The revised Swiss Federal Act on Data Protection (FADP) came into effect on September 1, 2023, and it poses significant challenges for clinical trials. The new law applies not only to trials conducted in Switzerland but also to any data processing operations within the country. It introduces severe sanctions for the individuals responsible for infringements, mandates immediate breach notifications, and requires the appointment of a Swiss FADP representative.
Does the FADP Apply to Sponsors?
In the context of clinical trials, the sponsor is always the data controller. The FADP covers the processing of personal data by private controllers and federal bodies. Like the EU’s General Data Protection Regulation (GDPR), the FADP has extra-territorial scope, applying to sponsors outside Switzerland and any processing operations performed on Swiss servers, even if conducted from abroad. If the Trial Master File (TMF) or the Electronic Data Capture (EDC) system is located in Switzerland, the entire study must comply with the FADP.
Key Changes Under the FADP
Patient Informed Consent (PIC): The new FADP emphasizes patient awareness of, and consent to, data collection. Sponsors must clearly communicate individuals’ rights when obtaining consent and provide transparent information about how data is collected, stored, processed, and used.
Immediate Breach Notifications: Unlike the GDPR, which allows for breach notification within 72 hours, the FADP requires immediate communication of cyberattacks or security breaches to patients, the Federal Data Protection and Information Commissioner (FDPIC), and other affected stakeholders.
Swiss FADP Representative: The FADP requires foreign data controllers (sponsors) or processors (Contract Research Organizations or CROs) to appoint a representative in Switzerland if they process the personal data of individuals in Switzerland and meet the following requirements:
- The processing is connected with the offer of goods or services or the monitoring of the behaviour of persons in Switzerland.
- The processing is on a large scale.
- The processing is carried out regularly.
- The processing poses a high risk to the personality of the data subjects.
This means that Sponsors/CROs whose presence in Switzerland is a branch or other establishment rather than a corporate seat are still required to appoint a Swiss representative if they monitor patient behaviour (monitoring is a key requirement under ICH-GCP, so every study conducted in Switzerland with the involvement of Swiss patients will fall under this category) and their processing activities are regular, on a large scale and pose a high risk to data subjects (which is also the case in clinical trials).
Unlike under the GDPR, however, appointing a Data Protection Officer is recommended but not required (Art. 10 FADP).
Unlike the GDPR, the FADP directs its hefty penalties at responsible individuals rather than companies. Instead of administrative fines, the FADP sanctions violations with criminal liability, with penalties reaching up to CHF 250,000 (~$270,000 USD). While the company itself can also be fined up to CHF 50,000 if identifying the responsible person would involve a disproportionate effort, it is the individuals who bear the brunt of the liability under the revised law.
The law empowers the FDPIC to enforce the increased sanctions against companies failing to meet the new standards. However, unlike European data protection authorities, the FDPIC has no power of its own to impose sanctions under the new law: offending persons are fined by the cantonal prosecution authorities.
While the revised FADP introduces stricter regulations and significant penalties for non-compliance, it is a crucial step towards ensuring data privacy and security in an increasingly digital world. As the landscape of data protection laws continues to evolve globally, it’s more important than ever for clinical trial sponsors and stakeholders to stay informed and ensure their operations are fully compliant.
While the revised FADP was designed around the requirements of the EU’s General Data Protection Regulation (GDPR), there are notable differences between the two regulations:
Key Differences Between FADP and GDPR
| Topic | FADP | GDPR |
|---|---|---|
| Definition of sensitive data | Includes two additional categories: “data on administrative or criminal proceedings and sanctions” and “data on social security measures”. | Art. 9 GDPR |
| Designation of a DPO | Not mandatory but recommended | Mandatory according to Art. 37 GDPR |
| Data export | The Swiss Federal Council determines adequacy. EU standard contractual clauses and binding corporate rules can be applied. | Adequacy is determined by the European Commission. Standard contractual clauses and binding corporate rules apply. |
| Data breach notification | Mandatory reporting as soon as possible (same exceptions to reporting as under the GDPR). Notification of the data subject only if necessary for the protection of the data subject. | Mandatory reporting within 72 hours |
| DPIA | Consultation of a Data Protection Officer instead of the FDPIC is possible in case of high risk despite measures taken. | Duty to consult the supervisory authority in case of high risk despite measures taken. |
| Profiling | A general obligation to obtain consent is only imposed for high-risk profiling. | General obligation to obtain consent |
| Sanctions | Up to CHF 250,000 against responsible private persons as well, not just legal entities | Up to EUR 20 million or 4% of the company’s worldwide annual revenue |
Accelsiors can help navigate these new regulations and ensure full compliance. Our services include:
- FADP representative services
- Swiss legal representative services
- FADP compliance
- Data mapping consultancy
- DPIA consultancy