Regulatory
Data protection
Basics
4 min
⚡tl;dr both the swiss law (fadp) and the european regulation (gdpr) can apply simultaneously to swiss companies understand your role the controller is the entity determining the purpose and the means of the data processing the processor processes data on behalf of the controller the law provides an exhaustive list of sensitive data (e g , health data) there's an information obligation for the controller this is usually performed in a privacy policy book a free call with us strategy & risks data protection laws can significantly impact your business model this is, in particular, relevant for data intensive businesses in these cases, it is key to understand the impact of these rules and to outline a key strategy to tackle any issues general risks are fines for board members (in switzerland) and for the company (in the eu) as well as reputational damage for companies active in b2b fields, having a proper set up is a requirement to sell your services to customers when do the fadp and the gdpr apply? the fadp is the swiss federal act on data protection; it applies when the data processing is done in switzerland or when the data processing is done abroad but has an impact in switzerland if personal data are processed (see below for the definition) if the data are processed by private persons (e g , by companies) or by the federal administration, but not when the data are processed by cantons or cities the gdpr is the european general data protection regulation; it applies when the data processing is done in the eu or when the data processing is done out of the eu (e g , in switzerland) but relates to the offering of goods or services to people in the eu; or the monitoring of behaviors of people taking place in the eu if personal data are processed (see below for the definition) through automated means (e g , ai) or (in case they are not processed by automated means) if they are meant to be included in a filing system (e g , hard drive, cloud) keep in mind that data protection laws do not apply to data processing done exclusively for personal use both regulations can apply simultaneously this is often the case for swiss companies targeting swiss and european customers what are the key definitions? personal data any information relating to an identified or identifiable physical person, such as name, birth date address, email, phone number iban log in data ip address etc sensitive data (fadp) / special categories of data (gdpr) personal data deemed as more important because of their significance to the core personal elements of a person these are data relating to religious, philosophical, political, or trade union related views or activities; data relating to health, the private sphere or affiliation to a race or ethnicity; genetic data; biometric data that uniquely identifies a natural person; data relating to administrative and criminal proceedings or sanctions; data relating to social assistance measures (only for fadp) processing any handling of personal data this is a very wide definition, and it includes collecting, storing, using, amending, archiving, deleting, and even reading data controller the company (or person, or authority) determining the purpose and the means of the processing it is often the party collecting the data, but not necessarily keep in mind that there can be joint controllers processor the company (or person, or authority) processing data for the controller sub processor the company (or person, or authority) processing data for the processor, as a sub contractor data subject the person whose data is being processed best practices fadp/gdpr it is clarified whether fadp, gdpr, or both are applicable to the data processing controller/processor for each processed dataset, the role (data controller or data processor) of the company is understood and confirmed in writing sensitive data for each processed dataset, it is understood and confirmed in writing whether sensitive data is processed when can i process data? under the fadp , data processing is generally authorized without justification grounds, provided that the data subject is sufficiently informed (see privacy and cookies policies docid\ d qvtdko8ubv8hewvtf6m ) if the processing unlawfully breaches the data subject's rights (e g , because it violates the legal obligations or is against the express wish of the data subject), it is only possible if it is legitimized by a justification ground under the gdpr , any processing is unlawful and must be legitimized by a justification ground in both cases, justification grounds include the consent of the data subject (which must sometimes be given expressly); an overriding private, public, or vital interest ; execution of a contract with a data subject or for the purpose of entering into a contract with a data subject; the law information duty in any case, as a data controller , you must inform the data subjects of the processing and its related elements this is done in privacy and cookies policies docid\ d qvtdko8ubv8hewvtf6m when processing data, the data controller must establish a record of processing activities (ropa) this is an obligation for all companies under the gdpr and for all companies with more than 250 employees under the fadp the ropa is an overview of the key processing activities incl types of personal data, controller vs processor, and overview of sub processors best practices justification grounds justification grounds are collected and documented when required to process personal data ropa there is an overview of the key processing activities what do i do if i process sensitive data / special categories of data? processing sensitive data means having to comply with additional requirements if the processing is based on consent, this consent must be explicit other justification grounds might also be applicable (e g , the doctor must process health data to cure patients) stricter technical and organizational measures must be implemented to ensure data security in the case of the large scale processing of sensitive personal data, a data protection impact assessment must be carried out am i compliant? book a flat fee assessment with us to understand where your blind spots are and have the proper documentation in place read more on the lexr blog https //www lexr com/en ch/blog/data controller data processor/ https //www lexr com/en ch/blog/data controller data processor/ https //www lexr com/en ch/blog/preparation as new swiss data protection act comes into force/ https //www lexr com/en ch/blog/preparation as new swiss data protection act comes into force/https //www lexr com/en ch/blog/gdpr switzerland/ https //www lexr com/en ch/blog/gdpr switzerland/https //www lexr com/en ch/blog/iot and gdpr/ https //www lexr com/en ch/blog/iot and gdpr/