Data Breach
Response (revFADP)
When a data breach occurs, the clock starts. Navigate the "as soon as possible" FDPIC notification requirement under Article 24 of the revFADP with immediate, strategic legal intervention that protects your organization's reputation and shields executives from personal liability.
The "As Soon As Possible" Mandate
A data breach is an operational crisis, but mishandling the regulatory notification transforms it into a legal catastrophe. Under the revised Swiss Federal Act on Data Protection (revFADP), the notification framework differs subtly but crucially from the EU GDPR.
Instead of a rigid 72-hour countdown, Article 24(1) requires that breaches likely to lead to a high risk be reported to the FDPIC "as soon as possible." This is not a licence to delay: the FDPIC expects notification promptly after initial triage and risk assessment, and the time taken before notifying should itself be documented and justifiable. Attempting to suppress a high-risk breach invites severe regulatory scrutiny and, where false information is given to the FDPIC or minimum security requirements were willfully ignored, exposes the responsible individuals to the personal criminal fines that Swiss law imposes primarily on natural persons rather than on the company.
Determining the High-Risk Threshold
The Swiss threshold for reporting to the regulator is higher than in the EU. You are only required to notify the FDPIC if the breach is likely to lead to a high risk to the personality or fundamental rights of the data subject.
One of the most critical legal decisions during a crisis is making this threshold determination. Over-reporting burdens your organization and invites unnecessary FDPIC audits; under-reporting violates the law. If an unencrypted database of customer health records or financial profiles is exposed, the risk is severe, triggering mandatory FDPIC notification (Article 24(1)) and potential communication to the data subjects (Article 24(4)).
Applicable Legal Framework
Statutory Mandates (revFADP / DSG)
- Article 24(1): Notification to the FDPIC
"The controller shall notify the FDPIC as soon as possible of any data security breach that is likely to lead to a high risk to the personality or fundamental rights of the data subject."
- Article 24(2): Minimum content of the notification
The notification must at least state the nature of the breach, its consequences, and the measures taken or planned.
- Article 24(3): Processor obligations
The processor must notify the controller "as soon as possible" of a breach of data security.
- Article 24(4): Communication to Data Subjects
The controller must inform the data subject if it is necessary for their protection or if requested by the FDPIC.
- Article 61(c): Criminal Liability for Security Failures
Willful failure to comply with the minimum data security requirements issued by the Federal Council under Article 8(3) can result in personal criminal fines of up to CHF 250,000 for the responsible individuals.
Our Incident Response Protocol
When you engage our legal team during an active incident in Switzerland, we establish an immediate legal perimeter around your operations, taking control of the regulatory narrative.
Triage & Risk Assessment
We run the strict threshold test to determine whether the "high risk" criteria under Article 24 are met, documenting the decision, its reasoning and its timing so that it can be defended in any future FDPIC audit.
FDPIC Notification Drafting
If notification is required, we draft the formal submission to the FDPIC in the appropriate national language. Article 24(2) requires it to state at least the nature of the breach, its consequences and the measures taken or planned; we present those facts accurately and completely without admitting technical faults that have not yet been confirmed.
Data Subject Communication
If Article 24(4) is triggered, we draft the public/customer communications, ensuring they are empathetic, clear, and legally compliant to mitigate reputational damage.
Executive Liability Defense
We interface with the FDPIC throughout their investigation, demonstrating robust remediation to argue against any referrals for Article 60/61 criminal prosecution.
Are You Currently Experiencing a Breach?
Do not contact the FDPIC without legal representation, but do not let legal review stall the clock either: the notification must still be made "as soon as possible." Let our senior Swiss experts handle the regulatory fallout and protect your executive team.
Pre-Breach Preparation: Incident Response Plans
We strongly advise not waiting for an emergency. Article 8 requires controllers and processors to ensure data security appropriate to the risk through technical and organisational measures, and in practice that means a documented Incident Response Playbook that the FDPIC can be shown after an incident. We build these playbooks for:
- SaaS Providers: Establishing Article 24(3) processor protocols for notifying Swiss corporate clients "as soon as possible."
- Healthcare & InsurTech: Handling sensitive personal data (health and financial profiles) where an exposure will almost always meet the Article 24(1) high-risk threshold and is likely to require direct communication to data subjects under Article 24(4).
- E-commerce Platforms: Preparing for payment-skimming attacks that expose financial data, requiring rapid public relations and legal containment.
Enforcement Context: Executive Liability
The critical difference in Switzerland is the personal liability aspect. If an organization suffers a breach, and the subsequent FDPIC investigation reveals that the breach occurred because the responsible individuals willfully ignored the minimum data security requirements set under Article 8(3), the FDPIC may file a criminal complaint and the cantonal authorities prosecute.
Fumbling the breach notification process, in particular attempting a cover-up or providing misleading information to the FDPIC during its investigation, is a direct violation of Article 60 (providing false information or refusing to cooperate). A structured, legally guided breach response is your primary defense against a technical IT failure mutating into a personal criminal prosecution.
Frequently Asked Questions
Critical answers on Swiss breach reporting obligations.
What is the timeline for reporting a data breach under the revFADP?
Unlike the EU GDPR, which enforces a strict 72-hour deadline, Article 24 of the revFADP requires data controllers to report breaches to the FDPIC 'as soon as possible'. There is no statutory number of hours, but this is not open-ended: the FDPIC expects notification within a few days once a high risk has been identified, and you should be able to justify the time taken for triage and risk assessment.
Do we have to report every breach to the FDPIC?
No. Article 24 specifies that notification is only required if the data security breach is 'likely to lead to a high risk to the personality or fundamental rights of the data subject'. This is a higher threshold than the EU GDPR (which requires reporting for any 'risk', not just 'high risk').
When must we notify the affected individuals in Switzerland?
Under Article 24(4), you must inform the affected data subjects 'if it is necessary for their protection' or 'if the FDPIC so requests'. The FDPIC can therefore legally require you to inform the affected individuals even where you had concluded it was not necessary.
We are a processor. What is our obligation during a breach?
Article 24(3) strictly requires the processor to notify the data controller 'as soon as possible' after discovering a breach. The processor does not directly notify the FDPIC; that burden lies solely with the controller.
Can executives be personally fined for a data breach?
The occurrence of a cyber-attack itself does not automatically trigger personal fines, and failing to notify a breach under Article 24 is not in itself one of the offences listed in Articles 60 and 61. However, under Article 61(c), an individual who willfully fails to comply with the minimum data security requirements can face personal criminal fines of up to CHF 250,000, and providing false information to the FDPIC during its investigation is an offence under Article 60. Note also that under Article 24(6) a breach notification may only be used in criminal proceedings against the notifying person with that person's consent. Neglecting to manage the breach properly invites exactly the scrutiny that uncovers such violations.
What constitutes a 'breach of data security'?
The revFADP defines it (Article 5) as a breach of security that leads to the accidental or unlawful loss, deletion, destruction or modification of personal data, or to its unauthorized disclosure or access. This covers everything from a malicious ransomware attack to an employee accidentally emailing a client list to the wrong recipient.
Should we involve the police if we are hacked?
In the case of criminal cyber-attacks (e.g., ransomware), involving cantonal or federal cyber police is often necessary and recommended. Our legal team coordinates these communications to ensure they align with your FDPIC notifications.
Can the FDPIC issue fines?
The FDPIC conducts investigations and issues binding administrative orders, but they do not directly issue the CHF 250,000 criminal fines. If they detect willful violations of the revFADP, they report the individuals to the cantonal prosecution authorities, who enforce the criminal fines.
Don't Navigate a Crisis Alone
Whether you are facing an active data breach or want to build a preventative response playbook, our senior Swiss legal team is ready to defend your organization.
Disclaimer: This content is for informational purposes only and does not constitute legal advice or create a solicitor-client relationship. Data protection regulations, including the revFADP (DSG), are subject to change and specific application depends heavily on the context of your processing activities. Please consult directly with our legal team for advice tailored to your organization.