What the New Federal Act on Data Protection Means for Swiss Companies


On September 1, 2023, the new Federal Act on Data Protection (nFADP) came into effect. The revision aligns the level of protection for personal data in Switzerland with the one the GDPR requires, thus ensuring that the European Commission’s adequacy decision will be renewed. This allows companies from Switzerland and the EEA to continue to exchange and process data in a legally compliant way.

On the one hand, the nFADP grants people in Switzerland better control over their personal data, particularly by strengthening the right of information and addressing the duty to provide information. On the other hand, Swiss companies face more stringent obligations in relation to data protection of their customers, partners, and employees: they are required to inform these stakeholders in a transparent, comprehensive, and comprehensible way about how their personal data is processed.

As part of their business activities, many companies outsource certain services to third parties. Under the nFADP, however, they remain responsible for the personal data they hand over to third parties for processing – whether it’s for payroll accounting, cloud storage, marketing analysis, or instant messaging. The outsourcing must therefore be secured by data processing agreements that guarantee data security at the third party’s end and maintain the company’s control over the data processing. Particularly challenging is the outsourcing to foreign providers as companies also need to ensure appropriate data protection with these providers.

Instant Messaging in Companies

Until now, the careless use of instant messaging services for business purposes in Switzerland resulted, in the worst case, only in a recommendation by the Federal Data Protection and Information Commissioner (FDPIC) to stop using them. The nFADP now strengthens the FDPIC’s competence: anyone who transfers personal information to countries for which no adequacy decision by the Federal Council exists is required to ensure appropriate data protection by means of other measures. Failing to do so might result in investigations and a ban on carrying out the data processing. Criminal complaints against data subjects or violations of orders issued by the FDPIC that are punishable by law may result in fines of up to 250,000 CHF.

In contrast to the GDPR, the fines primarily affect responsible persons in the company, e.g., the managing director, rather than the company itself. Therefore, using instant messaging services for business purposes – without data processing agreements and additional guarantees in case of foreign providers – can possibly also have a financial impact on individual natural persons.

With Threema Work, all essential data processing takes place on Threema’s own hardware in Switzerland. Personal data is not disclosed to countries without adequacy decisions, and Threema Work can be used in good conscience.

To avoid lengthy inquiries such as data transfer impact assessments, extensive regulatory measures, or even fines, it pays off to introduce a privacy-compliant business messenger like Threema Work and to be on the safe side in every respect.


Webinar About the nFADP

In our webinar on the subject, Kathrin Schmid, CISO at Friendly, and Peter Szabó, Legal Counsel at Threema, talk about what Swiss companies have to consider to comply with the nFADP’s requirements. The webinar is available in German as an on-demand recording.
