Swiss Privacy Framework

Swiss FADP
Compliance Programme

Navigate the revised Federal Act on Data Protection (revFADP). Our senior Swiss legal experts operationalize your compliance, shielding your executive team from CHF 250,000 personal criminal fines while enabling borderless data flows.


The New Reality of Swiss Data Protection

On September 1, 2023, Switzerland's completely overhauled Federal Act on Data Protection (revFADP) entered into force. Designed to secure Switzerland's adequacy status with the European Union, the new law is rigorous, extraterritorial, and fundamentally alters the risk profile for corporate executives.

Unlike the GDPR, which relies on multi-million Euro corporate fines, the Swiss framework targets the individual. Willful non-compliance is now a criminal offense carrying personal fines of up to CHF 250,000 against the responsible natural persons (directors, managers, or compliance officers). Ignorance of the new statutory requirements is not a valid legal defense.

The Core Shifts in the revFADP

To achieve compliance, organizations must completely overhaul their existing documentation and internal procedures. Key shifts include:

  • Data Protection by Design & Default (Art. 7): A strict legal requirement to bake privacy into product architecture. By default, systems must only process the absolute minimum data necessary for the specified purpose.
  • Expanded Information Duties (Art. 19): Privacy notices must now explicitly list all countries to which data is transferred and the exact safeguards (e.g., SCCs) relied upon.
  • Prompt Breach Notification (Art. 24): Breaches must be reported to the FDPIC "as soon as possible" if they result in high risk, requiring rapid incident response playbooks.

Applicable Legal Framework

Statutory Mandates (revFADP / DSG)

  • Article 7: Privacy by Design and by Default
    Controllers must implement appropriate technical and organisational measures from the planning stage to ensure compliance.
  • Article 12: Register of processing activities (RoPA)
    Mandates a comprehensive inventory of all data flows. (Exemptions exist for SMEs not conducting high-risk processing).
  • Article 22: Data Protection Impact Assessments (DPIA)
    Mandatory before initiating high-risk processing, especially regarding automated decision-making and extensive profiling.
  • Articles 60-63: Criminal Provisions
    Dictates the CHF 250,000 personal fines for willful violation of duties related to information, notification, cooperation, and professional secrecy.

Our Lifecycle Process

Our senior Swiss legal experts execute a methodical, phase-based implementation to construct your compliance architecture and insulate your executive team.

Phase 1: Diagnostic Gap Analysis

We map your current practices against the revFADP, specifically focusing on the "Swiss finishes" that differ from the EU GDPR.

Phase 2: Data Inventory (Art. 12 RoPA)

We legally categorize your data flows, ensuring all processors are documented and the legal bases for processing are strictly defined.

Phase 3: Policy Remediation (Art. 19 & 28)

We draft Swiss-compliant Datenschutzerklärungen (Privacy Notices) and negotiate strict Data Processing Agreements with your vendors.

Phase 4: Executive Liability Shielding

We implement internal reporting structures, train your DPO/Advisors, and establish breach response protocols to negate the risk of willful non-compliance under Article 60.

Are Your Directors Personally at Risk?

The revised FADP targets individuals, not just corporations. Secure a bespoke compliance framework built by senior Swiss legal engineers to eliminate this liability.


Who Needs This Service?

Because the revFADP asserts extraterritorial jurisdiction, this programme is critical for both domestic Swiss entities and international operators:

  • Swiss SMEs & Enterprises: Requiring total overhaul of legacy (1992 Act) policies to meet the stringent 2023 standards.
  • Global E-Commerce: Any business targeting Swiss consumers, accepting CHF payments, or shipping goods into the Confederation.
  • Tech & SaaS Platforms: Utilizing Swiss data centers or processing data on behalf of Swiss corporate clients (acting as Processors).
  • Multinational Groups: Sharing employee or customer data across borders, requiring complex Transfer Impact Assessments and Swiss SCC Addendums.

Common Mistakes: The "GDPR is Enough" Myth

A fatal error is assuming that because you are EU GDPR compliant, you are automatically Swiss FADP compliant. While the principles align, the specifics differ radically. For instance, the Swiss act does not impose an outright ban on processing without a legal basis (unless the processing violates personality rights), but its transparency rules on cross-border transfers are arguably stricter than the GDPR's.

Relying entirely on an EU Privacy Notice that fails to mention the FDPIC, fails to name your Swiss Representative (if applicable under Art. 14), and fails to list the specific countries where data is stored is a rapid path to regulatory enforcement and potential executive prosecution.

Frequently Asked Questions

Expert answers on building a Swiss FADP framework.

What is the revised Swiss FADP (revFADP)?

The revised Federal Act on Data Protection (revFADP or DSG in German) is Switzerland's modernized data privacy law, which entered into force on 1 September 2023. It aligns Swiss law with the EU GDPR to maintain the free flow of data, but introduces unique Swiss concepts, primarily focusing on personal criminal liability.

Does the revFADP apply to companies outside Switzerland?

Yes. Under its extraterritorial scope, the revFADP applies to any processing of personal data that has an 'effect' in Switzerland, even if the processing occurs entirely abroad. If you offer goods to the Swiss market or monitor Swiss citizens, you must comply.

How do the fines under the Swiss FADP differ from the GDPR?

Unlike the GDPR, which fines the corporate entity (up to €20M/4% turnover), the revFADP targets the responsible natural persons (directors, management, DPOs). Willful violations of information, cooperation, or security duties can result in personal criminal fines up to CHF 250,000.

What is Privacy by Design under the Swiss law?

Article 7 of the revFADP explicitly requires Data Protection by Design and by Default. You must integrate data protection into your technical architecture from the earliest planning stages and ensure that default settings strictly minimize data collection.

Do we need an inventory of processing activities (RoPA)?

Yes. Article 12 requires controllers and processors to maintain a register of processing activities. While there is an exemption for companies with fewer than 250 employees, it does not apply if your processing involves high-risk profiling or large volumes of sensitive data.

Are we required to conduct Data Protection Impact Assessments (DPIAs)?

Yes. Article 22 mandates a DPIA if the planned processing is likely to lead to a high risk to the personality or fundamental rights of the data subject, particularly when using new technologies, sensitive data, or extensive profiling.

What happens if we already comply with the EU GDPR?

While GDPR compliance gets you 90% there, the revFADP has distinct 'Swiss finishes'. You must update your privacy notices to mention the FDPIC (Swiss regulator), handle Swiss-specific international transfer addendums, and account for the personal criminal liability framework.

Who enforces the Swiss FADP?

The Federal Data Protection and Information Commissioner (FDPIC / EDÖB) oversees compliance. While the FDPIC does not directly issue the CHF 250,000 fines (these are issued by cantonal prosecution authorities), the FDPIC conducts investigations, issues binding administrative orders, and reports violations to prosecutors.

Shield Your Organization from FDPIC Enforcement

Move beyond baseline GDPR compliance. Let our senior legal team implement a robust Swiss FADP framework that protects your directors and your corporate reputation.


Disclaimer: This content is for informational purposes only and does not constitute legal advice or create a solicitor-client relationship. Data protection regulations, including the revFADP (DSG), are subject to change and specific application depends heavily on the context of your processing activities. Please consult directly with our legal team for advice tailored to your organization.