GDPR, by comparison, only applies to companies outside the EU if that processing arises from the offering of goods and/or services to individuals in the EU, or the monitoring of their behaviour there (GDPR Article 3(2)).

Having said this, it is worth noting that many of the familiar principles of GDPR are included, such as the now-familiar obligation to apply data protection by design and by default to the processing of personal data (FADP Article 7, GDPR Article 25).

There are a number of other variations in the updated FADP from both the previous Swiss law and GDPR – this article deals only with the obligation to appoint a Data Protection Representative in Switzerland, and compares it to the equivalent under EU GDPR.

The Swiss Data Protection Representative:


The Data Protection Representative obligation, introduced in limited circumstances by the EU in the Data Protection Directive of 1995 and widened significantly in 2016 by the GDPR, has also been included – to a degree – in the updated FADP. The Representative obligation under GDPR, set out in Article 27, requires those companies which have no EU location but are required to meet GDPR’s obligations as a result of offering goods/services to, or monitoring, individuals in the EU to appoint a Representative in the EU to (primarily) act as their point of contact, hold their record of processing activities (“ROPA”) and make that document available to the EU supervisory authorities on request.

An equivalent Representative role has also been created in Switzerland under the updated FADP, but in more limited circumstances. Set out in FADP Articles 14 and 15, the Swiss Representative is only a requirement for companies outside Switzerland where all of the following apply:


  • The organisation is required to meet the obligations of FADP – the FADP “applies to circumstances that have an effect in Switzerland, even if they were initiated abroad” – so any organisation processing the personal data of individuals in Switzerland is required to meet the obligations of FADP when undertaking that processing (FADP Article 3).
  • The data controller has no domicile in Switzerland – the obligation applies to companies which are “based or domiciled abroad” (FADP Article 14(1)). Unlike GDPR, which removes the EU Representative obligation where the overseas company has an “establishment” in the EU (“the effective and real exercise of activity through stable arrangements … the legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect”), the position is less clear in Switzerland. The safest interpretation is that under FADP a company must have a “domicile” in Switzerland (i.e. a registered entity, such as a branch office or subsidiary company) to avoid the need to appoint a Representative, but some commentators take the view that a GDPR-type establishment with no form under Swiss law (e.g. a Swiss office which is not registered with the Swiss authorities) would be sufficient.
  • The processing is undertaken in the role of data controller – a data processor is not obliged to appoint a Swiss Representative (FADP Article 14(1)). The FADP scope of these roles is roughly analogous to the GDPR equivalents; a data controller is the party which decides on the purpose and means of the processing of the personal data (FADP Article 5(j)/(k)).
  • The processing of Swiss personal data arises from the offering of goods and/or services to Switzerland, or the monitoring of individuals there (roughly comparable to the circumstances which cause GDPR obligations to apply at all to non-EU companies – e.g. selling in Swiss francs suggests the controller would meet this requirement, but a website simply being accessible from Switzerland would not be enough) (FADP Article 14(1)(a)).
  • That processing “is on a large scale” (FADP Article 14(1)(b)) (e.g. the processing is not occurring only “in isolated cases”[6]).
  • That processing “is carried out regularly” (FADP Article 14(1)(c)) (e.g. “more than processing for a limited time or only occasionally”[7]).
  • That processing “poses a high risk to the personality of the data subjects” (FADP Article 14(1)(d)) (assessed case by case on the basis of e.g. the amount and type of personal data, and the purpose and manner of processing[8]).

The duties placed on the Representative are also slightly reduced. Apart from it being made clear that the Representative carries no liability for the acts of its clients[9] (a point which remains unclear under GDPR, although liability for the Representative does arise specifically in Spain[10]), the obligation to act as the contact point for data subjects (FADP Article 14(2)) is simply to provide them with “information on how they can exercise their rights” (FADP Article 15(3)), rather than permitting the data subject to address their requests to the Representative, as is the case under GDPR. This is confirmed in the FDPIC’s FAQs on the new law, which state that “the data subject can only exert their right of access with the controller themselves and not with the Representative.”[11]

The obligation on the Swiss Representative to hold the record of processing activities (“ROPA”) (FADP Article 15(1)) – a document summarising the data processing activities undertaken by the controller – and make it available to the authority (FADP Article 15(2)) is, in practical terms, identical to that under GDPR (GDPR Articles 30(1) and (4)), although the content required in that document under FADP is somewhat reduced. A wider exemption from preparing the ROPA also exists under FADP, which allows companies with fewer than 250 employees to avoid it where the data processing presents a low risk of damage to the individual (FADP Article 12(5)). The FDPIC’s FAQs expand on this by clarifying that organisations processing special category data or undertaking high-risk profiling (as distinct from high-risk processing generally) will not benefit from this exemption, although only the processing relating to those activities needs to be recorded in the ROPA[12]. To qualify for the ROPA exemption under GDPR, an organisation must additionally meet the requirement that the EU data processing be occasional (GDPR Article 30(5)). Whereas FADP always requires public bodies to provide the ROPA to the FDPIC (FADP Article 12(4)), private organisations need only do so on the FDPIC’s request[13].

Enforcement of the Representative obligation is also more complex. The FDPIC can instruct a company outside Switzerland to appoint a Representative (FADP Article 51(4); presumably the FADP would already have required that company to do so) and, only if the company has still failed to appoint a Representative after that order, can enforcement be brought through the courts (the FDPIC itself has no sanctioning power[14]) by way of a fine of up to CHF250,000 (roughly €260,000) (FADP Article 63). It is worth noting that the maximum penalty under the previous FADP was CHF10,000.

By comparison, a failure to appoint a Representative under GDPR can be enforced immediately by an EU supervisory authority against a non-EU company, without first having to issue a warning to observe a legal requirement which always applied to it – under GDPR, that fine may be up to the larger of €10m or 2% of global turnover (GDPR Article 83(4); the largest fine to date for this violation was €600,000 against Clearview AI by the Italian Garante[15]). However, one difference in the Swiss approach to fines is worth noting – the fine would usually be imposed on specific managers in the company, rather than on the company itself. This arises because fines against a company are generally prevented by Swiss law[16], although there is a possibility of fining the company itself (up to a maximum of CHF50,000) if determining the individual at fault “would entail a disproportionate amount of investigation”[17].

The FAQs issued by the FDPIC indicate that the obligation to appoint a Representative is “likely to affect large internet platforms and social networks based abroad in particular”[18], although – at the level of fines proposed – it is hard to imagine that those larger companies will be as worried about the FADP as they were about GDPR in 2018.

The effect:


Although the FADP is less stringent than GDPR, and the obligation to appoint a Representative is expected to arise less frequently, there are a couple of factors which are likely to drive compliance with this rule, whether it applies or not.

The first factor, as always in matters of privacy, is corporate reputation. Individuals are increasingly concerned about how their data is being used; companies which have suffered data breaches or faced censure from data protection authorities tend to take a hit to their reputation, which ultimately affects both their valuation and their profit (from lost business as well as the cost of repairing that reputation)[19].

Secondly, for both operational convenience and consistency, those companies will most likely already be required to meet the obligations of GDPR (either as EU-based companies, or as companies outside the EU selling into Europe). It isn’t unusual for such companies already to apply GDPR-level data protection to the personal data they process in Switzerland – frankly, maintaining a different level of protection for a single country (which is surrounded by countries in which they are obliged to meet GDPR’s obligations) simply makes no operational sense in most situations.

If those companies are located outside Europe, they will probably have already appointed a GDPR Representative in the EU (and, post-Brexit, in the UK), and extending that appointment to Switzerland is an option the larger Representative service providers will make simple for them.

This will likely be the case regardless of whether they cross the higher threshold that makes the Swiss Representative appointment mandatory: making a local contact point available in their privacy notice for EU data subjects can only help at a time when those individuals are likely to be disgruntled about the use of their data; why deny the equivalent to individuals in Switzerland when providing it is simple, and may help to begin the process of reassuring them?

Conclusion:


Like many other countries across the world, Switzerland is keen to demonstrate the steps it is taking to protect the personal data of those within its borders, at a time when the use (and abuse) of personal data increases daily.

The obligation for non-Swiss companies to appoint a Switzerland-based Data Protection Representative is a key part of this process – as it has also been with many other countries – to ensure that those individuals in Switzerland have access to their data rights with the companies which are based elsewhere.

This drive to protect data rights – wherever it takes place – is good news; now we look forward to seeing it in action!


An article by Tim Bell, Managing Director of DataRep Switzerland

Tim Bell is Managing Director of the DataRep group (www.datarep.com) including DataRep Switzerland (www.datarep.ch), which provides the Swiss Data Protection Representative service for its clients, along with the equivalent EU/EEA and UK GDPR Data Protection Representative services. If you have any questions about the service or this article, please contact Tim at [email protected].

(Please be aware that any translations of Swiss documentation into English in this article were obtained using AI and may not be 100% accurate. The author wishes to thank Marie Penot for her assistance in interpreting some of the German materials.)


[1] German original: https://www.fedlex.admin.ch/eli/cc/2022/491/de; FDPIC English language translation: https://www.fedlex.admin.ch/eli/cc/2022/491/en

[2] “The new data protection law from the perspective of the FDPIC” (in German) https://www.edoeb.admin.ch/dam/edoeb/de/Dokumente/datenschutz/Leitfaden%20Das%20neue%20Datenschutzgesetz%20aus%20Sicht%20des%20ED%C3%96B_20221009.pdf.download.pdf/Leitfaden%20Das%20neue%20Datenschutzgesetz%20aus%20Sicht%20des%20ED%C3%96B_20221009.pdf

[3] https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32016R0679&qid=1690475166253

[4] FAQs: https://www.bj.admin.ch/dam/bj/de/data/staat/gesetzgebung/datenschutzstaerkung/faq-dsr.pdf.download.pdf/faq-dsr-d.pdf (in German)

[5] FAQs paragraph 3.7.2

[6] FAQs paragraph 3.6.2.3

[7] FAQs paragraph 4.1.1

[8] FAQs paragraph 4.1.1

[9] FAQs paragraph 4.2

[10] https://www.boe.es/boe/dias/2018/12/06/pdfs/BOE-A-2018-16673.pdf (in Spanish), Article 70(1)(c)

[11] FAQs paragraph 4.2

[12] FAQs paragraphs 3.8.6, 2.3.2

[13] FAQs paragraph 3.8.4

[14] FAQs paragraph 11.3

[15] https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9751362 (in Italian)

[16] FAQs paragraph 11.2

[17] See footnote 2, para 21

[18] FAQs paragraph 4.1.1

[19] https://www.ibm.com/downloads/cas/E3G5JMBP, https://repository.uel.ac.uk/download/246effc254cea1de0ad26b1e2eeb1226533990f9ba5f68bcc7a5b5c1942e2f4b/1227535/ECCWS21-Proceedings%20EWS-088.pdf
