
Swiss Federal Act on Data Protection

Guide to the revised Swiss Federal Act on Data Protection (revFADP) effective September 2023.

Apidly Team, February 19, 2026
Tags: switzerland, fadp, privacy

Overview

The Swiss Federal Act on Data Protection (FADP), revised and effective September 1, 2023, is Switzerland's primary data protection legislation. The revised FADP (revFADP) replaces the original 1992 law and brings Swiss data protection standards closer to the European Union's GDPR while maintaining a distinctly Swiss approach to privacy regulation.

The revision was driven by the need to maintain Switzerland's adequacy status with the European Commission, ensuring that personal data can continue to flow freely between the EU and Switzerland. The revFADP introduces stricter transparency requirements, expanded individual rights, and stronger enforcement mechanisms.

Who Does It Apply To?

The revFADP applies to:

  • Any private person or federal body that processes personal data of individuals in Switzerland
  • Organizations outside Switzerland whose data processing activities have effects in Switzerland
  • Both data controllers and data processors, with specific obligations for each role
  • Processing of personal data of natural persons only (the previous law also covered legal entities)

Unlike GDPR, the revFADP does not distinguish between controllers and processors using those specific terms. Instead, it uses "controller" for those determining the purpose and means of processing, and "processor" for those processing data on behalf of a controller.

Key Requirements

Data Processing Principles

The revFADP establishes core principles for lawful data processing:

  • Lawfulness: Processing must comply with the law and be carried out in good faith
  • Proportionality: Only data that is necessary and suitable for the stated purpose may be processed
  • Purpose limitation: Data may only be collected for a specific purpose that is apparent to the data subject
  • Accuracy: Data must be accurate, and reasonable steps must be taken to correct or delete inaccurate data
  • Storage limitation: Data must be destroyed or anonymized as soon as it is no longer needed for the processing purpose

Privacy by Design and Default

Organizations must implement technical and organizational measures to ensure data protection from the design stage. Default settings must be configured to process only the minimum amount of personal data necessary for the intended purpose.

Data Protection Impact Assessments

A Data Protection Impact Assessment (DPIA) is required when processing is likely to result in a high risk to the personality or fundamental rights of data subjects. This includes large-scale processing of sensitive data and systematic monitoring of public areas.

Data Breach Notification

Controllers must notify the Federal Data Protection and Information Commissioner (FDPIC) as quickly as possible when a data breach is likely to result in a high risk to the personality or fundamental rights of the data subjects. Affected individuals must also be notified when necessary for their protection.

Cross-Border Data Transfers

Personal data may only be transferred abroad if the recipient country ensures adequate protection. The Federal Council maintains a list of countries with adequate protection. For countries without adequacy, appropriate safeguards such as standard contractual clauses or binding corporate rules must be in place.

Individual Rights

The revFADP grants individuals the following rights:

  • Right to information: Individuals can request comprehensive information about the processing of their personal data, including the purpose, categories of data, recipients, and retention period
  • Right to data portability: Individuals can request their personal data in a commonly used electronic format or have it transferred to another controller
  • Right to object: Individuals can object to data processing and request deletion of their data
  • Right not to be subject to automated decisions: Individuals must be informed when decisions are made exclusively through automated processing and can request human review

Enforcement and Penalties

The Federal Data Protection and Information Commissioner (FDPIC) oversees compliance with the revFADP:

  • Criminal penalties: Individuals responsible for violations (not organizations) can face fines of up to CHF 250,000 (approximately $280,000 USD). This personal liability approach is unique among modern data protection laws.
  • Willful violations: Intentional violations of information, disclosure, and cooperation obligations, as well as breaches of professional secrecy and violations of data transfer rules, are subject to criminal penalties
  • FDPIC powers: The FDPIC can open investigations, issue recommendations, and order specific measures. The revised law grants stronger investigative and enforcement powers than the previous version.
  • Administrative investigations: The FDPIC can investigate organizations on its own initiative or based on complaints

The personal criminal liability model means that data protection officers, executives, and board members bear direct responsibility for compliance, creating strong incentives for organizational accountability.

How Apidly Helps

Apidly provides comprehensive support for revFADP compliance:

  • Swiss-specific compliance mapping aligns your data processing activities with the revFADP's principles and identifies obligations specific to Swiss law as distinct from GDPR
  • Data Protection Impact Assessment workflows guide you through the required DPIA process and help determine when an assessment is necessary
  • Cross-border transfer management checks recipient countries against the Federal Council's adequacy list and helps you implement appropriate safeguards for transfers to non-adequate jurisdictions
  • Breach notification tools streamline reporting to the FDPIC and manage notification to affected individuals when required
  • Individual rights request handling processes information, portability, and deletion requests in compliance with revFADP timelines and requirements