Switzerland's revised Federal Act on Data Protection (nFADP) - the new law that replaced the 1992 framework - fundamentally reshapes how businesses collect, process and transfer personal data in Switzerland. Companies that already comply with the EU General Data Protection Regulation (GDPR) will find significant overlap, but the nFADP contains distinct requirements that cannot be satisfied by GDPR compliance alone. Ignoring those differences exposes businesses to criminal liability, regulatory enforcement and reputational damage. This article maps the legal framework, identifies the tools available to controllers and processors, explains cross-border transfer rules, and outlines the practical steps international businesses must take to operate lawfully in Switzerland.
The legal framework: nFADP, its scope and relationship with GDPR
The revised Federal Act on Data Protection (Bundesgesetz über den Datenschutz, DSG; commonly abbreviated nFADP in English to distinguish it from the 1992 Act) entered into force on 1 September 2023. The accompanying Data Protection Ordinance (Datenschutzverordnung, DPO) and the Ordinance on Data Protection Certifications provide the implementing detail, including the list of countries with adequate protection and the exemptions from the record-keeping duty. Together they form the primary Swiss data protection architecture.
The nFADP applies to the processing of personal data of natural persons by private entities and federal bodies. Unlike the GDPR, it no longer covers data relating to legal persons - a distinction that matters for B2B data flows, where only the data of the individuals acting on behalf of a company (names, business e-mail addresses, roles) remains protected. The territorial scope is broader in its formulation than the GDPR's market-place principle: under Article 3 nFADP the Act applies to any circumstances that have an effect in Switzerland, even if they are initiated abroad. An entity outside Switzerland that offers goods or services to persons in Switzerland, monitors their behaviour, or otherwise processes their data in a way that produces effects in Switzerland should assume the Act applies.
A common mistake made by international businesses is to assume that GDPR compliance automatically satisfies Swiss requirements. The two regimes share a common philosophy but diverge on several concrete points: the nFADP uses the concept of 'sensitive personal data' (besonders schützenswerte Personendaten, Article 5(c) nFADP) rather than the GDPR's 'special categories', with a list that is similar but not identical; private-sector processing is lawful without a legal basis unless it breaches personality rights, which inverts the GDPR's logic; and the criminal liability provisions - which target natural persons, not companies - have no direct GDPR equivalent. The Federal Data Protection and Information Commissioner (FDPIC) is the supervisory authority. Under the revised Act the FDPIC can open investigations and issue binding orders requiring processing to be adjusted, suspended or terminated, but, unlike most EU data protection authorities, it cannot impose administrative fines on companies. Criminal sanctions under Articles 60 to 63 nFADP are imposed by the cantonal criminal authorities on the responsible natural persons and can reach CHF 250,000.
The European Commission's adequacy decision for Switzerland remains in force and was reaffirmed in the Commission's January 2024 review of its existing adequacy decisions, meaning data flows from the EU to Switzerland remain permissible without additional safeguards. However, Swiss law independently regulates outbound transfers from Switzerland to third countries, and that regime requires separate analysis.
Legal bases for processing and the role of consent
The starting point differs from the GDPR. A private controller in Switzerland does not need a legal basis to process personal data; processing is lawful as long as it respects the principles of Article 6 nFADP (lawfulness, good faith, proportionality, purpose limitation, accuracy) and does not unlawfully breach the data subject's personality rights. A breach of personality rights - for example processing against the data subject's express wishes, disclosing sensitive personal data to third parties, or processing in violation of the Article 6 principles (Article 30 nFADP) - must be justified. Article 31 nFADP recognises three justification grounds: the consent of the data subject, an overriding private or public interest, and a statutory provision. Article 31(2) lists examples of overriding private interests, including processing in direct connection with the conclusion or performance of a contract with the data subject and the processing of data for the purpose of credit assessment. There is therefore no single exhaustive catalogue of legal bases comparable to Article 6 GDPR.
The overriding private interest is the most practically significant justification for commercial processing and is the closest Swiss analogue to the GDPR's legitimate interest. A controller relying on it must conduct a balancing test: the interest must be real, not hypothetical, and must outweigh the interest of the data subject in not having the personality breach occur. Swiss courts and the FDPIC apply this test rigorously in sectors involving profiling, direct marketing and employee monitoring, and a controller should document the balancing before processing begins.
Where consent is required under the nFADP, it is valid only if given voluntarily, for one or more specific processing operations, after appropriate information (Article 6(6) nFADP). For sensitive personal data and high-risk profiling by a private person, consent must be express (Article 6(7) nFADP). A non-obvious risk is that consent obtained under a general terms-and-conditions clause is unlikely to satisfy the specificity requirement, particularly where the processing involves data shared with third-party analytics providers. Many international businesses import consent mechanisms designed for other jurisdictions and fail to adapt them to Swiss requirements.
Sensitive personal data under Article 5(c) nFADP includes data on religious, ideological, political or trade-union views or activities, health, the intimate sphere, racial or ethnic origin, genetic data, biometric data that uniquely identifies a person, data on administrative or criminal proceedings and sanctions, and data on social assistance measures. Disclosing such data to third parties is itself a breach of personality rights (Article 30(2)(c) nFADP) and therefore requires a justification: express consent, a statutory basis, or an overriding private or public interest. The threshold for lawfully handling this category is materially higher than for ordinary personal data, and the consequences of unlawful processing are correspondingly more severe.
Automated individual decisions - decisions based exclusively on automated processing that have legal effects on the data subject or significantly affect them - trigger specific obligations under Article 21 nFADP: the controller must inform the data subject of the decision, and the data subject may request to state their position and have the decision reviewed by a natural person. This provision applies to credit scoring, insurance underwriting and recruitment screening, among other contexts, unless the decision is in direct connection with a contract and the request is granted, or the data subject has expressly consented to an automated decision.
To receive a checklist on lawful processing bases and consent requirements under the nFADP for Switzerland, send a request to info@vlolawfirm.com.
Transparency obligations, privacy notices and data subject rights
Transparency is a foundational obligation under the nFADP. Article 19 requires controllers to inform data subjects at the time of collection about the identity and contact details of the controller, the purpose of processing, the recipients or categories of recipients, and, where data is disclosed abroad, the country of destination and the safeguards relied upon. Where data is not collected directly from the data subject, the controller must additionally state the categories of data collected and must provide the information no later than one month after obtaining the data, or at the time of disclosure to a third party if that occurs earlier.
Privacy notices must be written in plain language and must be genuinely accessible - not buried in multi-page terms. A common mistake is to publish a single global privacy notice that references GDPR and assume it covers Swiss requirements. The nFADP does not require disclosure of a legal basis, but it does require the notice to name the countries to which data is transferred and the safeguards used for each, which GDPR-compliant notices drafted for EU audiences frequently omit or reduce to a generic reference to 'countries outside the EEA'.
Data subjects in Switzerland hold a robust set of rights. The right of access (Article 25 nFADP) entitles individuals to obtain confirmation of whether their data is being processed, a copy of the data, and information about the processing. Controllers must respond within 30 days. The right to rectification, erasure and restriction of processing follow similar logic to the GDPR equivalents but are grounded in the nFADP's own provisions.
The right to data delivery or transfer (Article 28 nFADP) applies where the data subject provided the data, the controller processes it automatically, and the processing is based on consent or is in direct connection with the conclusion or performance of a contract. The controller must deliver the data in a commonly used electronic format, or transfer it directly to another controller where this is technically feasible. In practice, many businesses underestimate the technical infrastructure required to fulfil such requests at scale, particularly where data is held across multiple systems or third-party processors.
High-risk profiling - defined in Article 5(g) nFADP as profiling that poses a high risk to the personality or fundamental rights of the data subject because it links data in a way that allows essential aspects of the personality of a natural person to be assessed - triggers the express-consent requirement where consent is relied upon and, in most cases, a data protection impact assessment (DPIA). Controllers must proactively identify which of their processing activities fall into this category before they go live, not after a complaint is received.
Data protection impact assessments, DPO appointment and records of processing
A data protection impact assessment (DPIA) is mandatory under Article 22 nFADP where processing is likely to result in a high risk to the data subject's personality or fundamental rights. Indicators of high risk include large-scale processing of sensitive data, systematic monitoring of publicly accessible areas, and processing that combines datasets in ways that could reveal sensitive attributes. The FDPIC has published guidance on when a DPIA is required, and controllers should treat that guidance as a practical checklist rather than a theoretical reference.
Where a DPIA reveals a residual high risk that cannot be mitigated by technical or organisational measures, the controller must consult the FDPIC before commencing processing. This prior consultation mechanism - modelled on Article 36 GDPR - is rarely triggered in practice but carries significant consequences if bypassed: processing that should have been subject to prior consultation but was not may be challenged by the FDPIC through its investigative powers.
Appointment of a data protection advisor (Datenschutzberater, DSB) - the Swiss equivalent of a Data Protection Officer (DPO) - is not mandatory under the nFADP for private entities. However, appointing one carries a concrete procedural benefit: a controller that has consulted its DSB on the DPIA may dispense with prior consultation of the FDPIC (Article 23(4) nFADP). The exemption is available only if the advisor acts independently and without instructions, has the required expertise, holds no incompatible role, and the controller publishes the advisor's contact details and notifies them to the FDPIC (Article 10(3) nFADP). For businesses with complex or high-volume processing, this exemption has real operational value.
Records of processing activities are required under Article 12 nFADP. The Federal Council has exempted private companies with fewer than 250 employees whose processing presents only a low risk of breaching personality rights (Article 24 DPO). The records must document the identity of the controller, the purpose of processing, the categories of data subjects and data, the categories of recipients, the retention period or the criteria for determining it, where possible a general description of the security measures, and, for disclosures abroad, the destination country and the safeguards relied upon.
A non-obvious risk is that many small and medium-sized businesses assume the 250-employee threshold exempts them entirely. The exemption does not apply where the company processes sensitive personal data on a large scale or carries out high-risk profiling; in those cases the record-keeping duty applies regardless of headcount. Failing to maintain records in those circumstances is a compliance gap that the FDPIC can identify during an investigation.
To receive a checklist on DPIA requirements and records of processing obligations under the nFADP for Switzerland, send a request to info@vlolawfirm.com.
Cross-border data transfers from Switzerland
Switzerland maintains its own list of countries, territories and international organisations that provide adequate data protection. The list is adopted by the Federal Council and published in Annex 1 to the DPO. It largely mirrors the EU adequacy decisions but is not identical: a country with EU adequacy status does not automatically have Swiss adequacy status, and vice versa. Controllers must verify the Swiss list independently before relying on adequacy as a transfer mechanism.
Where the destination country lacks Swiss adequacy, the controller must use an appropriate safeguard under Article 16(2) nFADP. The primary mechanism is standard data protection clauses approved, issued or recognised by the FDPIC. Switzerland has not issued a separate set of clauses; instead, the FDPIC has recognised the European Commission's 2021 standard contractual clauses (EU SCCs) as adequate for transfers from Switzerland, provided they are adapted for Swiss law. The required adaptations include designating the FDPIC as the competent supervisory authority, applying Swiss law to the clauses where the transfer is governed by the nFADP, reading references to EU member states so that they do not exclude data subjects in Switzerland from suing in Switzerland, and extending the clauses to cover any data of legal persons still protected during the transition from the old Act. Using the EU SCCs verbatim, without these Swiss amendments, is a common mistake that creates a technical compliance gap even where the substantive protections are equivalent. Where a controller drafts its own contractual clauses instead, those must be notified to the FDPIC in advance (Article 16(2)(b) nFADP).
Binding corporate rules (BCRs) are available for intra-group transfers. Under Article 16(2)(e) nFADP they must have been approved in advance either by the FDPIC or by a data protection authority of a country that Switzerland recognises as providing adequate protection, which includes the EU member states. The approval process is resource-intensive and typically takes many months. BCRs are most appropriate for large multinational groups with high volumes of intra-group data flows. For smaller groups or occasional transfers, standard contractual clauses are more practical.
Derogations are available under Article 17 nFADP for transfers where the data subject has given explicit consent, where the transfer is necessary for the performance of a contract, or where it is necessary for the establishment, exercise or defence of legal claims. These derogations are narrow and cannot substitute for a systematic transfer mechanism where transfers are regular or large-scale.
Three practical scenarios illustrate the transfer analysis. First, a Swiss-based financial services firm transferring employee data to a US parent company must check whether the parent is certified under the Swiss-U.S. Data Privacy Framework, which the Federal Council added to the Swiss adequacy list with effect from 15 September 2024; if the parent is not certified, the firm must put the EU SCCs with Swiss amendments in place and document a transfer impact assessment. Second, a Swiss e-commerce business using a cloud provider with servers in Japan must verify whether Japan appears in Annex 1 DPO and, if not, execute the Swiss-adapted SCCs with the provider. Third, a Swiss subsidiary of a German group that already has BCRs approved by a German data protection authority may rely on them under Article 16(2)(e) nFADP, because Germany is on the Swiss adequacy list, but only if the BCRs actually bind the Swiss entity and address transfers from Switzerland; BCRs whose scope is limited to EU entities must be extended before they cover Swiss-origin data.
The FDPIC has signalled that it will scrutinise transfer mechanisms more actively following the entry into force of the nFADP. Controllers that relied on informal arrangements or outdated contractual clauses under the 1992 regime face a material compliance gap that should be addressed as a priority.
Data breach notification, enforcement and criminal liability
The nFADP introduces a mandatory data breach notification obligation for the first time in Swiss law. Under Article 24 nFADP, controllers must notify the FDPIC as soon as possible when a security breach is likely to result in a high risk to the personality or fundamental rights of the data subjects. The notification must describe the nature of the breach, its likely consequences, the measures taken or proposed, and the categories and approximate number of data subjects affected.
The nFADP does not specify a fixed notification deadline in hours, unlike the GDPR's 72-hour rule. The standard is 'as quickly as possible', which in practice means as promptly as the circumstances allow - a matter of days rather than weeks, once the controller has enough information to describe the breach and assess the risk. Controllers must also inform affected data subjects directly where this is necessary for their protection or where the FDPIC requires it (Article 24(4) nFADP).
Processors must notify controllers of breaches without undue delay. This obligation should be reflected in data processing agreements (DPAs), which must be in place between controllers and processors under Article 9 nFADP. A common mistake is to use DPAs drafted for GDPR compliance without adapting them to Swiss requirements, particularly the breach notification chain and the specific obligations of processors under Swiss law.
Enforcement under the nFADP operates through two channels. The FDPIC can open an investigation ex officio or on a complaint (Article 49 nFADP) and, if it finds a breach, issue a binding administrative order requiring the controller or processor to adjust, suspend or terminate the processing, or to delete or destroy the data (Article 51 nFADP). Orders are appealable to the Federal Administrative Court. The FDPIC cannot impose fines on companies. Criminal sanctions under Articles 60 to 63 nFADP target natural persons - typically directors, compliance officers or employees responsible for the decision - for wilful breaches of the duties to inform, to provide access, to cooperate with the FDPIC, to meet the conditions for transfers abroad and for engaging processors, to comply with minimum data security requirements, and to obey FDPIC orders. Fines can reach CHF 250,000. Where identifying the responsible individual would require disproportionate investigative effort, the company itself may be fined up to CHF 50,000 (Article 64 nFADP). Prosecutions are handled by the cantonal authorities, and the standard of proof is the criminal standard.
The personal criminal liability dimension is the most significant departure from the GDPR framework and the one most frequently underestimated by international businesses. Under the GDPR, liability falls on the company. Under the nFADP, the individual who made the decision - or failed to make it - faces personal prosecution. This creates a strong incentive for boards and senior management to ensure that data protection governance is genuinely embedded in the organisation, not delegated entirely to a compliance function without adequate oversight.
The cost of non-compliance extends beyond criminal fines. Reputational damage, loss of client trust, and the operational burden of responding to an FDPIC investigation are material business risks. Lawyers' fees for managing an FDPIC investigation or defending criminal proceedings typically start from the low thousands of CHF and can escalate significantly depending on the complexity of the matter and the volume of data involved.
To receive a checklist on data breach response procedures and criminal liability exposure under the nFADP for Switzerland, send a request to info@vlolawfirm.com.
FAQ
What is the most significant practical difference between the nFADP and the GDPR for a business already compliant with the GDPR?
The most significant difference is the criminal liability framework. The GDPR imposes administrative fines on companies; the nFADP imposes criminal sanctions on natural persons, including directors and compliance officers. A business that has invested in GDPR compliance has addressed many substantive requirements, but it must separately ensure that its Swiss operations have clear governance structures that identify who is personally responsible for each compliance obligation. Additionally, the EU SCCs must be adapted with the FDPIC's Swiss amendments for transfers from Switzerland, the Swiss adequacy list must be checked independently of the EU's, and the nFADP's provisions on sensitive personal data and high-risk profiling have their own definitions that do not map exactly onto GDPR special categories.
How quickly must a data breach be reported to the FDPIC, and what happens if notification is delayed?
The nFADP requires notification 'as quickly as possible' after the controller becomes aware of a breach likely to result in a high risk to data subjects. There is no fixed 72-hour window as under the GDPR; in practice notification is expected within days of awareness. Failure to notify is not itself listed among the criminal offences in Articles 60 to 63 nFADP, so delay does not automatically trigger personal liability, but it is a factor the FDPIC will weigh when assessing whether the controller took appropriate measures and may prompt an investigation and a binding order. Where delay is attributable to a deliberate decision by an individual rather than operational complexity, that individual's exposure under the criminal provisions that do apply - for example a wilful failure to meet minimum security requirements - should be assessed.
Should a business operating in both the EU and Switzerland appoint a single DPO or separate advisors for each regime?
The GDPR requires appointment of a DPO in certain circumstances; the nFADP does not mandate appointment of a data protection advisor (DSB) but incentivises it through the prior consultation exemption. A single individual can serve as both GDPR DPO and nFADP DSB, provided they have sufficient knowledge of both regimes and sufficient resources to perform both roles effectively. For businesses with significant Swiss operations, a combined role is operationally efficient. However, to activate the prior consultation exemption the controller must publish the DSB's contact details and notify them to the FDPIC (Article 10(3) nFADP), and that notification is a separate step from any GDPR DPO notification to an EU authority. Businesses that appoint a combined advisor without completing the Swiss notification lose the exemption benefit.
Conclusion
Switzerland's nFADP creates a compliance environment that is substantively close to the GDPR but legally distinct in ways that matter. Criminal liability for individuals, Swiss-specific amendments to the SCCs, a separate adequacy list, and nuanced provisions on sensitive data and profiling all require dedicated attention. Businesses that treat Swiss compliance as a subset of GDPR compliance risk material gaps that can result in personal criminal exposure for their management and regulatory scrutiny from the FDPIC. A structured compliance programme - covering justification grounds, transparency, transfer mechanisms, breach response and governance - is the most effective way to manage these risks.
Our law firm VLO Law Firm has experience supporting clients in Switzerland on data protection and privacy matters. We can assist with nFADP compliance assessments, adapting standard contractual clauses for transfers from Switzerland, advising on data breach response, structuring DPO and DSB appointments, and representing clients in FDPIC investigations. To receive a consultation, contact: info@vlolawfirm.com.