Swiss Privacy Laws: Complying with the Revised FADP and Understanding Your GDPR Obligations
Jon Pertwee · CIPP/E · September 2023 (revised 2026)
On 1 September 2023, Switzerland’s revised Federal Act on Data Protection came into force. The revDSG — or FADP in English — modernises Swiss data protection law significantly, strengthening individual rights, tightening obligations on organisations, and introducing something that many Swiss businesses were not expecting: personal liability for the individuals who make decisions about personal data.
For organisations operating in Switzerland, the revised FADP raises pressing practical questions. What exactly has changed? Does the EU’s GDPR also apply? And what does compliance actually require? This post works through each of those questions.
What the Revised FADP Requires
The FADP protects the personal data of natural persons and imposes several obligations on organisations that process it:
- Transparency: Organisations must clearly inform individuals about what data is collected, for what purpose, and how it is processed. Privacy notices need to be intelligible, not buried in legal boilerplate.
- Individual rights: Organisations must respond to requests for access, correction, deletion, and — in certain cases — data portability. Response timelines are defined and enforceable.
- Risk management: High-risk processing activities must be assessed and documented. Where required, a Data Protection Impact Assessment (DPIA) must be conducted before processing begins.
- Breach notification: Serious data breaches must be reported to the Federal Data Protection and Information Commissioner (FDPIC) as quickly as possible. Unlike GDPR’s 72-hour window, the FADP specifies reporting ‘without delay’ — but the expectation is similarly urgent.
- Cross-border transfers: Transfers of personal data outside Switzerland must meet Swiss adequacy standards or be covered by appropriate safeguards such as standard contractual clauses.
Why Compliance Is a Personal Matter
The feature of the revised FADP that tends to get the most attention — and which organisations have been slowest to internalise — is personal liability.
Under the revised law, fines of up to CHF 250,000 are directed at the individuals responsible for unlawful processing, not at the company. Directors, managers, and employees who make decisions about how personal data is handled can be held personally liable if those decisions violate the law.
This is structurally different from GDPR, where fines are levied against the organisation itself. Under the FADP, a company cannot simply absorb a regulatory fine and continue. The person who made the decision — who approved the data sharing arrangement, who signed off on the retention policy, who authorised the marketing campaign — is the one at legal risk.
In practice, this means that data protection is not something that can be delegated entirely to a legal or compliance team and forgotten about. Anyone in an organisation who makes meaningful decisions about personal data needs to understand what those decisions require of them under the FADP.
Does the GDPR Apply to Swiss Organisations?
Potentially yes, and for more Swiss organisations than is often assumed.
The GDPR applies to Swiss organisations that:
- Offer goods or services to individuals located in the EU or EEA — even if no payment is involved, and even if the organisation has no physical presence in the EU; or
- Monitor the behaviour of individuals in the EU — for example through web analytics, tracking pixels, or behavioural advertising.
If either condition applies, the organisation must comply with both the revised FADP and the GDPR simultaneously. The two frameworks are aligned in many respects, but not identical, and the areas of difference matter.
The most significant practical differences are: GDPR requires a documented lawful basis for every processing activity; the FADP does not (though processing must not unlawfully infringe personality rights). GDPR fines are directed at the organisation and can reach 4% of global annual turnover or €20 million — substantially higher than the FADP’s individual-directed CHF 250,000. And GDPR mandates the appointment of a Data Protection Officer in certain circumstances where the FADP treats this as optional.
Key Differences at a Glance
| | Revised FADP | GDPR |
|---|---|---|
| Lawful basis | Not required — but processing must not unlawfully infringe personality rights | Required for every processing activity |
| Fines | Up to CHF 250,000 — directed at responsible individuals | Up to 4% of global turnover or €20M — directed at the organisation |
| Data Protection Officer | Optional | Mandatory in certain circumstances |
| Transparency requirements | Clear but less prescriptive | Detailed and prescriptive |
| Breach notification | ‘Without delay’ to the FDPIC | Within 72 hours to the supervisory authority |
What Compliance Actually Looks Like
The organisations that struggle most with data protection compliance are usually not those that actively resist it — they are those that have never clearly assigned ownership of it. Strong compliance begins with a simple question: who in this organisation is responsible for data protection decisions, and do they know what that responsibility entails?
From that foundation, practical compliance involves:
- Mapping what personal data the organisation holds, where it came from, where it goes, and what it is used for — a record of processing activities
- Reviewing external-facing privacy notices and internal policies for accuracy and completeness
- Establishing a clear process for responding to individual rights requests within the required timeframe
- Identifying any high-risk processing activities that require a DPIA before they continue
- Implementing a breach detection and notification procedure that can operate under time pressure
- Reviewing any cross-border data transfers for adequacy or appropriate safeguards
For organisations subject to both the FADP and the GDPR, the compliance work is broadly the same — but the GDPR’s additional requirements (lawful basis documentation, stricter transparency obligations, DPO appointment where mandated) need to be layered on top.
A Note on Where I Come In
I hold the CIPP/E certification (Certified Information Privacy Professional / Europe) and am based in Switzerland. Privacy compliance work (FADP gap assessments, policy development, GDPR applicability reviews, breach response frameworks) arises naturally in my practice alongside disaster recovery, information security management, and IT risk work, since the obligations frequently overlap.
If you have questions about how the revised FADP applies to your organisation, or whether you have GDPR obligations you have not yet addressed, feel free to get in touch.