30 April 2024

Who will be penalised for infringements of the new Federal Data Protection Act?


Infringements of the new Federal Act on Data Protection (FADP) can have legal consequences. Below you will find a brief overview.

I. A look at the criminal provisions of the FADP: What actions are punishable? Who will be punished?

The criminal provisions (Art. 60 ff. FADP) have been tightened with the revision of the FADP. The following conduct is punishable if committed wilfully, whereby contingent intent (dolus eventualis) is sufficient (criminal offences under data protection law):

  • Violation of the duty to provide access and information or to cooperate (Art. 60 FADP)
  • Violation of the duty of care (Art. 61 FADP)
    • Unauthorised disclosure abroad (data export)
    • Transfer of data processing to processors without a data processing agreement (DPA)
    • Violation of minimum data security requirements
  • Violation of the professional duty of confidentiality (Art. 62 FADP)
  • Failure to comply with rulings of the Federal Data Protection and Information Commissioner (FDPIC) or a decision of the appeal bodies (Art. 63 FADP)

The criminal provisions of the FADP generally target the natural persons responsible for the infringement, not the company, unlike the EU General Data Protection Regulation (GDPR), which provides for high fines against companies. Where a legal entity is the addressee of the obligations, the natural persons who actually act on behalf of the legal entity and fulfil the elements of the offence are responsible. This also includes so-called de facto bodies. The focus is on management personnel (e.g., board members, management) because of their obligation to ensure compliance with the FADP in the company, as well as any other person who has an overview of, and is responsible for, the relevant data processing process by virtue of their competence (criterion of authority to issue directives). This group of persons may include functions such as CIO, CISO or Compliance and, in particular, internal data protection officers. Data protection coordinators lacking decision-making or directive authority are generally not considered management personnel. It must be clarified on a case-by-case basis for each offence who may be considered an offender. The company's internal rules on responsibility are decisive.

If the proposed fine does not exceed CHF 50,000 and the investigation required to punish a natural person would be disproportionate, the prosecuting authority may refrain from prosecuting this person and instead convict the business operation (Art. 6 and 7 of the Federal Act on Administrative Criminal Law (ACLA) in conjunction with Art. 64 FADP).

The maximum fine is CHF 250,000, with financial circumstances being taken into account when calculating the fine. The cantonal prosecution authorities are then responsible for prosecution.

II. What other legal consequences could be threatened?

Infringements of the FADP may also result in civil or administrative proceedings:

For example, the FDPIC can initiate administrative investigation proceedings (Art. 49 FADP) and issue administrative measures in the event of data protection infringements (Art. 51 FADP). As these proceedings are (partially) public, reputational damage can be expected.

In the context of civil law proceedings, the person concerned may, in particular, bring an action against the company, for example for damages or compensation.

Corporate bodies risk being held liable on the basis of directors' and officers' liability under company law, liability in tort or under a mandate agreement.

III. Can the fine be insured?

While, according to the prevailing doctrine, fines may neither be insured nor paid by the employer in cases of intent (paying the fine could even constitute assisting offenders within the meaning of Art. 305 of the Swiss Criminal Code (SCC)), it is possible, depending on the insurance, to insure fines for negligence, compensation payments for justified civil law claims, lawyers' fees and procedural costs as well as the costs of defending against unjustified claims (D&O insurance).

IV. Summary and recommendation

The sanctions for infringements of the FADP have been expanded and tightened as part of the revision. However, only intentional infringements are penalised. First and foremost, the natural persons responsible for the infringement can be held liable. Data protection is thus given a higher priority. In particular, we recommend that a written data protection concept be drawn up, in which the responsibilities and delegation of responsibility in the area of data protection are precisely regulated. MME will be happy to advise you on all questions relating to the practical implementation of the provisions of the FADP.