Privacy Documentation
& Swiss FADP Policies
Bespoke legal drafting for outward transparency and internal accountability. Our senior Swiss lawyers craft defensible Privacy Notices (Datenschutzerklärung), rigorous DPAs, and comprehensive internal playbooks to withstand FDPIC scrutiny and shield executives from personal liability.
The Architecture of Transparency
Documentation is the physical manifestation of compliance. The Federal Data Protection and Information Commissioner (FDPIC) relies heavily on a company's documentation to determine administrative negligence. The first thing a regulator, a sophisticated B2B client, or a cantonal prosecutor asks for is your privacy documentation.
Under the revised Swiss Federal Act on Data Protection (revFADP), you have two primary documentation vectors: External Transparency (Privacy Notices, Consent forms) which tell the public what you are doing, and Internal Accountability (Article 12 RoPAs, Retention Schedules, DSAR playbooks, DPAs) which prove that your internal operations match your public claims.
Avoiding the "Cut and Paste" Criminal Liability
A widespread and highly penalized error is downloading an EU GDPR "Privacy Policy Template" and assuming it covers Switzerland. The revFADP’s transparency requirements under Article 19 have specific "Swiss finishes."
Crucially, if your privacy notice claims you do not share data with third parties, but your marketing team has integrated tracking pixels on your website, your notice is legally deceptive. Under the old law, this was a civil matter. Under the revFADP, willfully providing false or incomplete information under Article 19 triggers Article 60—a personal criminal offense punishable by a fine of up to CHF 250,000 against the responsible director or executive. Accuracy is now a strict liability requirement.
Applicable Legal Framework
Statutory Mandates (revFADP / DSG)
- Article 19: Duty to provide information
Mandates the specific information that must be supplied to a data subject, including the identity of the controller, processing purposes, recipients, and international transfer safeguards. - Article 9: Assignment of data processing to a processor
Mandates that outsourcing processing must be governed by an agreement ensuring the processor only acts within the controller's permissions (requiring a strict DPA). - Article 12: Register of processing activities (RoPA)
Requires the maintenance of an internal, comprehensive legal inventory mapping all data flows and retention periods. - Article 60: Criminal Provisions
Willful violation of the duty to provide information (Article 19) is punishable by personal fines up to CHF 250,000.
Our Drafting Portfolio
Our senior Swiss lawyers do not use generic templates. Every document is bespoke, drafted after a thorough analysis of your actual processing operations (your RoPA) to ensure absolute alignment and prevent Article 60 liabilities.
Public-Facing Transparency (Datenschutzerklärung)
We draft multi-layered Privacy Notices (Customer, Employee, Applicant) that specifically address FDPIC requirements, including explicit cross-border transfer disclosures.
Commercial Supply Chain (DPAs)
We draft and negotiate Article 9 Data Processing Agreements, securing your liability when utilizing third-party vendors or SaaS tools both domestically and abroad.
Internal Operational Playbooks
We build step-by-step Data Subject Access Request (DSAR) procedures and Data Breach Response manuals, ensuring your staff operates lawfully during a crisis.
Article 12 RoPA Construction
We forensically map your data landscape, constructing the mandatory internal register that serves as the factual bedrock for all your outward-facing claims.
Are Your Directors Exposed?
Inaccurate or incomplete privacy documentation under the revFADP carries personal criminal liability. Let our Swiss legal team secure your policy architecture today.
Request Document ReviewWho Needs Custom Legal Drafting?
While all entities processing data require basic documentation, bespoke drafting is business-critical for:
- B2B Software/SaaS Providers: Your clients' procurement and legal teams will scrutinize your Article 9 DPA before signing a contract. A weak DPA loses enterprise deals.
- Healthcare & MedTech: Handling highly sensitive data requires highly specific, layered privacy notices explaining complex medical processing in plain language.
- Employers: Collecting sensitive applicant data, monitoring staff productivity, or managing payroll requires dedicated internal Employee Privacy Notices (distinct from customer-facing policies) to comply with Swiss employment law.
Enforcement Focus: The Cost of Inaccuracy
The FDPIC actively audits public-facing documentation. If a consumer lodges a complaint because they discovered their data was transferred to a US server without it being explicitly listed in your privacy notice (as mandated by Art. 19), the FDPIC must investigate.
If the investigation reveals that the omission was willful (e.g., the marketing team knew about the tracker but the legal team did not update the notice), the case is referred to cantonal prosecutors under Article 60. Your privacy documentation is no longer just a legal formality; it is a sworn public statement of fact.
Frequently Asked Questions
Clarifying Swiss legal documentation requirements.
Can we just use our EU GDPR Privacy Notice in Switzerland?
No. While the principles are similar, the revFADP requires specific 'Swiss finishes'. Your notice must explicitly mention the Federal Data Protection and Information Commissioner (FDPIC) rather than an EU authority, list all countries where data is transferred, and reference Swiss legal bases where applicable.
What must a Swiss Privacy Notice contain under Article 19?
Article 19 revFADP mandates you disclose: the identity and contact details of the controller, the purpose of processing, the categories of recipients, and the countries to which data is transferred along with the specific safeguards (e.g., SCCs) relied upon for those transfers.
Do we need a Data Processing Agreement (DPA) under Swiss law?
Yes. Article 9 allows processing to be assigned to a processor by agreement or law, provided the processor only processes data as the controller is permitted to do, and no statutory/contractual secrecy duties prohibit it. A formal, written DPA is required to secure this chain of liability.
What happens if our Privacy Notice is inaccurate?
This is one of the highest risks under the revFADP. Under Article 60, anyone who willfully provides false or incomplete information under Article 19 can face a personal criminal fine of up to CHF 250,000. Accuracy is a strict legal requirement, not a marketing exercise.
Do we need an internal Data Inventory (RoPA)?
Yes. Article 12 mandates a Register of Processing Activities (RoPA). Companies with fewer than 250 employees are exempt, unless they carry out processing that poses a high risk to the personality of data subjects, which nullifies the exemption for many tech and healthcare SMEs.
What are Data Subject Rights (DSRs) under the revFADP?
Data subjects have the right to access their data (Art. 25), have incorrect data rectified (Art. 32), and request data portability (Art. 28). Organizations must have documented internal procedures to fulfill these requests within the 30-day statutory limit.
Should we translate our privacy documents into Swiss national languages?
If you are actively targeting the Swiss market, it is highly recommended to provide your Privacy Notice in German, French, and Italian. If you process data of employees in Switzerland, employment law and transparency principles heavily favor providing documentation in the local language of the workplace.
What is the penalty for failing to provide a Privacy Notice?
Willfully failing to provide the information required under Article 19 (i.e., operating completely without a privacy notice or deliberately hiding data collection practices) is a criminal offense under Article 60, punishable by personal fines up to CHF 250,000.
Upgrade Your Privacy Architecture
Replace risky, generic templates with bespoke, rigorously drafted documentation that proves accountability and protects your executives from Article 60 fines.
Draft New DocumentationDisclaimer: This content is for informational purposes only and does not constitute legal advice or create a solicitor-client relationship. Data protection regulations, including the revFADP (DSG), are subject to change and specific application depends heavily on the context of your processing activities. Please consult directly with our legal team for advice tailored to your organization.