Is the FADP also applicable to companies domiciled abroad?

Companies domiciled abroad are covered by the Swiss FADP if their data processing has an impact in Switzerland. This may be the case if they collect or store personal data in Switzerland, process personal data of persons in Switzerland, offer products or services to persons in Switzerland or if data processing, contrary to the FADP, affects the privacy or fundamental rights of the data subject.

It should be noted that, unlike the GDPR, the so-called marketplace principle does not apply in Switzerland. The territorial scope can therefore vary between the GDPR and the revFADP.

For companies domiciled abroad, the primary question is whether the FADP is ap-plicable to them at all.

The territorial scope of the Swiss Federal Data Protection Act ("revFADP") is now explicitly regulated in Art. 3 revFADP. At the same time, nothing "new" was intro-duced, but the revFADP merely codifies what was already the case, namely that companies abroad must comply with the FADP under certain circumstances, even if they do not have a registered office, branch office or other physical presence (e.g., a data centre in Switzerland) in Switzerland.

In such cases, companies must comply with the obligations under the revFADP (such as the duty to inform or report data breaches) in the context of all circum-stances that have an impact in Switzerland (so-called "effects doctrine"). The FADP is therefore applicable to circumstances that have an impact in Switzerland, even if the data processing is carried out abroad. In this respect, the geographic scope of the FADP is in part even wider than that of the GDPR.

In contrast, for provisions of the FADP that are of a private law nature, the Fed-eral Act on Private International Law (PILA ) applies when determining the juris-diction and applicable law in an international context .This includes, for example, the right to information or deletion or, in the event of a violation of a data sub-ject's privacy, possible claims for damages by Swiss data subjects. Under the rules of the PILA, jurisdiction may arise in Swiss courts (and at the same time the applicability of Swiss data protection law) at the defendant's Swiss domicile and at the place where the event which gave rise to the harm occurred or where the harm of the data protection infringement arose, which may result in affected data subjects being able to assert and enforce their rights under the FADP in Switzer-land, for example, before a Swiss court.

The following discusses the different territorial scope in the FADP, depending on the "nature" of the provision.

According to the so-called "effects doctrine", companies domiciled abroad must comply with certain obligations of the FADP if their data processing activities have a sufficient impact on the territory of Switzerland. What a sufficient degree of impact is, has not been conclusively determined and must be assessed on a case-by-case basis. This may be the case, for example, if a company with its regis-tered office abroad:

• Collects or stores personal data in Switzerland,
• Processes personal data of persons in Switzerland,
• Offers products or services to persons in Switzerland; or
• Processes data in violation of the FADP and this affects the privacy or funda-mental rights of the data subject in Switzerland.

The fact that a relevant act takes place in Switzerland or has an impact on Swit-zerland (e.g. the collection of data or the storage of data in a data centre in Swit-zerland) may suffice.

In such cases, the following obligations must in particular be complied with:

• the duty to maintain a data processing register (Art. 12 revFADP);
• the duty to appoint a representative in Switzerland (Art. 14 et seq. revFADP);
• the duty to provide information upon collection of personal data (Art. 19 revFADP);
• the obligation to carry out a data protection impact assessment (Art. 22 et seq. revFADP); or, for example,
• the duty to report data breaches (Art. 24 revFADP).

In addition, the Federal Data Protection and Information Commissioner has the authority to investigate data processing activities and, thus, companies abroad (Art. 49 and 50 revFADP) that fall under the FADP due to their activities in Swit-zerland or with a Swiss connection, and to issue orders against such companies if they process data in violation of the FADP (Art. 51 revFADP).

If private law provisions of the FADP are violated, such as the general data pro-tection principles (Art. 6 and 8 revFADP) , the right to information (Art. 25 et seqq. revFADP) or the regulations on the beach of personality rights (Art. 30 et seq revFADP) , jurisdiction may lie with Swiss courts, in particular at the defend-ant's Swiss domicile, at the place where the event which gave rise to the harm occurred or where the harm of the data protection breach arose.

The place where the harm arose is the place where the protected right was violat-ed. In the event of a breach of data protection law, the place where the harm arose is generally the residence or habitual residence of the injured data subject – that is, the customer.

The place where the event which gave rise to the harm occurred is the place where the tort (i.e., the data protection infringement) is executed in whole or in part. In the area of data protection claims, this will normally be where the data processing in question takes place.

This is relevant for companies domiciled abroad if, for example, a customer in Switzerland is violated in respect of his or her privacy because the general data protection principles are violated or he or she wishes to enforce his or her right to information before a Swiss court.

If such a place of jurisdiction exists in Switzerland, the data subject can largely choose the applicable law within the limits of Article 139 PILA and, therefore, de-clare Swiss data protection law applicable under certain circumstances.

• Check the extent to which reference points exist to Switzerland for your data processing activities.
• If the effects go beyond mere individual cases and to some extent are no-ticeable, an in-depth examination must be carried out and, if necessary, the duties as listed above must be complied with.
• It is also advisable to comply with the processing principles and to introduce a process for dealing with requests from data subjects who wish to exer-cise their rights.