Checklist: How to write a privacy policy for the new FADP and GDPR?

21/06/2021

With the new Swiss Federal Act on Data Protection (FADP) expected to come into effect in January 2022, now is a good time to revise your privacy policy and make sure it covers all the key points.

The new FADP largely mirrors the European Union (EU) General Data Protection Regulation (GDPR), which came into effect in 2018. If you already have a GDPR-compliant privacy policy, there is little you need to add (see section 1 below). For the entire checklist, see section 2.

We have a GDPR-compliant privacy policy. What do we need to do?

The new FADP adopts the principles of the GDPR to a large extent. As a result, the information a business must provide about its data processing activities in its privacy policy is equivalent to, or less extensive than, what the GDPR requires. Only for transfers abroad does the new FADP go beyond the GDPR: businesses must list the countries to which they transfer personal data, together with the measures taken to ensure adequate protection there.

In scholars’ view, which we support, a generic statement that transfers abroad can occur ‘worldwide’ remains possible. The measures implemented still need to be named, however. For example, state that transfers only take place to countries with adequate data protection as listed by the Swiss Federal Data Protection and Information Commissioner (FDPIC) or on the basis of approved Standard Contractual Clauses.

Keep reading for a detailed overview of a FADP- and GDPR-compliant privacy policy. 

Privacy policy checklist

This checklist guides you through the FADP- and GDPR-compliant privacy policy requirements for a typical website.

  • Identity and contact details of the controller and the controller’s Swiss or EU representative.
    • Make sure you include the company name, address, and contact email.
  • Personal data or categories of data.
    • If you collect data about an individual indirectly (which is almost always the case if you, e.g., collect browser data or use Google Analytics), both the GDPR and the FADP require you to address the personal data you collect in your privacy policy.
    • To this end, you may either list all the personal data you process in detail (e.g., name, address, phone number, email) or only the categories of personal data (e.g., contact details).
    • We usually suggest listing the categories of data, as an exhaustive list is challenging to draft and keep up to date.
  • Purpose(s) of processing.
    • Under both the FADP and the GDPR, you need to inform individuals why you process their data in the first place. The most common purposes of processing are the following:
      • To provide and develop your products, services, and website.
      • To recruit job candidates.
      • To market your services.
      • To assert legal claims and defend yourself in legal disputes and official proceedings.
  • Recipients/categories of recipients.
    • You have the option of listing the actual recipients or simply the categories of recipients (e.g., data storage and hosting providers, CRM systems). Keep in mind that although group companies qualify as ‘recipients’, your employees and internal departments do not.
    • We again typically recommend listing only the categories of recipients, as a list of each individual recipient is challenging to keep up to date.
  • Data transfers outside of Switzerland.
    • List all countries to which you transfer personal data and the measures to ensure adequate protection in such countries.
    • A generic statement (e.g., ‘worldwide’) is sufficient for the countries, provided the safeguards are named (see section 1 above for details).
  • Contact details of the data protection officer (DPO) (so-called ‘privacy advisor’ under the new FADP).
    • If you have appointed a DPO under the GDPR or a privacy advisor under the FADP, you must include their contact details in your privacy policy.
  • Automated decision-making (incl. profiling).
    • According to the GDPR and the FADP, you need to inform users if you conduct any automated decision-making and explain the logic involved and the consequences.
  • Legal bases of the processing.
    • Under the FADP, you do not have to list the legal bases for processing in your privacy policy. You may instead provide this information only when individuals exercise their right to be informed, and according to scholars even that is not required.
    • Under the GDPR, however, you must include the legal bases for processing in your policy. They can be specified for each purpose or listed generically. The legal bases of processing under the FADP/GDPR are the following:
      • Contract;
      • Legitimate interest;
      • Consent;
      • Legal obligation;
      • Vital interests;
      • Public task.
  • Data retention period or criteria for the determination thereof.
    • Under the FADP, you typically do not have to state data retention periods in your privacy policy. You may instead provide this information only when individuals exercise their right to be informed (see below).
    • Under the GDPR, you must state either the retention period for each data category (e.g., six months for recruitment data of unsuccessful job candidates) or the criteria used to determine it.
    • For the latter, a generic statement along these lines is sufficient: “We retain personal data for as long as it is needed for the purposes for which it was collected or in line with legal and regulatory requirements or contractual arrangements”.
  • Data subject rights. Under the FADP and the GDPR, you must inform individuals of their rights, in particular:
    • The right to be informed;
    • The right of access;
    • The right to rectification of incorrect or incomplete data;
    • The right to erasure;
    • The right to restrict processing;
    • The right to data portability;
    • The right to object to the processing;
    • The right to withdraw consent;
    • Rights related to automated decision-making, including profiling; and
    • The right to file a complaint with a regulatory authority.
  • Processing based on a statutory or contractual requirement and the consequences of refusing to provide personal data.
    • Under the GDPR, when you process personal data based on a statutory or contractual requirement, you must inform individuals of this, along with the consequences of refusing to provide their data.
    • There is no such requirement under the FADP.
  • The sources of the data, if you did not directly obtain it from the individual.
    • In cases where you obtain data indirectly, under the GDPR and the FADP, you need to mention the sources in your privacy policy (e.g., publicly accessible sources).
  • References to data protection law.
    • Refer to “applicable data protection law” rather than only to specific GDPR or FADP articles, so the policy does not become outdated when either act is amended.

Conclusion

We hope that this checklist has helped you review your privacy policy in light of the upcoming FADP. As outlined above, a GDPR-compliant privacy policy is, in principle, sufficient with some fine-tuning (especially regarding transfers of personal data outside of Switzerland).

If you have any questions, please do not hesitate to contact us. Stay compliant!

Sources:
https://www.fedlex.admin.ch/eli/fga/2020/1998/de
https://www.edoeb.admin.ch/dam/edoeb/de/dokumente/2021/revdsg.pdf.download.pdf/revDSG_DE.pdf


By Anna Maria Tonikidou

MLaw, LL. M. mult.
