Switzerland Data Privacy Laws: Federal Act on Data Protection (nFADP) Compliance Guide

Switzerland governs data privacy through the revised Federal Act on Data Protection (nFADP, SR 235.1), which took effect September 1, 2023. The law is distinct globally: criminal fines of up to CHF 250,000 fall on the responsible individual, not the company, and only willful violations are punishable.
Switzerland operates one of the most distinctive data privacy regimes in the world. The revised Federal Act on Data Protection, known in English as the nFADP (new Federal Act on Data Protection) or FADP, and in German as the revDSG (revidiertes Datenschutzgesetz), SR 235.1, replaced a 1992 law that had not kept pace with the internet era. It entered into force on September 1, 2023, with no transition grace period.
The nFADP matters for any organization that processes personal data of individuals located in Switzerland, regardless of where that organization is headquartered. Its enforcement model, which targets the individual human being responsible rather than the corporate entity, sets it apart from every major data privacy regime in Europe and North America.
This guide explains every major provision of the nFADP as it stands in May 2026, including the growing body of FDPIC enforcement decisions that have emerged since the law took effect.
Jurisdictional scope: This article addresses the federal data protection law of Switzerland (SR 235.1, nFADP/revDSG) and the role of the FDPIC. Switzerland is not a member of the European Union; the EU GDPR does not apply directly to Swiss-domiciled controllers processing data inside Switzerland. Where a Swiss organization offers goods or services to EU/EEA residents or monitors their behavior, EU GDPR compliance obligations run in parallel. For Switzerland's recording consent rules, see Switzerland recording laws.
Quick Answer: What Law Governs Data Privacy in Switzerland?
Switzerland's data privacy law is the Federal Act on Data Protection, SR 235.1, as revised in September 2023 (nFADP/revDSG). The Federal Data Protection and Information Commissioner (FDPIC), based in Bern, supervises compliance. The EU GDPR does not apply directly, but Switzerland holds an EU adequacy finding, meaning EU-Switzerland personal data flows proceed without additional safeguards. The nFADP fines individuals up to CHF 250,000 for willful violations, not companies. Processing by private entities is generally lawful unless it infringes personality rights. Breach notification must be made to the FDPIC "as soon as possible" with no fixed 72-hour deadline.
History and Legislative Background
Switzerland's first Federal Act on Data Protection was enacted on June 19, 1992 (SR 235.1). At the time, the law was considered progressive, but by the 2010s it had become outdated. It predated cloud computing, smartphone tracking, behavioral profiling, and modern data broker practices.
The Federal Council submitted a comprehensive revision bill to Parliament in 2017. Parliament adopted the revised law during the fall 2020 session after substantial debate, particularly over the penalty model. The accompanying Ordinance on Data Protection (DPO, SR 235.11) and the Ordinance on Data Protection Certification (DPCO, SR 235.13) were finalized in August 2022.
The nFADP entered into force on September 1, 2023. There was no transition period. Existing data processing activities were required to meet the new requirements from day one.
Abbreviation Guide
The law appears under multiple abbreviations in legal and business literature:
- nFADP or FADP (English): new Federal Act on Data Protection
- revDSG or DSG (German): revidiertes Datenschutzgesetz
- revLPD (French): Loi sur la protection des données, révisée
- SR 235.1: the official Swiss statute number, stable across language versions
All refer to the same law.
Scope and Applicability
Who the nFADP Covers
The nFADP applies to the processing of personal data of natural persons by:
- Private individuals and private-sector organizations (companies, associations, foundations, sole traders)
- Federal government bodies
A significant change from the 1992 law: the nFADP protects only natural persons. The old law also extended protection to legal entities (companies), which was unusual internationally. Removing corporate data subjects aligns Switzerland with the GDPR approach and with the Council of Europe's Convention 108+.
Extraterritorial Reach
Article 3 of the nFADP establishes explicit extraterritorial scope. The law applies to any processing operation that produces effects in Switzerland, regardless of where the data controller or processor is located.
In practical terms, this covers three categories of foreign organizations:
- Organizations that offer goods or services to individuals in Switzerland, whether for payment or free of charge
- Organizations that monitor the behavior of individuals in Switzerland (for example, through cookies, tracking pixels, or behavioral analytics)
- Organizations that process personal data on behalf of Swiss-based controllers
Representative Requirement for Foreign Controllers
Foreign controllers and processors that regularly process personal data of individuals in Switzerland on a large scale, where that processing poses a high risk to data subjects, must appoint a representative in Switzerland under Article 14 of the nFADP. The representative must be either a company registered in Switzerland or an individual residing in Switzerland, and must be named in the organization's privacy notice. The representative is the point of contact for data subjects and for the FDPIC.
Core Principles
Lawfulness and Good Faith
Personal data must be processed lawfully and in good faith. There is a fundamental structural difference here from the GDPR: under Swiss law, processing by private entities is generally permitted unless it violates the data subject's personality rights under Article 26 of the Civil Code. The nFADP does not require controllers to identify a specific legal basis (consent, legitimate interest, contract, etc.) for every processing activity, as Article 6 GDPR does.
This means consent is not the default prerequisite for ordinary personal data processing in Switzerland. A legal basis is required only when processing infringes personality rights, or when processing involves sensitive data or high-risk profiling.
Proportionality and Purpose Limitation
Personal data may only be collected for a specific purpose that is recognizable to the data subject, and may only be processed in a manner compatible with that purpose. The data collected must be limited to what is proportionate to the stated purpose (Article 6 nFADP).
Data Accuracy
Controllers must ensure personal data is accurate and up to date. Where data is inaccurate, it must be corrected or deleted. This obligation is ongoing, not a one-time collection requirement.
Privacy by Design and Privacy by Default
The nFADP formally codifies both principles in Article 7:
- Privacy by Design requires organizations to build data protection into systems and processes from the earliest design stage, selecting technical and organizational measures that minimize data processing.
- Privacy by Default requires that default settings limit data processing to the minimum necessary for the declared purpose. Users must not have to take active steps to restrict unnecessary data collection; restrictive settings must be the default.
Neither principle appeared in the 1992 law. Their formal codification introduces compliance obligations for system architects, product managers, and IT procurement teams, not just privacy lawyers.
Sensitive Personal Data
An Expanded Definition
The nFADP expanded the categories of sensitive personal data. Under Article 5(c) nFADP, sensitive personal data includes:
| Category | Notes |
|---|---|
| Religious, philosophical, political, or trade union views or activities | Same as GDPR |
| Health data | Same as GDPR |
| Intimate or private life, including sexual orientation | Same as GDPR |
| Race or ethnicity | Same as GDPR |
| Genetic data | New under the nFADP |
| Biometric data uniquely identifying a person | New under the nFADP |
| Administrative and criminal proceedings or sanctions | Broader than GDPR special categories |
| Social security measures | Broader than GDPR special categories |
The last two categories, administrative and criminal proceedings and social security data, extend the Swiss sensitive-data definition beyond the GDPR's Article 9 list. Organizations processing these data types in Switzerland face stricter requirements than the GDPR imposes in the EU.
Processing sensitive personal data requires explicit consent unless another justification applies (public interest, legal obligation, or vital interest of the data subject).

Data Subject Rights
The nFADP significantly expanded individual rights compared to the 1992 law.
Right of Access (Article 25)
Any person may submit a written request to a data controller asking whether personal data concerning them is being processed. Upon receiving a valid request, the controller must provide:
- Its identity and contact details
- The personal data being processed
- The purpose of processing
- The retention period or criteria used to determine it
- The origin of data not collected directly from the subject
- Any automated individual decision-making applied, including profiling
- The recipients or categories of recipients to whom data has been or will be disclosed
The information must generally be provided free of charge within 30 days of the request. A controller may charge a fee only where the request is manifestly unfounded or excessive. The FDPIC's January 2025 ruling against Cembra Money Bank AG found the bank had answered 9 of 13 access requests outside the 30-day deadline, in violation of Article 25 nFADP, and had used a standardized response text that failed to provide the required individualized information.
Right to Data Portability (Article 28)
Data subjects may request their personal data in a commonly used, machine-readable electronic format, or ask the controller to transfer it directly to another controller. This right applies where the data was provided by the data subject and processed with their consent or for the performance of a contract.
Right to Rectification and Erasure
Data subjects may request correction of inaccurate personal data and deletion of data that is no longer necessary for its original purpose, where consent has been withdrawn, or where processing lacks a lawful basis.
Right to Object
Data subjects may object to the processing of their personal data. The controller must then demonstrate compelling legitimate grounds to continue or must cease processing.
Automated Decision-Making
Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, that significantly affects them, unless they have consented, the decision is authorized by law, or it is necessary for the performance of a contract. Where an automated decision is made, the data subject may request that it be reviewed by a natural person.
Transparency: Duty to Inform
Under Articles 19 through 21 of the nFADP, controllers must proactively inform data subjects when collecting their personal data. This duty applies to all personal data, not only sensitive data, which is stricter than the 1992 law.
The required information includes:
- Identity and contact details of the controller, and of the Swiss representative if the controller is abroad
- Purpose of processing
- Recipients or categories of recipients of the data
- If data is transferred abroad: the destination country and the safeguards in place
When data is not collected directly from the individual, the controller must provide this information at the latest within one month of receiving the data, or before first disclosure to a third party if that occurs sooner.
Exceptions apply where notification would be disproportionately onerous, where the data was already known to the data subject, where recording or disclosure is explicitly required by law, or where overriding third-party interests require confidentiality.
Profiling Under Swiss Law
The nFADP draws a two-tier distinction that differs from the GDPR approach.
Standard profiling, meaning automated processing of personal data that evaluates certain personal aspects, does not require consent under Swiss law. A lawful basis is only needed if the profiling infringes personality rights.
High-risk profiling is defined in Article 5(f) as profiling that results in a profile of the personality of the data subject, meaning it produces a comprehensive picture of essential aspects of a person's life. High-risk profiling requires explicit consent from the data subject.
The GDPR by contrast requires a lawful basis for all profiling and grants data subjects a general right to object to profiling under Article 21, with stronger protections for solely automated profiling under Article 22. The Swiss model gives organizations more latitude for standard profiling while imposing a firm consent wall at the high-risk threshold.
Data Protection Impact Assessments
Article 22 of the nFADP requires a Data Protection Impact Assessment (DPIA) before any processing operation that is likely to result in a high risk to the personality or fundamental rights of data subjects. High-risk processing includes:
- Large-scale processing of sensitive personal data
- Systematic monitoring of large public areas (for example, CCTV coverage of a city center)
- High-risk profiling
If the DPIA reveals that the planned processing would still present a high risk despite planned mitigation measures, the controller must consult the FDPIC before beginning the processing, unless the organization has appointed a Data Protection Advisor, which provides an exemption from this prior consultation obligation.
There is no prescribed format for DPIAs under the nFADP. Organizations may follow GDPR DPIA methodology, which the FDPIC considers adequate, or develop their own structured assessments.
Data Breach Notification
The nFADP introduced mandatory breach notification for the first time in Swiss data protection law.
Controller Obligations
Under Article 24 nFADP, a controller must notify the FDPIC as soon as possible when a data security breach is likely to result in a high risk to the personality or fundamental rights of affected individuals. There is no fixed deadline equivalent to the GDPR's 72-hour window. The FDPIC has published detailed guidelines on data breaches and operates a dedicated online notification portal.
Controllers must also notify affected data subjects if notification is necessary for their protection, or if the FDPIC requires it.
Processor Obligations
Data processors must notify the controller as soon as possible of any breach. The controller then bears responsibility for assessing whether FDPIC notification and data subject notification are required.
The "High Risk" Threshold
The nFADP's notification threshold is "high risk to personality or fundamental rights," which is a higher bar than the GDPR's standard of "risk to the rights and freedoms of natural persons." Breaches posing a moderate or low risk do not trigger notification obligations under Swiss law. Organizations operating in both Switzerland and the EU may therefore face GDPR notification duties for incidents that fall below the Swiss notification threshold.

Cross-Border Data Transfers
Adequacy Decisions
The Federal Council maintains an official list of countries whose data protection is recognized as adequate under Article 16 nFADP and Article 8 DPO. Personal data may flow freely to countries on this list without additional safeguards. The FDPIC's adequacy list and the Federal Office of Justice's recognition database are the authoritative sources and are updated as new countries are assessed.
Switzerland's EU Adequacy Status
The European Commission's January 15, 2024 adequacy report confirmed that Switzerland continues to provide adequate data protection under the GDPR. The Commission's review specifically cited the nFADP's modernization as strengthening the adequacy basis. The next scheduled Commission review under Article 97(2) GDPR is not due until approximately 2028. Swiss-to-EU and EU-to-Swiss personal data transfers may continue without additional safeguards.
Swiss-US Data Privacy Framework
On August 14, 2024, the Federal Council decided that the Swiss-US Data Privacy Framework (Swiss-US DPF) provides adequate protection for transfers of personal data to certified US companies. The Swiss-US DPF took effect on September 15, 2024. US organizations certified under the framework and listed on the Data Privacy Framework website may receive Swiss personal data without additional transfer safeguards.
As of May 2026, the Swiss-US DPF remains operational. However, organizations are advised to maintain backup transfer mechanisms such as Standard Contractual Clauses with Swiss Add-ons, given the uncertainty that has historically surrounded US transfer frameworks following the Schrems I and Schrems II decisions in the EU context.
Standard Contractual Clauses: The Swiss Finish
For transfers to countries without an adequacy finding, Swiss Standard Contractual Clauses are the most commonly used mechanism. The FDPIC has issued guidance indicating that organizations may adapt the EU-approved SCCs for Swiss purposes by adding "Swiss Finish" clauses. These modifications typically:
- Replace references to the GDPR with references to the nFADP
- Designate the Swiss courts or the FDPIC as the competent supervisory authority
- Incorporate Swiss-specific data subject rights
A Transfer Impact Assessment should accompany SCC-based transfers to jurisdictions that pose elevated legal risks to data subjects (for example, jurisdictions with broad government surveillance powers).
Other Transfer Mechanisms
Additional recognized transfer mechanisms under Article 16 nFADP include:
- Binding Corporate Rules approved by the FDPIC
- Standard data protection clauses approved by the FDPIC
- Codes of conduct approved by the FDPIC
- Explicit consent of the data subject after being informed of the destination and the absence of adequate protection
- Performance of a contract with the data subject or in their interest
- Overriding public interests
The FDPIC: Switzerland's Supervisory Authority
The Federal Data Protection and Information Commissioner (FDPIC) is Switzerland's independent national data protection authority. The office is based in Bern and reports to the Federal Council.
Expanded Powers Under the nFADP
The nFADP substantially strengthened the FDPIC's supervisory toolkit compared to the 1992 law, under which the Commissioner could only issue recommendations that parties were free to ignore:
- Preliminary enquiries: Low-threshold preliminary examinations where there is a suspicion of a data protection issue. These can be concluded without opening a formal investigation.
- Formal investigations: Opened under Article 49 ff nFADP where there are clear indications of a violation. The FDPIC may gather evidence and compel production of documents.
- Binding administrative orders: Following an investigation, the FDPIC may issue legally binding orders requiring a controller or processor to modify or cease specific processing activities. These orders are enforceable and may be appealed to the Federal Administrative Court.
- Mandatory DPIA consultation: Controllers must consult the FDPIC before proceeding where a DPIA reveals high residual risk (unless a Data Protection Advisor is in place).
- Amicus participation: The FDPIC may participate in court proceedings involving data protection matters.
What the FDPIC Cannot Do
The FDPIC cannot impose fines. This is a fundamental structural difference from EU Data Protection Authorities, which under the GDPR may levy administrative fines of up to EUR 20 million or 4% of global annual turnover. In Switzerland, monetary penalties rest exclusively with cantonal criminal prosecution authorities, and only for intentional violations.
Enforcement Track Record (2023-2026)
Since the nFADP entered into force, the FDPIC has steadily increased enforcement activity:
- By November 2024, the FDPIC had opened 26 preliminary enquiries and formal investigations, with seven concluded, according to the FDPIC's November 2024 enforcement figures published at edoeb.admin.ch.
- Staffing for enforcement activities increased by approximately 30 percent in the 2024/2025 period.
- Mediation requests increased by 53 percent, with the FDPIC reaching mutually agreed solutions in 76 percent of cases.
Key enforcement actions concluded since the nFADP took effect include:
| Date | Case | Outcome |
|---|---|---|
| April 2024 | Digitec Galaxus (online retailer) | FDPIC found linking ordering to account creation violated proportionality; recommended one-click opt-out from behavioral profiling |
| November 2025 | Digitec Galaxus (closure) | Company implemented one-click personalisation opt-out; FDPIC closed the case |
| January 29, 2025 | Cembra Money Bank AG | Binding order: bank violated 30-day deadline for access requests and used inadequate standardized response texts |
| April 28, 2025 | Inkasso-Team AG | Binding order: debt collector's publication of alleged debtors' names on public website violated proportionality and transparency; ordered to delete published data. Decision appealed to Federal Administrative Court. |
| May 16, 2025 | PostFinance AG | Binding order: bank's use of voice recognition for authentication constituted biometric data processing without explicit consent; ordered to obtain express consent and delete voiceprints lacking consent |
| October 6, 2025 | Bürgerforum Schweiz | Federal Administrative Court upheld FDPIC's processing ban on the citizens' association for publishing individuals' religious beliefs without consent |
| 2026 (ongoing) | BLT Baselland Transport AG | Investigation opened into use of bodycams by train attendants |
Criminal Penalties: Switzerland's Unique Individual-Liability Model
Structure of the Penalty Regime
Articles 60 through 66 of the nFADP establish the criminal penalty framework. The maximum fine is CHF 250,000 (approximately EUR 263,000 at May 2026 exchange rates). This fine is imposed on the natural person who committed the violation, not on the organization as an entity. The legislative history of the nFADP makes clear that Parliament intended these penalties to target management personnel and decision-makers, not front-line employees carrying out instructions.
This model is effectively unique globally. The GDPR imposes administrative fines on the organization itself. Canada's PIPEDA imposes fines on organizations. Australia's Privacy Act imposes penalties on entities. Switzerland's choice to target the individual is a deliberate legislative policy choice rooted in Swiss criminal law tradition, which generally requires a responsible natural person for criminal sanctions.
Intent Requirement: Only Willful Violations Are Punishable
Only intentional (willful) violations trigger criminal penalties under the nFADP. Negligent violations, including failures arising from poor data governance, inadequate systems, or organizational oversights, are not punishable. Prosecutors must establish that the accused acted with intent to violate the law.
This intent requirement substantially narrows the scope of criminal exposure compared to the GDPR, where administrative fines may be imposed for negligent violations. However, it creates particular risk for individuals who knowingly disregard clear compliance obligations.
Specific Criminal Offenses
| Article | Offense |
|---|---|
| Art. 60 | Violating the duty to provide information, the access right, or the duty to cooperate with the FDPIC; providing false information to the FDPIC |
| Art. 61 | Cross-border transfer without adequate safeguards; failing to engage processors meeting security requirements; failing to meet minimum data security standards |
| Art. 62 | Breach of professional confidentiality: intentionally disclosing confidential personal data obtained through professional activities |
| Art. 63 | Violating the duty to appoint a Swiss representative for foreign organizations |
Company Liability as Exception
Where identifying the specific responsible individual within a company would require disproportionate investigative effort, the company itself may be fined up to CHF 50,000. This subsidiary entity liability is the exception rather than the rule and applies only when the per-individual attribution is genuinely impracticable.
Prosecution by Cantonal Authorities
Criminal cases under the nFADP are handled by the cantonal criminal prosecution authorities, not by the FDPIC. The FDPIC does not have standing to file criminal complaints. This decentralized model means enforcement may vary across cantons, and as of May 2026 there have been no publicly reported criminal convictions under the new law.

Record of Processing Activities
Controllers and processors must maintain a written record of their processing activities under Article 12 nFADP. The record must include:
- Identity of the controller or processor
- Purpose of each processing activity
- Categories of data subjects and personal data processed
- Categories of recipients, including cross-border recipients
- Destination countries and safeguards for cross-border transfers
- Retention periods or determination criteria
- General description of technical and organizational security measures
SME Exemption
Organizations with fewer than 250 employees are exempt from the record-keeping obligation under Article 24(2) DPO, provided their data processing does not pose a significant risk to the personality or fundamental rights of data subjects. This exemption has no equivalent in the GDPR, which applies to all organizations regardless of size except for a narrow exception for occasional processing by SMEs.
The exemption is conditional. An SME that processes sensitive personal data at scale, conducts high-risk profiling, or systematically monitors individuals loses the exemption and must maintain full processing records.
Data Protection Advisor
Voluntary for Private Organizations
Unlike the GDPR, which mandates a Data Protection Officer (DPO) for certain categories of controller (public bodies, organizations conducting large-scale systematic monitoring, or large-scale sensitive data processors), the nFADP does not require private organizations to appoint a Data Protection Advisor (Datenschutzberater/-beraterin).
The Compliance Incentive
Appointing a Data Protection Advisor provides a concrete compliance benefit: organizations with an advisor are exempt from the obligation to consult the FDPIC when a DPIA reveals high residual risk. This exemption is particularly valuable for organizations that regularly conduct DPIAs, since FDPIC consultation can cause delays to planned processing activities.
Federal government bodies are required to appoint a Data Protection Advisor under Article 10 nFADP.
Comparing the nFADP and the GDPR
While the nFADP was designed to remain compatible with the GDPR and preserve the EU adequacy finding, meaningful differences remain that organizations must track when operating across both jurisdictions.
| Feature | nFADP (Switzerland) | GDPR (EU/EEA) |
|---|---|---|
| Legal basis requirement | Not required for all processing; required only when personality rights are infringed | Required for every processing operation (Art. 6) |
| Who is penalized | The individual natural person responsible | The organization (controller or processor) |
| Maximum penalty | CHF 250,000 on individual | EUR 20M or 4% global turnover on organization |
| Intent requirement | Only willful violations punishable | Both intentional and negligent violations covered |
| Supervisory authority fines | FDPIC cannot fine | DPAs can fine directly |
| Breach notification deadline | "As soon as possible" (no fixed period) | 72 hours |
| DPO / Data Protection Advisor | Voluntary for private sector | Mandatory in specified circumstances |
| SME record-keeping exemption | Yes (under 250 employees, low-risk processing) | No general SME exemption |
| Sensitive data scope | Broader: includes admin/criminal proceedings, social security data | Narrower enumerated list (Art. 9) |
| Profiling consent | Required only for high-risk profiling | Lawful basis required; right to object to all profiling |
| Data subjects covered | Natural persons only | Natural persons only |
| Extraterritorial scope | Yes, effects in Switzerland | Yes, targeting EU residents |
AI and Data Protection
The FDPIC has confirmed that the nFADP applies directly to AI-powered data processing. The law is drafted in a technology-neutral manner: AI systems that process personal data of individuals in Switzerland must comply with the nFADP's principles of lawfulness, purpose limitation, proportionality, and data minimization.
Specific guidance published by the FDPIC establishes that:
- Manufacturers, providers, and users of AI applications must ensure that individuals affected retain the greatest possible degree of control over their personal data
- AI systems must make their purpose, functionality, and data sources transparent
- AI-supported processing that poses high risks requires a DPIA
- Prohibited AI applications include real-time mass facial recognition in public spaces and social scoring systems
In March 2025, Switzerland signed the Council of Europe Convention on Artificial Intelligence, Human Rights, Democracy and the Rule of Law (the "Vilnius Convention"). The Federal Council announced that the necessary amendments to Swiss law to ratify the Convention would be prepared. This signals that Switzerland's AI governance framework will continue to develop and that data protection and AI regulation will be treated as closely interrelated.
In January 2026, the FDPIC joined more than 60 international data protection authorities in a joint statement on AI-generated images and privacy protection, confirming that generating realistic images of real individuals without consent can constitute a violation of data protection law.
Cookie Guidance and Tracking Technologies
The FDPIC published updated cookie guidelines on January 22, 2025, and a revised factsheet on March 27, 2026. Key conclusions from the FDPIC's guidance include:
- Behavioral advertising: Integrating third-party cookies or similar technologies that share visitor data with advertisers in exchange for payment requires the data subject's consent, because this constitutes a disclosure of personal data to third parties for purposes not apparent from the initial collection.
- Location data: Profiling based on location data often constitutes high-risk profiling because location data enables identification of the individual and can reveal essential aspects of personality. Such profiling requires explicit consent.
- Cookie paywalls: Whether a choice between consent or a paid subscription constitutes valid consent requires assessment on the specific facts. The FDPIC's guidance sets out conditions under which such consent can be lawfully obtained.
Sector-Specific Considerations
Financial Services
Switzerland's banking secrecy tradition, embedded in Article 47 of the Banking Act (SR 952.0), intersects with the nFADP in complex ways. Financial institutions must balance data protection requirements against anti-money laundering reporting obligations, tax information exchange agreements, and financial market supervision requirements under FINMA supervision. The FDPIC's 2025 ruling against Cembra Money Bank is the clearest signal yet that financial sector data practices will receive scrutiny under the new law.
Healthcare
Health data is classified as sensitive under Article 5(c) nFADP. Healthcare providers, insurers, pharmaceutical companies, and research institutions processing health data must apply heightened safeguards, conduct DPIAs for large-scale health data processing, and identify a lawful basis for sensitive data processing. Cross-border clinical trials involving Switzerland must address transfer mechanism requirements for health data flows.
Technology, Cloud Services, and SaaS
Cloud providers, SaaS platforms, and IT service companies serving Swiss clients operate as data processors under the nFADP and must satisfy Article 9 requirements: processing only on documented controller instructions, implementing adequate technical and organizational security measures, notifying controllers of breaches as soon as possible, and supporting controller compliance with data subject rights requests. Foreign SaaS providers with large-scale Swiss user bases may need to appoint a Swiss representative under Article 14 nFADP.
Practical Compliance Checklist
Organizations subject to the nFADP should complete these steps:
- Map processing activities. Document all personal data processing involving individuals in Switzerland. Confirm whether the SME exemption from record-keeping applies.
- Update privacy notices. Ensure notices disclose the controller's identity and Swiss representative (if applicable), processing purposes, recipients, cross-border transfer destinations and safeguards, and data subject rights.
- Review legal bases for sensitive data. Identify where explicit consent or another justification is needed for sensitive data or high-risk profiling.
- Audit cross-border transfers. Verify that all international flows to non-adequate countries use SCCs with Swiss Finish, Binding Corporate Rules, or another recognized mechanism. Conduct Transfer Impact Assessments where required.
- Establish breach response procedures. Set up internal processes to detect, triage, and report breaches to the FDPIC's online portal. Assign responsibility chains clearly to specific individuals, given personal criminal exposure.
- Conduct DPIAs for high-risk processing. Identify all high-risk processing operations and complete DPIAs before launch. Consider appointing a Data Protection Advisor to gain the FDPIC prior-consultation exemption.
- Review processor contracts. Ensure all data processing agreements satisfy nFADP requirements for security, breach notification, sub-processor restrictions, and access right support.
- Train staff on individual liability. Because the nFADP imposes criminal sanctions on individuals, training must reach decision-makers. Staff who authorize data processing must understand they, personally, bear criminal exposure for willful violations.
- Monitor FDPIC enforcement guidance. The FDPIC regularly publishes new guidance, investigation outcomes, and binding orders. Subscribe to FDPIC news releases at edoeb.admin.ch.
Recent Developments
This article presents general legal information about Switzerland's Federal Act on Data Protection (nFADP/revDSG, SR 235.1) as verified in May 2026. It does not constitute legal advice and does not address any individual's or organization's specific circumstances. Data protection law and its enforcement practice continue to evolve. Organizations subject to the nFADP should consult a lawyer licensed in Switzerland for advice on their specific compliance obligations.
Frequently Asked Questions
Does the EU GDPR apply to Swiss companies?
The GDPR does not apply directly to Swiss-domiciled companies processing data inside Switzerland. Switzerland is not an EU or EEA member state and operates under its own nFADP (SR 235.1). However, a Swiss company that offers goods or services to EU or EEA residents, or that monitors the behavior of EU residents, must comply with the GDPR in respect of those activities under Article 3(2) GDPR, regardless of the nFADP. Many Swiss organizations therefore operate under both regimes in parallel.
How are nFADP penalties different from GDPR fines?
The nFADP imposes criminal fines of up to CHF 250,000 on the individual natural person responsible for a violation, not on the company. Only intentional violations are punishable; negligence is not covered. The GDPR, by contrast, imposes administrative fines of up to EUR 20 million or 4% of global annual turnover on the organization itself, and covers both intentional and negligent violations. If identifying the responsible individual would require disproportionate investigative effort, a Swiss company may be fined up to CHF 50,000 as a subsidiary measure.
Is a Data Protection Officer required under Swiss law?
No. The nFADP does not require private organizations to appoint a Data Protection Advisor (Datenschutzberater/-beraterin), the Swiss equivalent of a DPO. Appointment is voluntary. However, appointing an advisor provides a practical benefit: it exempts the organization from the obligation to consult the FDPIC before proceeding with processing that a DPIA identifies as high residual risk. Federal bodies are required to appoint a Data Protection Advisor under Article 10 nFADP.
Can personal data be transferred from Switzerland to the United States?
Yes, through several mechanisms. Since September 15, 2024, the Swiss-US Data Privacy Framework allows transfers to certified US companies listed at dataprivacyframework.gov. For non-certified US companies, organizations should use Standard Contractual Clauses with Swiss Add-ons and accompany them with a Transfer Impact Assessment. Binding Corporate Rules approved by the FDPIC are also available. Organizations are advised to maintain backup mechanisms given the historical uncertainty around US transfer frameworks.
What is the deadline for reporting a data breach to the FDPIC?
The nFADP requires notification "as soon as possible" when a breach is likely to result in a high risk to the personality or fundamental rights of the affected individuals. There is no fixed deadline comparable to the GDPR's 72-hour rule. The FDPIC has published guidelines and operates a dedicated breach notification portal at edoeb.admin.ch. Data processors must notify their controllers as soon as possible; controllers must then assess and, if required, notify the FDPIC and affected individuals.
Does Switzerland's nFADP require consent to process personal data?
Not for ordinary personal data. Unlike the GDPR, which requires a specific legal basis for every processing operation, the nFADP permits processing by private entities as a default unless it infringes the data subject's personality rights. Consent or another justification is required specifically when processing sensitive personal data, conducting high-risk profiling, or engaging in other processing that infringes personality rights. The distinction is significant for organizations moving from GDPR-compliant practices: their existing consent infrastructure may be more expansive than Swiss law strictly requires.
What is the role of the FDPIC?
The Federal Data Protection and Information Commissioner (FDPIC) is Switzerland's independent national data protection supervisory authority. The FDPIC supervises compliance with the nFADP, opens preliminary enquiries and formal investigations, issues legally binding administrative orders requiring modification or cessation of processing, provides guidance documents and recommendations, must be consulted when a DPIA reveals high residual risk (unless a Data Protection Advisor is in place), and participates in legislative consultations. The FDPIC cannot impose fines; criminal fines are handled by cantonal prosecution authorities.
Do Swiss data protection laws apply to foreign companies?
Yes. Article 3 nFADP establishes extraterritorial scope. Any organization that processes personal data of individuals in Switzerland, offers goods or services to Swiss residents, or monitors Swiss residents' behavior must comply with the nFADP, regardless of where that organization is established. Foreign controllers and processors meeting certain thresholds (regular large-scale processing posing high risk) must also appoint a Swiss representative under Article 14 nFADP.
What is the Swiss-US Data Privacy Framework?
The Swiss-US Data Privacy Framework (Swiss-US DPF) is a bilateral transfer mechanism that allows personal data to flow from Switzerland to US companies that have self-certified their compliance with the Framework's data protection principles. The Federal Council found the Framework adequate on August 14, 2024, and it took effect on September 15, 2024. Certified companies are listed at dataprivacyframework.gov. Organizations should monitor the Framework's status and maintain backup transfer mechanisms such as Swiss SCCs.
What is the SME exemption under Swiss data protection law?
Under Article 24(2) of the Data Protection Ordinance (DPO, SR 235.11), organizations with fewer than 250 employees are exempt from the obligation to maintain a record of processing activities, provided their data processing does not pose a significant risk to data subjects' personality rights. Organizations that process sensitive data at scale, conduct high-risk profiling, or systematically monitor individuals lose this exemption regardless of size. No comparable exemption exists under the GDPR.
Sources and References
- Federal Act on Data Protection (FADP), SR 235.1 - Official Consolidated Text (fedlex.admin.ch)
- Ordinance on Data Protection (DPO), SR 235.11 (fedlex.admin.ch)
- Ordinance on Data Protection Certification, SR 235.13 (fedlex.admin.ch)
- New Federal Act on Data Protection (nFADP) - Swiss Federal SME Portal (kmu.admin.ch)
- FDPIC - Guidelines on Data Breaches (edoeb.admin.ch)
- FDPIC - The New Data Protection Act in Figures (November 2024) (edoeb.admin.ch)
- FDPIC - Adequacy Decisions for International Data Transfers (edoeb.admin.ch)
- FDPIC - Supervisory Role and Powers Under the nFADP (edoeb.admin.ch)
- EU Adequacy Decision Regarding Switzerland (January 15, 2024) (edoeb.admin.ch)
- FDPIC Ruling Against Cembra Money Bank AG (January 29, 2025) (edoeb.admin.ch)
- FDPIC Ruling Against Inkasso-Team AG (April 28, 2025) (edoeb.admin.ch)
- FDPIC Concludes Investigation into Voice Recognition at PostFinance (May 16, 2025) (edoeb.admin.ch)
- FDPIC - Digitec Galaxus: Website Personalisation Opt-Out (November 2025) (edoeb.admin.ch)
- FDPIC Cookie Guidelines: Updated Version (January 22, 2025) (edoeb.admin.ch)
- FDPIC - AI and Data Protection (edoeb.admin.ch)
- New Data Protection Legislation - Federal Office of Justice (bj.admin.ch)
- Recognition of States with Adequate Data Protection - Federal Office of Justice (bj.admin.ch)
- Adequacy of Swiss Data Protection - Federal Office of Justice (bj.admin.ch)
- Swiss-US Data Privacy Framework: Federal Council Decision (August 14, 2024) (admin.ch)
- Swiss-US Data Privacy Framework - Certified Participant List (dataprivacyframework.gov)
- EU Data Protection Adequacy Decisions - European Commission (commission.europa.eu)
- Article 60 FADP - Criminal Penalties (Online Commentary) (onlinekommentar.ch)
- Data Protection Laws and Regulations 2025-2026: Switzerland (ICLG) (iclg.com)
- Chambers Data Protection and Privacy 2025 - Switzerland (practiceguides.chambers.com)