New Federal Act on Data Protection: What you need to know right now as a private individual

1 September 2023 is the date: The New Federal Act on Data Protection for Switzerland comes into effect. It is long overdue: because the current Federal Act on Data Protection is based on its fundamental principles from the year 1992, is considered outdated, and is particularly weak in terms of enforcement. Find out here to what extent you are affected by the new Act and how you can avoid fines of up to CHF 250,000.  

What is important for you: The New Federal Act on Data Protection does not just apply to federal authorities and companies processing private data. Private individuals like you and me, as well as associations, are also affected. 

But what is actually protected? The short answer is: personal data. Specifically, this means: all information that relates to a particular or identifiable person. Personal data includes, for example, your name, your email address and your date of birth.   

What you need to do now

If you do not process personal data, you can relax and enjoy your newly gained rights. But be careful! You may not even be aware that you are processing personal data. In a legal sense, you are also doing so in the following examples:

• You don't have a website, but you own a small kebab shop. You write down addresses and phone numbers in a notebook when taking an order.
• You have a private blog where you write about your passion, bird photography. People leave comments under the photos or you send a newsletter once a week.        
• You manage the website for your music club. The website has a contact form through which potential new members can sign up.

In all these examples, you are intentionally or unintentionally processing personal data. This means: you must now adhere to the following obligations.

• Information obligations: when you process personal data, you must inform the individuals concerned. And: you now require a mandatory privacy policy. You will find out below what should be included in it.
• Notification obligations: If you lose the data you process or if it’s stolen, you must inform the Federal Data Protection Officer (FDPO).  
• Access obligations: if someone wants to know what you are doing with their data, or wants you to delete it, you must comply with this request within 30 days.  
• Information obligations: you must maintain comprehensive records of existing personal data, including information about the nature and purpose of data processing, as well as the recipients of this data.
• Increased priority of data security: you must adequately protect personal data. 

Creating a privacy policy

If you collect personal data (e.g. through contact forms, comment features, or chats), you must now inform your visitors of this. There are four important points that you must communicate to them in your privacy policy: 

• Why you are collecting this personal data in the first place (i.e. the data collection purpose).  
• Who exactly is responsible for data collection and how this person can be contacted (name and contact information of the body or person responsible).
• If you pass on the data to someone, you must indicate who these recipients are.  
• If you pass on the data abroad, you must indicate the country where the recipients are located.  

Long overdue 

Finally, a new Federal Act on Data Protection is coming into effect that meets international standards. Lawyers or legal advisors will certainly be happy to explain to you how to ideally respond to the new legal situation in specific cases. Irrespective of this, you now have all the information to enjoy your new rights and a fundamental understanding of your obligations.