FAQ
Does the FADP apply to me as a company domiciled abroad?
A distinction must be made between the following two scenarios:
The public law obligations of the FADP must be complied with in all circumstances that have an impact in Switzerland (so-called "effects doctrine"). These include, for example, the duty to provide information, the obligation to maintain a data processing register, the obligation to report data security breaches, or the obligation to carry out data protection impact assessments.
If, on the other hand, private law provisions of the FADP are breached, such as data protection rights of the persons affected or fundamental data protection principles, this may be relevant for companies domiciled abroad if this results in the jurisdiction of Swiss courts, for example because the place where the event which gave rise to the harm occurred or where the harm arising from the data protection breach was felt in Switzerland. The data subject can then choose the applicable law within the framework of Article 139 PILA, which may lead to the applicability of Swiss data protection law.
Does the FADP apply to me as a company domiciled abroad if I have a branch office in Switzerland?
As the branch is located in Switzerland, the public law provisions of the FADP apply to the activities of the branch office in Switzerland due to the principle of territoriality.
In the event of a violation of the private law provisions of the FADP, the courts at the place of establishment shall have jurisdiction for actions arising from the activity of a branch in Switzerland.
Is the FADP applicable to my company domiciled abroad if I operate a data centre in Switzerland?
Yes, as a rule, there is a physical presence in Switzerland relevant for the FADP. As a result, data processing in the Swiss data centre is in principle covered by the FADP.
Is the FADP applicable to my company domiciled abroad if I offer products or services to persons in Switzerland?
Yes, as data subjects in Switzerland are affected by the company's processing activities, the public law provisions apply. The private law provisions apply as described above.
What data protection obligations do foreign companies necessarily have to comply with?
As a company domiciled abroad, do I have to grant my customers in Switzerland their rights under the FADP?
In principle, yes, because in addition to the above-mentioned provisions of public law, in cases where data processing is covered by the FADP, the provisions of private law of the FADP should generally also be complied with. This also results from the jurisdiction and applicable law under the PILA in case of a breach of personality rights.
For example, the general data protection principles (Art. 6 and 8 revFADP), the right to information for customers (Art. 25 et seqq. revFADP) or the regulations on violation of privacy (Art. 30 et seq. revFADP).
Can a supervisory authority conduct an investigation of my company's processing activities, if, as a company domiciled abroad, I do not comply with the FADP? What would be the result of such an investigation?
Yes, the supervisory authority, the Federal Data Protection and Information Commissioner ("FDPIC"), has the authority to investigate data processing activities and therefore companies abroad (Art. 49 and 50 revFADP) that fall under the FADP due to their activities in Switzerland or with a Swiss connection, and to issue orders against such companies if they process data in violation of the FADP (Art. 51 revFADP).
The FDPIC may order that specific data processing activities be adjusted, interrupted or suspended in whole or in part, and that personal data be deleted in whole or in part. It may prohibit or suspend data transfers abroad or order that data security be improved or that companies comply with their obligations, etc.
Can I be fined if, as a company domiciled abroad, I do not comply with the FADP?
Yes, that is in principle possible.
A fine not exceeding Swiss francs 250,000 may be imposed on any person who violates the duty to inform upon collection of personal data, for example, or willfully fails to comply with an FDPIC order or a decision by the appellate authorities based on the threat of punishment under this Article.
It should be noted that the fine is not imposed on the company but on the responsible private individual, i.e. a natural person. It is not fully clear how the fine will be enforced abroad vis-à-vis the natural person responsible.
Can I be sued by my clients before a court in Switzerland if I violate the FADP?
Yes, if private law provisions of the FADP are violated, such as the right to information or the general data protection principles, jurisdiction may arise for Swiss courts to hear actions brought by Swiss customers.
At a glance
Companies domiciled abroad are covered by the Swiss FADP if their data processing has an impact in Switzerland. This may be the case if they collect or store personal data in Switzerland, process personal data of persons in Switzerland, offer products or services to persons in Switzerland or if data processing, contrary to the FADP, affects the privacy or fundamental rights of the data subject.
It should be noted that, unlike the GDPR, the so-called marketplace principle does not apply in Switzerland. The territorial scope can therefore vary between the GDPR and the revFADP.
Introduction
For companies domiciled abroad, the primary question is whether the FADP is applicable to them at all.
The territorial scope of the Swiss Federal Data Protection Act ("revFADP") is now explicitly regulated in Art. 3 revFADP. At the same time, nothing "new" was introduced, but the revFADP merely codifies what was already the case, namely that companies abroad must comply with the FADP under certain circumstances, even if they do not have a registered office, branch office or other physical presence (e.g., a data centre in Switzerland) in Switzerland.
In such cases, companies must comply with the obligations under the revFADP (such as the duty to inform or report data breaches) in the context of all circumstances that have an impact in Switzerland (so-called "effects doctrine"). The FADP is therefore applicable to circumstances that have an impact in Switzerland, even if the data processing is carried out abroad. In this respect, the geographic scope of the FADP is in part even wider than that of the GDPR.
In contrast, for provisions of the FADP that are of a private law nature, the Federal Act on Private International Law (PILA) applies when determining the jurisdiction and applicable law in an international context. This includes, for example, the right to information or deletion or, in the event of a violation of a data subject's privacy, possible claims for damages by Swiss data subjects. Under the rules of the PILA, jurisdiction may arise in Swiss courts (and at the same time the applicability of Swiss data protection law) at the defendant's Swiss domicile and at the place where the event which gave rise to the harm occurred or where the harm of the data protection infringement arose, which may result in affected data subjects being able to assert and enforce their rights under the FADP in Switzerland, for example, before a Swiss court.
The following discusses the different territorial scope in the FADP, depending on the "nature" of the provision.
When must foreign companies comply with the public FADP obligations?
According to the so-called "effects doctrine", companies domiciled abroad must comply with certain obligations of the FADP if their data processing activities have a sufficient impact on the territory of Switzerland. What constitutes a sufficient degree of impact has not been conclusively determined and must be assessed on a case-by-case basis. This may be the case, for example, if a company with its registered office abroad:
- Collects or stores personal data in Switzerland,
- Processes personal data of persons in Switzerland,
- Offers products or services to persons in Switzerland; or
- Processes data in violation of the FADP and this affects the privacy or fundamental rights of the data subject in Switzerland.
The fact that a relevant act takes place in Switzerland or has an impact on Switzerland (e.g. the collection of data or the storage of data in a data centre in Switzerland) may suffice.
In such cases, the following obligations must in particular be complied with:
- the duty to maintain a data processing register (Art. 12 revFADP);
- the duty to appoint a representative in Switzerland (Art. 14 et seq. revFADP);
- the duty to provide information upon collection of personal data (Art. 19 revFADP);
- the obligation to carry out a data protection impact assessment (Art. 22 et seq. revFADP); or, for example,
- the duty to report data breaches (Art. 24 revFADP).
In addition, the Federal Data Protection and Information Commissioner has the authority to investigate data processing activities and, thus, companies abroad (Art. 49 and 50 revFADP) that fall under the FADP due to their activities in Switzerland or with a Swiss connection, and to issue orders against such companies if they process data in violation of the FADP (Art. 51 revFADP).
Can foreign companies in Switzerland be sued? Can data subjects enforce their rights in Switzerland under Swiss law?
If private law provisions of the FADP are violated, such as the general data protection principles (Art. 6 and 8 revFADP), the right to information (Art. 25 et seqq. revFADP) or the regulations on the breach of personality rights (Art. 30 et seq. revFADP), jurisdiction may lie with Swiss courts, in particular at the defendant's Swiss domicile, at the place where the event which gave rise to the harm occurred or where the harm of the data protection breach arose.
The place where the harm arose is the place where the protected right was violated. In the event of a breach of data protection law, the place where the harm arose is generally the residence or habitual residence of the injured data subject – that is, the customer.
The place where the event which gave rise to the harm occurred is the place where the tort (i.e., the data protection infringement) is executed in whole or in part. In the area of data protection claims, this will normally be where the data processing in question takes place.
This is relevant for companies domiciled abroad if, for example, the privacy of a customer in Switzerland is violated because the general data protection principles are violated, or if he or she wishes to enforce his or her right to information before a Swiss court.
If such a place of jurisdiction exists in Switzerland, the data subject can largely choose the applicable law within the limits of Article 139 PILA and, therefore, declare Swiss data protection law applicable under certain circumstances.
Checklist
- Check the extent to which reference points exist to Switzerland for your data processing activities.
- If the effects go beyond mere individual cases and to some extent are noticeable, an in-depth examination must be carried out and, if necessary, the duties as listed above must be complied with.
- It is also advisable to comply with the processing principles and to introduce a process for dealing with requests from data subjects who wish to exercise their rights.
Art. 3 Territorial Scope
1 This Act applies to matters that have an effect in Switzerland, even if they occurred abroad.
2 Private law claims are governed by the Federal Act of 18 December 1987 on International Private Law. The provisions governing the territorial scope of application of the Criminal Code also remain reserved.