Iubenda logo
Start generating

Documentation

Table of Contents

How to comply with the revised Swiss Federal Act on Data Protection (FADP)

Are you a publisher targeting users in Switzerland? Starting July 2024, it’s essential to integrate a certified CMP compliant with the TCF. This change to an opt-in model is crucial to maintain proper ad display and protect your revenue streams. Learn more →

What is the new Federal Act on Data Protection (FADP), does it affect you, and how do you comply with FADP using iubenda? We break it down in easy, understandable terms in the sections below.

In short
  • The new Federal Data Protection Act (FADP) is the result of a complete revision of the previous Swiss Data Protection Act and entered into force in September 2023.
  • The new FADP differs in several ways from the GDPR → FADP updates and GDPR: What are the main differences?
  • The new FADP applies to the processing of personal data with effects in Switzerland, even if carried out abroad. It does not apply to the processing of personal data by individuals for exclusively personal use. Jump to How iubenda can help you to comply.
  • Non-compliance is punishable by fines of up to CHF 250,000 under the revised Swiss FADP.

What is the new Federal Act on Data Protection (FADP) and its territorial scope?

The Swiss central data protection law enacted at the federal level is the Federal Act on Data Protection, which dates back to 1992 and was partially updated in 2019. Consequently, the Swiss Parliament has adopted a fully revised version of the law.

The new FADP applies to the processing of personal data with effects in Switzerland, even if carried out abroad, and imposes new requirements on businesses.

Our solutions eliminate the need for guesswork in compliance by handling the heavy technical and legal aspects.

With iubenda, you can meet these new legal requirements.

How iubenda can help you to comply

Privacy and Cookie Policy Generator 

The new FADP requires you to provide your users with an up-to-date Privacy Policy that includes all the information necessary for users to assert their rights and ensure transparent processing of their data. This includes, among other things:

  • your identity and contact information;
  • the purpose of the processing;
  • if applicable, the recipients or the categories of recipients to which personal data is disclosed;
  • if data is not collected directly from the user, the categories of personal data which is processed;
  • if personal data is disclosed abroad, you should also inform the data subject of the name of the State or international body and, as the case may be, the safeguards or the applicability of one of the exceptions provided by law. 

With our Privacy and Cookie Policy Generator, you can now enable a compliance solution for FADP.

👉 Generate your FADP Privacy Policy or update your existing policy by clicking “Enable FADP disclosures for users in Switzerland” to activate the new FADP-specific sections and clauses.

Find it here:

  • log into your privacy policy admin area;
  • enter the editing of your privacy policy, which can be found via our Dashboard, then click on your policy and go to Edit from the privacy policy section;
  • under the heading “Enable FADP disclosures for users in Switzerland” choose Enable.

This allows you to consider your specific case and react to where your users/clients are based, and choose accordingly. If you have enabled disclosures for multiple legislations (e.g., GDPR, FADP, LGPD, and US State Laws), you will see that links to the legislation-specific sections have been added to your privacy policy. This way, your users can easily navigate to the section that concerns them.

👀 Take a look at this example of a Privacy Policy generated with iubenda

💡 We’ve added a Site Scanner within the service’s window of the generator, allowing you to quickly inspect your site in real-time and identify which services you need to add to your policy.

If you use automated processes to make decisions that have a legal or similar impact on your users by utilizing their personal data, or if you use personal data to create profiles of your users, it is important to inform them. To assist you in meeting the transparency requirements, our Privacy and Cookie Policy Generator provides two clauses that can serve as a basic model for such disclosure. You can find these clauses by typing ‘Automated decision-making’ or ‘Profiling’ in the service search bar. However, we highly recommend that you review these clauses to determine their applicability to your specific case. If necessary, you can provide a more detailed description of your automated decision-making and profiling activities by adding custom clauses.

📌 Addition of new data transfer clauses 

Our Privacy and Cookie Policy Generator offers additional clauses related to the transfer of data outside of Switzerland. These clauses, if selected, will be shown in your privacy policy inside both the simplified and the complete versions, under the section dedicated to Users in Switzerland and their privacy rights.

These additional clauses can be of great help, but they contain broad and generic descriptions since we do not know exactly how you transfer data abroad. Therefore, we highly recommend that you check if they apply to your case and, if needed, describe your data transfer activities in more detail by adding custom clauses.

💡With our Register of Data Processing Activities, you can specify which is the legal basis for data transfer abroad according to FADP for each service inside your privacy policy.

Note

The Swiss Federal Administration has recently adopted its adequacy decision for the Swiss-U.S. Data Privacy Framework (DPF). The adequacy decision concludes that the United States ensures an adequate level of protection for personal data transferred from Swiss to US companies participating in the Swiss-U.S. Data Privacy Framework.
With our Register of Data Processing Activities you can specify “Swiss-U.S. Data Privacy Framework” as the legal basis for data transfer for those service provider (e.g. Google) that adhere to the Swiss-US DPF.

💡 For more information on privacy policies, click here.

Privacy Controls and Cookie Solution

If you use cookies or similar technologies, the FADP requires you to: 

  • inform your users about the use of cookies and similar technologies 
  • provide your users with an easily accessible way to exercise their right to opt out at any time of the use of cookies and similar technologies 

How do I comply?

To provide transparency about the use of cookies and similar technologies, you can: 

1) Activate your cookie policy inside the iubenda Privacy and Cookie Policy Generator → How to Generate a Cookie Policy for the Cookie Banner

2) Once you have completed the activation of your privacy and cookie policy make sure the “Switzerland” tile within the Privacy Controls and Cookie Solution is enabled: the solution will autoconfigure to help you meet the new FADP requirements allowing your users to exercise their right to opt out

👉 Simply select where you and your users are based while configuring the Privacy Controls and Cookie Solution, and the solution will do the rest!

Our Privacy widget can help you comply with the requirement to offer a simple way for your users to exercise their right to opt out: a small, unobtrusive widget, with a predefined format and label, will be displayed on every page of your website.

❓Don’t want to use our Privacy widget and prefer a manual link to place wherever you like?

To do this, under the Style & Text section, click Edit on the Privacy widget box, then simply choose the option to add it Manually.

If you want to add the link manually, remember to place it on your website/app in an easily accessible spot, for example, the footer or the application settings.

❓Do I need to display a cookie banner on the user’s first visit, under FADP?

Short answer: no, you don’t need one.

Under the FADP, a cookie banner does not represent a specific requirement, as the legislator has followed an opt-out approach. This means that, in most cases, you may perform processing activities based on the use of cookies or similar technologies, without obtaining users’ prior consent, up until the moment in which users decide to actively deny their consent to such processing.

That’s why you don’t necessarily need a cookie banner. If, anyway, you would like to display an informative banner on your website/app that simply contains the links to the cookie policy, our Privacy Controls and Cookie Solution has a dedicated option for this.

Inside the Switzerland tile, under the Manual configuration, select the option “Show a cookie banner upon the user’s first visit”

Note: if you prefer to apply a prior consent approach to the use of cookies and similar technologies, our solution offers you such option, which is likely the one preferred by the Swiss data protection authority. You can do so by enabling the GDPR (or LGPD) tile in the compliance settings view of the Privacy Controls and Cookie Solution (read the following paragraph for further instructions).

❓ What can I do if I have to comply with other legislation that requires a prior-consent/opt-in approach to the use of cookies and similar technologies, such as the GDPR and LGPD, for example?

Some of the legislation covered by our solution, such as GDPR and LGPD for example, require prior-consent (i.e., cookies and similar technologies are not placed until the user has given consent). 

It might be the case that according to where you or your target users are located, you are required to comply with multiple legislation at the same time that follows different approaches (i.e., prior consent approach vs. opt-out approach). When this happens, our Privacy Controls and Cookie Solution offers you different options to address the problem: 

Take advantage of the geolocation feature (this might require you to update your plan). With the geolocation feature, you can decide to apply different approaches (i.e., prior consent approach vs. opt-out approach) based on the user location. E.g., taking into consideration your specific situation, you can decide to apply GDPR (prior-consent approach) to users in Europe only and the Swiss data protection framework (opt-out approach) to users in Switzerland only. In order to do so, you have to select the related option under the Manual configuration inside the respective legislation tiles.

Apply globally the prior consent approach (this option will be the default if, according to your plan, you don’t have the geolocation feature activated). Therefore, a consent-based approach (i.e., trackers are not placed until the user has given consent) rather than an opt-out approach will be applied to all your users regardless of their location

Note: even if you are not required to comply with legislation other than FADP (i.e. you and your target users are located in Switzerland only), but you still prefer to apply a prior consent approach to the use of cookies and similar technologies, our solution offers you such option, which is likely the one preferred by the Swiss data protection authority.

❓ Haven’t generated a Privacy Policy and Cookie Policy with us, or simply want to customize things yourself?

Within the Privacy Controls and Cookie Solution Generator, simply enable the Switzerland option.

Next, click on Manual configuration and select the options that apply to your case:

Take control of your data protection compliance and comply with the revised Swiss Federal Act on Data Protection (FADP).

Create a privacy policy today!

Start generating