The Parliament has adopted the new Federal Data Protection Act (nLPD), which improves the handling of personal data and grants new rights to Swiss citizens. This significant legislative change brings a number of obligations for businesses.

The complete revision of the Data Protection Act (nLPD) and its related executive provisions contained in the new Data Protection Ordinance (OPDa) will come into effect on September 1, 2023.

What are the main changes?

The nLPD introduces the following eight main changes for businesses:

  1. Only data of natural persons is now covered; data of legal entities is no longer included.
  2. Genetic and biometric data are included in the definition of sensitive data.
  3. The principles of “Privacy by Design” and “Privacy by Default” are introduced. As indicated by the name, the principle of “Privacy by Design” (data protection from the outset) implies that developers integrate privacy protection and respect for users’ privacy into the structure of the product or service intended to collect personal data. The principle of “Privacy by Default” ensures the highest level of security from the launch of the product or service, automatically activating all necessary measures to protect data and limit their use, without user intervention. In other words, all software, materials, and services must be configured to protect data and respect users’ privacy.
  4. Impact assessments must be conducted in case of high risk to the personality or fundamental rights of the data subjects.
  5. The right to information is extended: the collection of any personal data, not just sensitive data, requires that the data subject be informed in advance.
  6. It becomes mandatory to keep a record of processing activities (companies with fewer than 250 employees are exempt if their processing of personal data carries a low risk of infringing on the personality of data subjects).
  7. A data security breach must be promptly notified to the Federal Data Protection and Transparency Commissioner (IDT).
  8. The notion of profiling (i.e., automated processing of personal data) is included in the law.

The IFPDT website provides more precise and detailed information on the changes introduced by the nLPD.

Differences from the EU

Companies that already comply with the EU General Data Protection Regulation (GDPR) will have few changes to make. The SwissPrivacy.Law association has published a comparative table (in French) between the nLPD and the European Regulation.