Swiss Data Protection & GDPR

How to Comply with the Revised FADP and Understand GDPR Obligations

Learn how Swiss companies can comply with Switzerland’s revised Federal Act on Data Protection (FADP 2023) and determine when the EU’s GDPR applies. Protect your business and avoid personal liability.


On 1 September 2023, Switzerland’s revised Federal Act on Data Protection (FADP) came into force. This modernised law strengthens privacy rights and aligns closely with the European Union’s General Data Protection Regulation (GDPR).

For many Swiss companies, this raises pressing questions: what exactly has changed in the FADP, does the GDPR apply to us too, and how can we avoid legal and reputational risk? Importantly, under the revised FADP, liability is not only corporate – individuals making decisions about personal data can face fines.


What the Revised FADP Requires

The FADP protects the personal data of natural persons and imposes several obligations on businesses:

    • Transparency: Clearly inform individuals about what you do with their data and why.

    • Individual rights: Respond promptly to requests for access, correction, deletion, and (in certain cases) data portability.

    • Risk management: Assess and document high-risk processing and conduct impact assessments where required.

    • Breach notification: Report data security breaches to the Federal Data Protection and Information Commissioner (FDPIC) as soon as possible where the breach is likely to result in a high risk to the affected individuals, and inform those individuals where this is necessary for their protection or the FDPIC requires it.

    • Cross-border data transfers: Transfer data abroad only to countries the Federal Council has recognised as providing adequate protection, or put appropriate safeguards in place (for example, standard contractual clauses recognised by the FDPIC).


Why Compliance Matters Personally

A distinctive feature of the revised FADP is that fines of up to CHF 250,000 are imposed on the responsible natural persons rather than on the company. Directors, managers or employees who decide how personal data is handled can be held personally liable, primarily for intentional breaches of specific duties such as the information and access obligations, the minimum data security requirements and the rules on cross-border transfers. Only where identifying the responsible individual would require disproportionate effort can the company be ordered to pay a fine in its place, capped at CHF 50,000.

This makes compliance not just a corporate obligation but a personal duty. When data protection is neglected, it is not only the business that suffers – those in charge may face direct legal consequences.


Does the GDPR Also Apply to Swiss Companies?

The GDPR can apply to Swiss organisations in addition to the revised FADP if they:

    • Offer goods or services to individuals located in the EU/EEA, or

    • Monitor the behaviour of individuals in the GDPR jurisdiction (for example, through web tracking).

If either condition applies, your organisation must comply with both the revised FADP and the GDPR. While similar in many respects, the GDPR has stricter transparency requirements, far higher potential fines (up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher), in some cases mandates the appointment of a Data Protection Officer, and generally requires a controller established outside the EU/EEA to designate a representative within the EU.


Key Differences Between the Revised FADP and the GDPR

    • Legal basis: The GDPR requires a lawful basis for each processing activity. The revised FADP does not, but processing must not infringe upon personality rights unlawfully.

    • Fines: The FADP fines the natural persons responsible (up to CHF 250,000); the GDPR fines the organisation itself, with much higher amounts possible (up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher).

    • Obligations: GDPR requires more detailed transparency and record-keeping; the revised FADP is less prescriptive but still demands clear documentation and breach reporting.

    • Data Protection Officer: Mandatory in some instances under GDPR; optional under the revised FADP.


Building a Culture of Compliance

Strong data protection safeguards both your organisation and you personally. It builds trust with customers and employees and reduces legal and reputational risk. Key steps include:

    • Assigning clear responsibilities for data protection.

    • Training managers and staff on their duties and personal exposure.

    • Implementing practical internal controls, policies and breach procedures.


How We Help Swiss Companies Align with the Revised FADP and GDPR

We offer services tailored to your size and sector:

    1. Gap assessments: Review your policies and practices against the revised FADP and, where relevant, the GDPR.
    2. Policy and process development: Draft or update privacy policies, notices and internal procedures.
    3. Training and awareness: Equip staff and decision-makers with the knowledge to avoid personal and corporate liability.
    4. Incident readiness: Establish breach response and reporting frameworks.
    5. Cross-border compliance: Advise on GDPR applicability and international data transfer requirements.

Conclusion and Call to Action

Switzerland’s revised FADP has raised the stakes for data protection. Compliance is no longer just a corporate issue; it carries personal consequences for those making decisions about data.

To ensure your organisation complies with the revised FADP and understand whether the GDPR applies to your business, please contact us today. We can help you protect your business and yourself.