
The revised Swiss Data Protection Act (FDPA) will come into force on September 1, 2023. What does it mean for Swiss companies, and how can they prepare?


Friday, 9 September, 2022

The Federal Council decided at its meeting on August 31, 2022, that the new Data Protection Act (DPA) would go into effect on September 1, 2023. The Data Protection Ordinance (DPO) and the Ordinance on Data Protection Certifications (ODPC) were issued by the Federal Council and will go into effect simultaneously with the DPA.



On September 25, 2020, the Swiss Parliament unanimously approved the comprehensively amended Data Protection Act (revDPA). With this, work on modifying the necessary implementing provisions started during the fall of 2020. The Federal Council opened the consultation on the matter on June 23, 2021, and it continued until October 14, 2021.


The Federal Office of Justice has now communicated that the new law will enter into force on September 1, 2023.


According to the report on the outcome of the consultation procedure of August 31, 2022, a large number of parties participated in the consultation: 24 cantons, the Conference of Cantonal Data Protection Commissioners "privatim", political parties, and numerous business, consumer protection, and data protection associations, including Walder Wyss, submitted comments.


The Federal Council has now decided that the following will enter into force on September 1, 2023:


  • The completely revised Data Protection Act (revDPA)
  • The new Data Protection Ordinance (DPO)
  • The new Ordinance on Data Protection Certifications (DPCO)


This gives the Swiss economy another year to adapt to the new conditions.


This means that the final version of the DPO is now available after a long wait.


What new ideas are in the recently released ordinance (DPO)?


Here's a quick rundown of the most important DPO rules:


Confirmation of the risk-based approach: Every section of the DPO confirms that the (due diligence) steps, in areas such as data security or international transfer, are based on the (potential) risk to the data subjects.


Data security breaches: In the event of a data security breach, the DPO details what must be communicated to the FDPIC and affected individuals. Additionally, there is a legal requirement to keep certain records (the documentation must be kept for at least two years from the time of the notification).


Register of Processing Activities (RoPA): Companies under private law with fewer than 250 employees are usually not required to keep a RoPA. There are exceptions, such as when a lot of "particularly sensitive personal data" or "high-risk profiling" is processed. But keeping a RoPA can also be helpful in these situations, especially when it comes to making the data protection declaration.


Automated processing of personal data at "federal bodies": Planned automated processing activities (for example, in connection with automated decision-making) must be reported to the FDPIC at the time of the project decision and at the time of the transition to productive operation (or project termination).


Duty to inform: As everyone knows, in the future companies will have to inform people about the personal data they collect (e.g., using a data protection declaration). The DPO says that the information must be given "in a precise, clear, understandable, and easy-to-find form." According to the German explanatory report, a website's data protection declaration follows "best practice" by giving information in the form of a structured overview.


There is a requirement to keep data protection impact assessments for at least two years (after the end of data processing).


What steps should Swiss companies take at this point?


The new requirements must be fully implemented within one year. Businesses that haven't already started should begin implementation immediately, particularly since it may also have ramifications for information technology (such as the installation of deletion capacity).


In addition to the deadline for implementation, there is a second deadline: businesses have until December 31, 2022, to replace any SCCs that are still based on the "old" version (that is, those that date back before August 27, 2021) with the new SCCs that have been tailored to Switzerland.