Advice on data protection issues
Data protection for your web applications
With the revision of the Federal Act on Data Protection (FADP), new rules for your web application came into force on September 1, 2023. But what does the new FADP actually regulate?
The new Federal Act on Data Protection (FADP)
The aim of the new Data Protection Act is to adapt data protection to changed technological and social conditions. In practice, this means more compliance requirements and stricter penalties for companies.
In terms of compliance requirements, the information and disclosure obligations, documentation requirements, data security regulations and the obligation to report data security breaches will be extended and tightened.
The penal provisions have also been tightened: higher fines can be imposed (up to CHF 250,000.00), personal liability moves to the fore, and, because the supervisory authority's powers have been strengthened, administrative proceedings with cost consequences may be initiated.
The new Swiss Data Protection Act is aimed at all companies whose customers are based in Switzerland. This means that the FADP is not based on the company's location, but on its customer data.
What does this mean for my web application?
- Data processing should be documented. Keeping a data processing directory is mandatory for companies with more than 250 employees or where particularly sensitive personal data is processed.
- How is your data obtained and processed? An up-to-date privacy policy is mandatory.
- Technical and organizational measures must be taken; we recommend reviewing your IT regulations to ensure the security of your employees' and customers' data.
- If you pass data on to third parties or institutions, we recommend concluding a data processing agreement (DPA).
- For future projects, document the project and the measures relating to data processing. A corresponding data protection impact assessment is mandatory.
- Data subjects can exercise the following rights on request: access to their data (request for information), correction of data, the right to a human hearing in automated individual decisions, and deletion (a deletion concept is required).
- Is personal data processed directly or indirectly in other countries, for example through Google services? Data protection in these countries must be checked and complied with.
- Is there a notification process for the Federal Data Protection and Information Commissioner (FDPIC) and other affected parties in the event of a data breach?
- Privacy-by-default settings should limit data collection to the minimum information required.
- All data entrusted to you must be kept confidential.
- Customers must be informed of any data processing.
- A data protection officer is not required by law. Note, however, that penalties are imposed on individuals, not on the company itself.
Can't see through the data protection confusion?
We are happy to support you in checking your web application and implementing data protection measures.
instride.sign
Thinker
David Rellstab
Management