Skip to main content

Representation of data processors under the new Swiss Data Protection Act (FADP)

|

Switzerland has made an effort to renew its Federal Act on Data Protection (revFADP) in order to modernise its data protection law and to comply with the European General Data Protection Regulation (GDPR). With the entry into forc of the new Federal Act on Data Protection (revFADP), companies that are not residing in Switzerland must name a representative in Switzerland if certain requirements are met. What these requirements are will be elaborated in the following article.

a. Introduction

If a private controller residing abroad processes personal data, the regulation in art. 14 et seq. revised FADP (SR 235.1) might be applicable and a representative must be designated. Art. 14 para. 1 lit. a FADP requires a prespresentative in Switzerland when goods and services are offert or if monitoringf user behavior of data subjects is done. This article is therefore very similar to Art. 27 GDPR.

The wording of the provision does not state whether the requirements in art. 14 para. 1 lit. a-d FADP must be fulfilled alternatively or cumulatively by the processor. However, the doctrine claims that the conditions are cumulative requirements.

 

b. Requirements regarding Art. 14 rev.FADP

Firstly, a representative in Switzerland must be appointed if the data processing of data subjects in Switzerland is connected with the offer of goods and services or if observations are made about the behavior of data subjects. Thereby it is irrelevant whether the data subject is a Swiss citizen, permanently resides in Switzerland or is only on vacation in Switzerland. Decisive is that the person concerned is located in Switzerland at the time of the data processing.

According to art. 14 revized FADP, only if the data processing is carried out by a data controller according to art. 5 lit. j revFADP a representative must be determined. Therefore, no representation is requiered should a processor according to art. 5 lit. k revFADP carry out the data processing.

In addition to the above, the data processing must

  • be extensive;
  • take place regularly, and must have
  • a high risk potential for the personality of the data subjects.

Jurisprudence will have to clarify in which cases the data processing becomes extensive. In our opinion it can be assumed that this condition will be interpreted accordingly to art. 35 GDPR and – in contrast to art. 27 GDPR – refers to all categories of data. Regular data processing describes recurring processing of data. This includes, for example, data processing that is necessary in order to be able to offer the service at all. The term “high risk” is defined in art. 22 para. 2 revFADP, which deals with the data protection impact assessment, in the case of extensive processing of personal data requiring special protection as well as the systematic monitoring of a public area.

 

c. Tasks of the representative

The representative serves as point of contact for the Federal Data Protection and Public Information Officer (FDPIC) and for the persons affected by the data processing. Hence, the representative must be known and his or her name and address must be published (see art. 14 para. 3 revFADP). If the FDPIC requests information about the contents of the directory, the representative must release the information.

Additionally, the representative lists the processing activities and provides information (art. 15 para. 1 and 2 revFADP). This directory must comply with the requirements established in art. 12 revFADP. No formal requirements are placed on the maintenance of the directory in the revFADP. Upon request, the representative shall also explain to a data subject how he or she can assert his or her rights against the data controller.

 

d. Contractual relationship between representative and data controller

The contractual relationship between the representative and the data controller qualifies as a agency contract pursuant to art. 394 et seq. of the Swiss Code of Obligations (CO). The representative is therefore obliged to perform diligently and faithfully (art. 398 para. 2 CO).

 

e. Criminal Provisions

There are no specific penal provisions in art. 60 et seq. revFADP for the missbehaviour of the representative. However, the representative will face criminal sanctions if he or she infringes any other penalized provisions of the revFADP. Even though there is no civil liability provided in the revFADP, a non-contractual liability according to art. 41 et seq. CO can take place between the representative and the data subject if the requirements of art. 41 CO are met.

 

f. Conclusion

To conclude, it can be stated that a representation within the meaning of art. 14 revFADP must be determined if data of data subjects residing in Switzerland are processed in connection with the offering of goods or services or in the context of user behavioral monitoring. Furthermore, the data processing must be extensive and regular and brings an increased risk for the privacy of data subjects. The representative shall keep a directory of all the data processing activities and has to provide information upon request.Time after the revFADP comes into force will show how the provisions on the representative will be interpreted and applied by the courts. Since the art. 14 revFADP has not been discussed during the drafting of the revFADP by the Swiss Parliament, there are currently no further indications on how the provision might be interpreted.

 

Article provided by INPLP member: Nicole Beranek (HÄRTING Rechtsanwälte AG, Switzerland)

 

 

Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

VIEW STREAM

About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.

{$page.footerData}