Switzerland Data Privacy Laws: nFADP Compliance Guide (2026)

Switzerland has long been associated with privacy and discretion in financial matters, but its approach to data protection has undergone a fundamental transformation. The new Federal Act on Data Protection, known as the nFADP (or revDSG in German), replaced the original 1992 data protection law on September 1, 2023. This overhaul was driven by two forces: the need to maintain the European Union's adequacy finding for Swiss data protection, and the recognition that a law written before the internet era was no longer fit for purpose.
The nFADP affects every organization that processes personal data of individuals in Switzerland, regardless of where that organization is based. Its unique enforcement model, where criminal penalties target individuals rather than companies, sets it apart from virtually every other data privacy regime in the world.
This guide covers every major provision of the nFADP as it stands in 2026, including the enforcement track record that has developed since the law took effect.
History and Legislative Background
Switzerland's first Federal Act on Data Protection was enacted on June 19, 1992 (SR 235.1). At the time it was considered forward-thinking, but by the 2010s the law was visibly outdated. It did not address cloud computing, profiling, automated decision-making, or any of the data processing realities that had emerged in the decades since its passage.

The revision process began in earnest in 2017, when the Federal Council submitted a draft to Parliament. The Federal Assembly adopted the revised law in its fall 2020 session. After a lengthy implementation period that included drafting the accompanying ordinance (the Ordinance on Data Protection, DPO), the nFADP entered into force on September 1, 2023.
There was no transition period: organizations were expected to be compliant from day one. The law is not retroactive, but from September 1, 2023 it applies to all ongoing processing activities, not only to those initiated after the effective date.
The German Abbreviation Question
You will encounter multiple abbreviations for this law. In German, the law is the Datenschutzgesetz, abbreviated DSG. The revised version is sometimes called the revDSG. In English, the common abbreviations are FADP (Federal Act on Data Protection) and nFADP (new Federal Act on Data Protection). All refer to the same statute: SR 235.1 as revised.
Scope and Applicability
Who the nFADP Covers
The nFADP applies to the processing of personal data of natural persons by:
- Private individuals and organizations (companies, associations, foundations)
- Federal government bodies
A critical change from the old law is that the nFADP now only protects natural persons. The 1992 version also covered legal entities (companies), which was unusual internationally. This change aligns Switzerland with the GDPR approach.
Extraterritorial Reach
Article 3 of the nFADP establishes an effects-based scope: the Act applies to circumstances that have an effect in Switzerland, even if they are initiated abroad. The controller's or processor's location is therefore not decisive. The reach is comparable to Article 3 of the GDPR, although the wording differs.
In practice, this captures at least any foreign company that offers goods or services to individuals in Switzerland or monitors their behavior, and it can reach other processing that produces effects in Switzerland as well.
Representative Requirement for Foreign Companies
Private controllers (not processors) domiciled abroad must appoint a representative in Switzerland when they process personal data of persons in Switzerland and all four of the following conditions are met (Art. 14): the processing is connected with offering goods or services to, or monitoring the behavior of, persons in Switzerland; it is large-scale; it is regular; and it poses a high risk to the personality of the data subjects. The representative must be a natural or legal person domiciled in Switzerland.
The representative serves as a point of contact for both data subjects and the FDPIC. The requirement is similar to the GDPR's Article 27 representative obligation, but the Swiss test turns only on foreign domicile plus the four conditions above. There is no exemption for merely having some "establishment" in the country, which is why the Swiss version is arguably broader.
Key Principles of the nFADP
Lawfulness and Good Faith
Personal data must be processed lawfully and in good faith. However, there is an important difference from the GDPR here: under Swiss law, data processing by private entities is generally permitted unless it violates the personality rights of the data subject. There is no requirement to identify a specific legal basis (like consent or legitimate interest) for every processing activity, as the GDPR demands under Article 6.
This means consent is not the default requirement for processing in Switzerland. Processing only requires justification when it infringes on the data subject's personality rights.
Proportionality and Purpose Limitation
Personal data may only be collected for a specific purpose that is apparent to the data subject, and it may only be processed in a manner compatible with that purpose. The data collected must be proportionate to the stated purpose.
Data Accuracy
Controllers must ensure that personal data is accurate and must take reasonable steps to correct or delete inaccurate data.
Privacy by Design and Privacy by Default
The nFADP formally codifies both principles:
- Privacy by Design requires organizations to consider data protection from the earliest stages of system and process design.
- Privacy by Default requires that default settings limit data processing to the minimum necessary for the stated purpose. Users should not have to take active steps to restrict unnecessary data collection.
These principles were not present in the 1992 law.
Sensitive Personal Data: A Broader Definition
The nFADP expanded the categories of sensitive personal data beyond what the GDPR covers. Under Swiss law, sensitive data includes:
- Data on religious, philosophical, political, or trade union views or activities
- Health data
- Data on intimate or private life (including sexual orientation)
- Data on race or ethnicity
- Genetic data (new under the nFADP)
- Biometric data capable of uniquely identifying a person (new under the nFADP)
- Data on administrative and criminal proceedings or sanctions
- Data on social security measures
The last two categories, covering administrative/criminal proceedings and social security measures, go beyond the GDPR's definition of special category data. This broader scope means organizations processing these data types in Switzerland face stricter requirements than they might under EU law alone.
Processing sensitive data is not subject to a stand-alone consent requirement, but two rules tighten the regime: disclosing sensitive data to third parties is itself a violation of personality rights that needs a justification (Art. 30 para. 2 lit. c), and where consent is the justification relied on, it must be explicit (Art. 6 para. 7). The other justification grounds of Art. 31 (the law, an overriding private or public interest) remain available.
Data Subject Rights
The nFADP significantly expanded the rights available to individuals.
Right of Access (Article 25)
Any person may request from a data controller whether personal data concerning them is being processed. The controller must provide:
- The identity and contact details of the controller
- The personal data being processed
- The purpose of processing
- The retention period or criteria for determining it
- The origin of the data if not collected directly from the data subject
- Any automated individual decision-making, including profiling
- The recipients or categories of recipients to whom data is disclosed
The information must generally be provided free of charge within 30 days of the request.
Right to Data Portability (Article 28)
This is a new right introduced by the nFADP. Data subjects can request the personal data they have provided to the controller in a commonly used electronic format, or have it transferred directly to another controller. Two conditions apply: the controller processes the data by automated means, and the processing is based on the data subject's consent or is directly connected with the conclusion or performance of a contract. This mirrors the GDPR's portability right under Article 20.
Right to Rectification and Deletion
Data subjects can demand that inaccurate data be corrected (Art. 32 para. 1). Deletion is pursued through the civil remedies of Art. 32 para. 2: where processing violates personality rights, the data subject may demand that it be prohibited, that disclosure to third parties be prevented, or that the data be corrected or destroyed. Typical grounds are that the data is no longer necessary for the purpose for which it was collected or that consent has been withdrawn.
Right to Object
Swiss law frames the right to object through the personality-rights test: processing personal data against the express wish of the data subject is a violation of personality rights (Art. 30 para. 2 lit. b). The controller must therefore stop unless it can rely on a justification under Art. 31, such as an overriding private or public interest or a legal basis.
Transparency and Duty to Inform
The nFADP significantly strengthened transparency obligations. Under Articles 19 through 21, data controllers must proactively inform data subjects when collecting their personal data. This duty applies regardless of the nature of the data, which is stricter than the 1992 law, where notice was only required when sensitive data or personality profiles were collected.
The required information includes:
- The identity and contact details of the controller
- The purpose of processing
- The recipients or categories of recipients
- If data is transferred abroad, the destination country and the safeguards in place
When data is not collected directly from the individual, the controller must provide this information within one month of receiving the data, or before first disclosure to a third party if that occurs sooner.
Data Protection Impact Assessments
The nFADP introduced a formal Data Protection Impact Assessment (DPIA) requirement. A DPIA must be conducted when planned data processing is likely to result in a high risk to the personality or fundamental rights of data subjects.
The Act names two situations in which a high risk is presumed (Art. 22 para. 2), and a third is a typical trigger in practice:
- Large-scale processing of sensitive data
- Large-scale systematic monitoring of extensive public areas
- High-risk profiling
The DPIA must describe the planned processing, assess the risks to data subjects' rights, and identify measures to mitigate those risks. There is no prescribed format, giving organizations flexibility in how they document the assessment.
If the DPIA shows that the planned processing still presents a high risk despite the mitigation measures, the controller must consult the FDPIC before proceeding (Art. 23). Private controllers may dispense with a DPIA if they are certified under Art. 13, or if they follow a code of conduct under Art. 11 that is itself based on a DPIA, provides for protective measures, and has been submitted to the FDPIC (Art. 22 para. 5).
Profiling Under Swiss Law
The nFADP takes a distinctive approach to profiling. Profiling in general, meaning automated processing of personal data to evaluate certain personal aspects of a natural person, does not require consent under Swiss law; it is subject to the same personality-rights test as any other processing.
High-risk profiling is singled out. It is defined as profiling that entails a high risk to the personality or fundamental rights of the data subject because it links data in a way that allows essential aspects of a person's personality to be assessed. Even at this threshold Swiss law does not make consent mandatory, but where consent is the justification relied on it must be explicit (Art. 6 para. 7), and high-risk profiling is one of the few processing operations for which the Act demands that explicit form.
This differs from the GDPR, which requires a lawful basis for all profiling and gives data subjects the right to object to profiling at any time under Article 21.
Data Breach Notification
The nFADP introduced mandatory data breach notification requirements for the first time in Swiss law.
When to Notify the FDPIC
A controller must report a data security breach to the FDPIC as soon as possible when the breach is likely to result in a high risk to the personality or fundamental rights of the affected individuals.
Notably, the nFADP does not impose a specific deadline like the GDPR's 72-hour window. The standard is "as soon as possible," which gives some flexibility but also creates ambiguity. The FDPIC has published guidelines on data breaches that encourage prompt reporting and describe the dedicated breach notification portal.
When to Notify Data Subjects
The controller must also inform affected data subjects if notification is necessary for their protection, or if the FDPIC requires it.
Processor Notification
Data processors (such as cloud providers or IT service companies) must notify the data controller as soon as possible of any breach. The controller then decides whether the FDPIC and data subjects need to be informed.
Risk Threshold
The nFADP's notification threshold is "high risk," which is a higher bar than the GDPR's general "risk to the rights and freedoms" standard. Breaches that pose only a moderate risk do not need to be reported under Swiss law.
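To make the notification chain concrete, the following Python is an added example written for this guide; it is not FDPIC tooling or code from any cited source. It assumes an illustrative risk rubric, a hypothetical 72-hour internal escalation target, and constructed sample incidents; the Act itself fixes neither a rubric nor a deadline, only "as soon as possible" and the "high risk" threshold.

```python
"""nFADP breach-notification triage (Art. 24 FADP): an added example.

Encodes the chain described above: a processor reports ANY breach to the
controller as soon as possible; a controller reports to the FDPIC only when
the breach is likely to result in a HIGH risk to data subjects; data subjects
are informed when that is necessary for their protection or when the FDPIC
requires it. The risk rubric and the 72-hour internal target are assumptions
of this example, not statutory rules.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

# Sensitive categories under Art. 5 lit. c FADP, as listed on this page.
SENSITIVE_CATEGORIES = frozenset({
    "religious_political_union", "health", "intimate_life", "race_ethnicity",
    "genetic", "biometric", "proceedings_sanctions", "social_security",
})

# Internal escalation target (assumption; the statute sets no fixed deadline).
INTERNAL_TARGET = timedelta(hours=72)


class Role(Enum):
    CONTROLLER = "controller"
    PROCESSOR = "processor"


@dataclass
class Breach:
    detected_at: datetime
    role: Role                      # our role with respect to the affected data
    data_categories: set            # e.g. {"email", "health"}
    affected_persons: int
    encrypted_at_rest: bool         # True only if the keys were NOT exposed
    identifiers_exposed: bool       # names, e-mails, IDs usable by an attacker
    fdpic_requested_subject_notice: bool = False
    notifications_sent: dict = field(default_factory=dict)  # target -> sent_at


def risk_level(b: Breach) -> str:
    """Illustrative rubric (assumption): returns 'low', 'moderate' or 'high'."""
    if b.encrypted_at_rest and not b.identifiers_exposed:
        return "low"            # attacker holds ciphertext and no identifiers
    if b.data_categories & SENSITIVE_CATEGORIES or b.affected_persons >= 1000:
        return "high"
    return "moderate"


def subject_notice_necessary(b: Breach) -> bool:
    """'Necessary for their protection': subjects can act (reset credentials,
    watch for fraud) only when usable identifiers actually leaked."""
    return b.identifiers_exposed and risk_level(b) == "high"


def required_notifications(b: Breach) -> set:
    """Who must be notified under Art. 24 as summarised on this page."""
    if b.role is Role.PROCESSOR:
        return {"controller"}               # every breach, whatever the risk
    needed = set()
    if risk_level(b) == "high":
        needed.add("fdpic")
    if subject_notice_necessary(b) or b.fdpic_requested_subject_notice:
        needed.add("data_subjects")
    return needed


def pending(b: Breach) -> set:
    """Required notifications not yet recorded as sent."""
    return required_notifications(b) - set(b.notifications_sent)


def overdue(b: Breach, now: datetime) -> set:
    """Required notifications still unsent past the internal target."""
    if now - b.detected_at <= INTERNAL_TARGET:
        return set()
    return pending(b)


def record_notification(b: Breach, target: str, sent_at: datetime) -> None:
    if target not in required_notifications(b):
        raise ValueError(f"{target} is not a required notification here")
    b.notifications_sent[target] = sent_at


# Constructed sample incidents (hypothetical, not real cases).
T0 = datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc)
# 1. A processor loses an encrypted backup volume; keys were not exposed.
BACKUP_LOSS = Breach(T0, Role.PROCESSOR, {"email", "address"}, 20000, True, False)
# 2. A clinic (controller) has a clear-text patient export stolen.
CLINIC_EXPORT = Breach(T0, Role.CONTROLLER, {"name", "health"}, 50, False, True)
# 3. A webshop (controller) leaks 200 pseudonymised analytics rows, no identifiers.
ANALYTICS = Breach(T0, Role.CONTROLLER, {"product_interest"}, 200, False, False)

if __name__ == "__main__":
    for name, b in [("backup_loss", BACKUP_LOSS), ("clinic_export", CLINIC_EXPORT),
                    ("analytics", ANALYTICS)]:
        print(name, risk_level(b), sorted(required_notifications(b)),
              sorted(overdue(b, T0 + timedelta(days=4))))
```

The point of keeping risk_level separate from required_notifications is that the processor branch ignores risk entirely: the cloud provider must still tell its customer about the encrypted backup loss even though the customer will, on this rubric, conclude that no FDPIC report is needed. Whatever rubric you adopt, keep the evidence behind each "moderate" verdict, since that is the decision you will have to defend if the FDPIC later asks why it was not notified.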
Cross-Border Data Transfers
The nFADP's cross-border transfer framework closely mirrors the GDPR model but has some Swiss-specific elements.
Adequacy Decisions
The Federal Council maintains a list of countries that provide an adequate level of data protection. Personal data may be transferred freely to these countries. The FDPIC publishes and regularly updates the adequacy list.
EU Adequacy of Switzerland
In a development critical for Swiss-EU data flows, the European Commission confirmed on January 15, 2024 that Switzerland continues to provide an adequate level of data protection under the GDPR. This means personal data can flow from the EU/EEA to Switzerland without additional safeguards, and vice versa.
The Commission's report specifically noted the positive impact of the nFADP in strengthening Switzerland's data protection framework.
Swiss-US Data Privacy Framework
On August 14, 2024, the Federal Council decided that the Swiss-US Data Privacy Framework (DPF) provides adequate protection for data transfers to certified US companies. This took effect on September 15, 2024.
US companies that are certified under the DPF and are listed on the Data Privacy Framework website can receive personal data from Switzerland without additional safeguards. However, the long-term stability of this framework remains uncertain, and organizations are advised to maintain backup transfer mechanisms.
Standard Contractual Clauses
For transfers to countries without an adequacy finding, organizations can rely on Standard Contractual Clauses (SCCs). The FDPIC has recognised the EU SCCs for transfers from Switzerland, provided they are supplemented with Swiss-specific amendments (informally the "Swiss add-on") covering points such as the competent supervisory authority, governing law and place of jurisdiction, and references to the FADP, so that a single set of clauses can satisfy both Swiss and EU requirements.
Organizations must also conduct Transfer Impact Assessments (TIAs) when transferring data to jurisdictions not covered by adequacy decisions or the DPF.
Other Transfer Mechanisms
Additional lawful transfer mechanisms include:
- Binding Corporate Rules (BCRs) approved by the FDPIC
- Explicit consent of the data subject after being informed of the risks
- Performance of a contract with the data subject
- Overriding public interests
The FDPIC: Switzerland's Data Protection Authority
The Federal Data Protection and Information Commissioner (FDPIC; EDÖB in German) is the independent authority responsible for supervising compliance with the nFADP at the federal level. The office is based in Bern.
Expanded Powers Under the nFADP
The nFADP significantly expanded the FDPIC's authority compared to the 1992 law:
- Investigations: The FDPIC can open formal investigations where there are clear indications of data protection violations, conduct informal preliminary enquiries, and carry out low-threshold interventions for simpler cases.
- Binding Orders: Following an investigation, the FDPIC can issue legally binding administrative orders requiring data controllers to modify or cease specific processing activities.
- Consultations: The FDPIC must be consulted when a DPIA shows high residual risk.
What the FDPIC Cannot Do
Critically, the FDPIC cannot impose fines. This is a fundamental structural difference from EU Data Protection Authorities, which can levy administrative fines of up to 4% of global turnover under the GDPR. In Switzerland, the power to impose monetary penalties rests exclusively with the cantonal criminal prosecution authorities.
Enforcement Track Record
Since the nFADP took effect, the FDPIC has steadily ramped up enforcement:
- By November 2024, the FDPIC had opened 26 preliminary enquiries and formal investigations, with seven concluded at the time of reporting.
- The office increased staffing for enforcement activities by approximately 30 percent compared to the previous year.
- Notable investigations have included the Xplain ransomware incident (involving data from the Federal Office of Police and Federal Office for Customs and Border Security), and investigations into the data practices of Digitec Galaxus (a major online retailer) and the TX Group (parent company of the Ricardo auction platform).
- Mediation requests increased by 53 percent, with the FDPIC reaching mutually agreed solutions in 76 percent of cases.
The FDPIC's 2024/2025 annual report, titled "Increased intervention against data protection violations and new highs in access requests," signals a clear trajectory toward more active enforcement.
Criminal Penalties: Switzerland's Unique Approach
The nFADP's penalty regime is fundamentally different from the GDPR and virtually every other modern data privacy law. Understanding this distinction is essential for compliance.
Penalties Target Individuals, Not Companies
Articles 60 through 66 of the nFADP establish criminal offenses. The maximum fine is CHF 250,000 (approximately EUR 263,000 or USD 290,000). This fine is imposed on the natural person who committed the violation, not on the organization.
This means a company's data protection advisor, CEO, or IT manager could personally face criminal prosecution and a fine for an intentional violation. Individual criminal liability as the primary sanction is unusual internationally; under the GDPR, administrative fines are levied against the organization itself.
Intent Requirement
Only willful (intentional) violations are punishable under the nFADP. Negligent violations are not subject to criminal penalties. This is a significant limitation that narrows the scope of enforcement, as prosecutors must prove the accused acted with intent.
Specific Criminal Offenses
The nFADP defines several specific criminal offenses:
- Article 60: Violations of the duty to provide information, the duty of access, and the duty to cooperate with the FDPIC. This includes intentionally providing false information to the FDPIC or refusing to cooperate during an investigation.
- Article 61: Violations of the duty of care. This covers intentionally conducting cross-border transfers without adequate safeguards, transferring data to processors without meeting security requirements, and failing to comply with minimum data security standards.
- Article 62: Breach of professional confidentiality. Intentionally disclosing confidential personal data obtained during professional activities.
- Article 63: Failure to comply with a binding order (ruling) issued by the FDPIC.
Company Liability as a Fallback
When the fine in question would not exceed CHF 50,000 and identifying the responsible individual within the business would require investigative effort disproportionate to that penalty, the prosecuting authority may refrain from pursuing the individual and order the business itself to pay the fine instead (Art. 64). This subsidiary company liability is the exception, not the rule.
Prosecution by Cantonal Authorities
Criminal cases under the nFADP are prosecuted by the cantonal criminal prosecution authorities, not by the FDPIC. This decentralized enforcement model means prosecution practices may vary somewhat between cantons.
Record of Processing Activities
The nFADP requires controllers and processors to maintain a record of their processing activities. This record must include:
- The identity of the controller or processor
- The purpose of processing
- Categories of data subjects and personal data processed
- Categories of recipients
- If applicable, transfers to foreign countries and the safeguards in place
- Retention periods or criteria for determining them
- A general description of technical and organizational security measures
SME Exemption
Organizations with fewer than 250 employees are exempt from maintaining processing records, provided their processing does not entail a high risk to data subjects' personality rights (in particular, no large-scale processing of sensitive data and no high-risk profiling, as set out in the DPO). The GDPR has a comparable 250-employee exemption in Article 30(5), but it falls away whenever the processing is not occasional, is likely to result in a risk, or involves special categories of data, so in practice the Swiss exemption reaches further.
Data Protection Advisor
Unlike the GDPR, which mandates a Data Protection Officer (DPO) in certain circumstances, the nFADP does not require the appointment of a Data Protection Advisor (the Swiss equivalent). Appointing one is voluntary for private organizations.
However, appointing a Data Protection Advisor provides a tangible benefit: organizations with an advisor are exempt from the obligation to consult the FDPIC when a DPIA reveals high residual risk. This creates a practical incentive for larger organizations to appoint one.
Federal government bodies are required to appoint a Data Protection Advisor under the nFADP.
Comparing the nFADP with the GDPR
While the nFADP was designed to align with the GDPR, several meaningful differences remain:
| Feature | nFADP (Switzerland) | GDPR (EU) |
|---|---|---|
| Legal basis required | Not required for all processing; only when personality rights infringed | Required for all processing (Article 6) |
| Penalties | Criminal, up to CHF 250,000 on individuals | Administrative, up to EUR 20M or 4% turnover on companies |
| Who is penalized | Natural person responsible | The organization |
| Intent requirement | Only willful violations | Negligent violations also covered |
| Breach notification deadline | "As soon as possible" | 72 hours |
| DPO/Advisor | Voluntary for private sector | Mandatory in certain cases |
| Data subjects covered | Natural persons only | Natural persons only |
| Sensitive data scope | Broader (includes admin/criminal proceedings, social security) | Narrower list |
| Profiling consent | Only for high-risk profiling | Lawful basis needed; right to object |
| SME record-keeping exemption | Yes (under 250 employees, no high-risk processing) | Yes, but narrower (Article 30(5): under 250 employees, unless processing is non-occasional, risky, or involves special categories) |
| Enforcement authority fines | FDPIC cannot fine | DPAs can fine directly |
Practical Compliance Steps
Organizations subject to the nFADP should take the following concrete steps:
Step 1: Map Your Data Processing
Conduct a thorough inventory of all personal data processing activities involving individuals in Switzerland. Document what data you collect, why, how long you keep it, and who receives it.
Step 2: Update Privacy Notices
Ensure your privacy policy discloses the identity of the data controller, purposes of processing, recipients, cross-border transfer destinations and safeguards, and data subject rights. The nFADP's transparency requirements are broader than the old law.
Step 3: Review Cross-Border Transfers
Verify that all international data transfers are covered by an adequacy decision, the Swiss-US DPF (for certified US recipients), Standard Contractual Clauses with Swiss Add-ons, or another recognized mechanism. Conduct Transfer Impact Assessments where required.
Step 4: Implement Breach Response Procedures
Establish internal procedures to detect, assess, and report data breaches to the FDPIC via its dedicated portal. Define clear escalation paths and responsibility chains.
Step 5: Conduct DPIAs for High-Risk Processing
Identify processing activities that pose high risks and complete Data Protection Impact Assessments before proceeding. Consider appointing a Data Protection Advisor to gain the FDPIC consultation exemption.
Step 6: Review Contracts with Processors
Ensure all data processing agreements meet nFADP requirements, including adequate security measures, breach notification obligations, and restrictions on sub-processing.
Step 7: Train Staff on Individual Liability
Because the nFADP imposes criminal liability on individuals, staff training is especially important. Employees who handle personal data need to understand that they, personally, could face prosecution and fines for intentional violations.
Sector-Specific Considerations
Financial Services
Switzerland's banking secrecy tradition intersects with the nFADP in complex ways. Financial institutions must balance data protection with regulatory obligations under anti-money laundering laws and financial market supervision requirements.
Healthcare
Health data is classified as sensitive under the nFADP. Healthcare providers, insurers, and pharmaceutical companies must apply heightened safeguards. Cross-border clinical trials require careful attention to transfer mechanisms.
Technology and Cloud Services
Cloud providers serving Swiss clients must comply with the nFADP's processor requirements, including data security standards, breach notification, and potentially appointing a Swiss representative.
Recent Developments (2024-2026)
FDPIC Cookie Guidance (February 2025)
The FDPIC released updated guidance on cookie practices in February 2025, offering clearer expectations for consent mechanisms and tracking technologies. The commissioner has specifically flagged cross-platform tracking through cookies and fingerprinting as an area operating in a "legal vacuum" and has called for clearer rules on transparency, consent, and documentation.
Xplain Investigation Outcome
The FDPIC's investigation into the Xplain ransomware attack, which exposed data from multiple federal offices on the darknet, has become a landmark case for data processor accountability under the nFADP.
OneLog Security Incident
The FDPIC documented a targeted cyberattack on the OneLog login platform, highlighting the risks of centralized cloud-based authentication services and their potential to affect thousands of individuals.
Increased Resources for Enforcement
The FDPIC's 2024/2025 annual report confirms a staffing increase of approximately 30 percent for enforcement activities, signaling a sustained commitment to active supervision rather than the historically passive approach.
Sources and References
- Federal Act on Data Protection (FADP), official text (fedlex.admin.ch)
- FDPIC, New Federal Act on Data Protection overview (kmu.admin.ch)
- FDPIC, Guidelines on Data Breaches (edoeb.admin.ch)
- FDPIC, The New Data Protection Act in Figures, November 2024 (edoeb.admin.ch)
- FDPIC, Adequacy Decisions for International Data Transfers (edoeb.admin.ch)
- FDPIC, New Commissioner Role and Powers (edoeb.admin.ch)
- EU Adequacy Decision Regarding Switzerland, January 2024 (edoeb.admin.ch)
- Swiss-US Data Privacy Framework overview (dataprivacyframework.gov)
- EU Adequacy of Swiss Data Protection, Federal Office of Justice (bj.admin.ch)
- EU Data Protection Adequacy Decisions (commission.europa.eu)
- FDPIC 2024/2025 Annual Report summary (bsv.admin.ch)
- Article 60 FADP, Criminal Penalties Commentary (onlinekommentar.ch)
- Data Protection Laws and Regulations 2025-2026: Switzerland (iclg.com)
- Chambers Data Protection and Privacy 2025: Switzerland (practiceguides.chambers.com)