revFADP Article 22

Swiss Privacy Risk Assessments (DPIA)

Navigate Article 22 of the revised Swiss FADP. Our senior legal counsel conducts exhaustive Data Protection Impact Assessments (DPIAs) to secure your high-risk technologies before deployment, protecting your operations and your executives.


Proactive Risk Mitigation under the revFADP

The revised Swiss Federal Act on Data Protection (revFADP) shifts compliance from retroactive defense to proactive engineering. Article 7 demands Data Protection by Design and by Default. The primary mechanism to prove you have adhered to this principle is the Data Protection Impact Assessment (DPIA).

A DPIA is not merely a legal hurdle; it is a structural project management tool. It forces organizations to map exactly how personal data flows through a new system, identify where that data is vulnerable, and legally justify the proportionality of the entire operation before code is committed or contracts are signed.

The Threshold: When is a Swiss DPIA Mandatory?

Article 22(1) explicitly mandates a DPIA where a planned processing activity is "likely to lead to a high risk to the personality or fundamental rights of the data subject." The law highlights two specific absolute triggers:

  1. Processing of extensive amounts of sensitive personal data (e.g., health data, biometric templates, religious beliefs).
  2. Systematic monitoring of extensive public areas.

Additionally, deploying innovative technologies (like AI, machine learning, or automated decision-making engines) inherently elevates risk and frequently triggers the DPIA requirement under FDPIC interpretive guidelines.

Applicable Legal Framework

Statutory Mandates (revFADP / DSG)

  • Article 22: Data protection impact assessment
    Requires controllers to carry out an assessment prior to processing if high risk is likely. Specifies the assessment must contain a description of operations, risk assessment, and planned mitigation measures.
  • Article 23: Prior consultation of the FDPIC
    If the DPIA indicates a high risk that the controller cannot mitigate, the controller must consult the FDPIC before processing.
  • Article 23(4): Exemption from Consultation
    Private controllers are exempt from consulting the FDPIC if they have consulted their designated Data Protection Advisor (Article 10).

Our DPIA Execution Process

Our senior Swiss legal team executes DPIAs strictly following the FDPIC's expectations, ensuring that if you are ever audited, your documentation is unimpeachable.

  1. Threshold Analysis
     We assess whether a formal DPIA is legally required under Article 22, documenting the decision to protect against future audits.
  2. Systematic Description & Proportionality
     We map the exact data flows and legally justify the processing against Article 6 (Principles), ensuring data minimization and transparency.
  3. Risk Quantification to Personality Rights
     We assess the likelihood and severity of harm to Swiss data subjects, specifically focusing on the Swiss civil law concept of "personality rights".
  4. Mitigation Architecture & Sign-off
     We prescribe technical and legal safeguards to reduce residual risk, and provide formal Data Protection Advisor advice (where one is appointed) so that the Article 23(4) exemption from FDPIC consultation can be relied upon.

Deploying New AI or Tracking Tech in Switzerland?

Launching without a DPIA is a direct violation of Article 22. Let our senior lawyers structure your risk assessment to ensure uninterrupted deployment.


Who Needs Swiss Privacy Risk Assessments?

While any organization might trigger the need for a DPIA, DPIAs are a near-constant requirement in specific high-growth sectors:

  • AI & Machine Learning Developers: Scraping data, training models, or deploying automated decision-making systems (Article 21).
  • HealthTech & MedTech: Processing massive volumes of highly sensitive health or genetic data.
  • FinTech & InsurTech: Deploying extensive profiling algorithms for credit scoring or risk assessment.
  • HR & Workforce Management: Implementing employee monitoring software, CCTV, or biometric access controls.

Enforcement Risks & FDPIC Scrutiny

The FDPIC does not view the DPIA as a 'tick-box' exercise. A frequent enforcement trigger is the discovery that an organization launched a highly invasive technology without a DPIA, or with a generic DPIA that superficially dismissed the risks.

Under the revFADP, failure to adhere to the core principles (which a DPIA is designed to protect) and willful failure to provide required information can expose corporate directors to the CHF 250,000 personal criminal liability framework. A robust, documented DPIA is your primary defensive shield against accusations of willful negligence.

Frequently Asked Questions

Understanding the legal thresholds for Swiss DPIAs.

What is a DPIA under the revised Swiss FADP?

Under Article 22 of the revFADP, a Data Protection Impact Assessment (DPIA) is a mandatory prior risk assessment. It must be conducted when a planned processing activity is likely to lead to a high risk to the personality or fundamental rights of the data subject.

What constitutes a 'high risk' requiring a DPIA in Switzerland?

Article 22(2) explicitly states that high risk is present when processing extensive amounts of sensitive personal data (e.g., health, biometric, or religious data), or when systematically monitoring extensive public areas.

Can we launch our product without a DPIA?

If your processing meets the high-risk threshold, launching without a DPIA violates Article 22. This demonstrates a willful disregard for Data Protection by Design (Art. 7) and can trigger investigations by the FDPIC and potential personal criminal liability (Art. 60).

What must a Swiss DPIA document contain?

According to Article 22(3), the DPIA must include: a description of the planned processing, an evaluation of the risks to the personality or fundamental rights of the data subjects, and the measures planned to protect those rights.

When do we have to consult the FDPIC regarding a DPIA?

Under Article 23(1), if your DPIA concludes that the processing will still result in a high risk despite your planned security measures, you must consult the FDPIC before launching the processing.

Is there an exemption from consulting the FDPIC?

Yes. Article 23(4) provides a critical exemption: you do not need to consult the FDPIC if you have formally appointed a Data Protection Advisor (DPA) under Article 10, and you have consulted them instead.

Are there exemptions from conducting the DPIA entirely?

Yes. Under Article 22(4), private controllers are exempt if a legal obligation requires the processing, or if they use a system/product that has been certified under Article 13 of the revFADP.

How does a Swiss DPIA differ from a GDPR DPIA?

They are conceptually very similar. However, the Swiss DPIA focuses explicitly on 'personality rights' (a core concept of Swiss civil law). Additionally, the ability to bypass regulatory consultation by utilizing an internal Data Protection Advisor is a unique, highly advantageous feature of the Swiss law.

De-Risk Your Innovation in Switzerland

Do not let a lack of documentation stall your product launch or expose your executives. Engage our senior data protection lawyers to conduct your DPIAs thoroughly and efficiently.


Disclaimer: This content is for informational purposes only and does not constitute legal advice or create a solicitor-client relationship. Data protection regulations, including the revFADP (DSG), are subject to change and specific application depends heavily on the context of your processing activities. Please consult directly with our legal team for advice tailored to your organization.