
10 Things to Do for Swiss FADP Compliance

2026-06-10 · 7 min read

Switzerland's revised Federal Act on Data Protection (revFADP) came into force on 1 September 2023. It significantly strengthened Swiss data protection law — aligning it more closely with GDPR while introducing some important differences, including personal criminal liability for responsible individuals.

The Swiss Federal Data Protection and Information Commissioner (FDPIC) is actively monitoring compliance. The law applies to any organisation that processes personal data of people in Switzerland, regardless of where the organisation is based. Here is what you need to do.

1. Map all personal data processing activities involving Swiss residents

The FADP applies based on the location of the data subject, not the location of the company. If you collect, process, or store personal data of people in Switzerland — customers, employees, website visitors — the law applies to you.

Start with a complete inventory of what personal data you process about Swiss residents. Where does it come from? Where is it stored? Who has access to it? How long do you keep it? This mapping is the foundation of everything else.

2. Create a Register of Processing Activities

Unlike GDPR, which exempts smaller organisations from mandatory record-keeping in most cases, the FADP requires a Register of Processing Activities for any organisation whose processing carries particular risk — which includes processing of sensitive personal data, large-scale profiling, or systematic monitoring.

If your processing falls into any of these categories, the register is mandatory regardless of company size. It must document each processing activity, the categories of data involved, the purpose, the legal basis, data recipients, retention periods, and data transfers abroad.

3. Review your privacy policy against FADP requirements

A privacy policy that satisfies GDPR is often not sufficient for FADP compliance. The Swiss law has its own specific transparency requirements, and the differences matter.

Your privacy policy must clearly explain: what personal data you collect and process, the purpose of the processing, the legal basis (where applicable), who you share data with and why, how long you retain data, whether you transfer data abroad and what safeguards apply, and what rights data subjects have under Swiss law. Review your existing policy specifically against FADP requirements — don't assume GDPR compliance carries over.

4. Identify every cross-border data transfer involving Swiss personal data

Transfers of Swiss personal data to countries outside Switzerland require adequate protection. Switzerland maintains its own list of countries with adequate data protection standards — this list does not automatically mirror the EU's adequacy decisions, and there are differences.

For transfers to countries not on Switzerland's adequacy list, you must implement specific safeguards. Standard Data Protection Clauses approved by the FDPIC are the most common mechanism. Review your data flows: where does Swiss personal data go? Which providers are outside Switzerland? What safeguards are in place?

5. Build a process for responding to data subject requests

Swiss residents have the right to access their personal data, have it corrected, have processing restricted, and — in some cases — have it deleted. They also have the right to data portability and to object to certain processing.

You must have a documented process for receiving, verifying, and responding to these requests. Assign a named responsible person. Establish the timelines (the FADP requires response within 30 days, extendable). Test the process with an internal test request. The most common enforcement trigger under data protection laws is failure to respond properly to access requests.

6. Conduct a Data Protection Impact Assessment for high-risk processing

A DPIA is required under the FADP before commencing any processing likely to result in a high risk to the personality or fundamental rights of the data subject. Triggers include: new technologies, large-scale processing of sensitive data, systematic monitoring, and profiling that produces legal or similarly significant effects.

If your DPIA identifies a residual high risk that cannot be adequately mitigated, you must consult the FDPIC before proceeding. Document the assessment, the risks identified, the mitigations implemented, and the conclusion.

7. Implement technical and organisational security measures

The FADP requires that personal data is protected by appropriate technical and organisational measures against unauthorised access, loss, destruction, or alteration. What is "appropriate" depends on the nature of the data and the risk.

Document what security measures you have in place: access controls, encryption, pseudonymisation, backup procedures, incident detection, staff access policies. The documentation itself is a compliance requirement — you must be able to demonstrate to the FDPIC what you have implemented and why it is proportionate to your risks.

8. Appoint a data protection advisor

Under the FADP, appointing a data protection advisor is voluntary — unlike the GDPR's mandatory Data Protection Officer for certain organisations. But the incentive structure makes the decision relatively straightforward: if you appoint an advisor and register them with the FDPIC, you are entitled to prior consultation with the FDPIC on processing that presents high risks, and the FDPIC will generally address complaints to the advisor first.

For organisations with large-scale or sensitive processing, appointing a data protection advisor significantly reduces regulatory exposure. The advisor does not need to be an employee — an external consultant can fulfil the role.

9. Review your employee data practices

The FADP has specific rules about processing personal data in the employment context. Workplace monitoring — surveillance of email, internet usage, location tracking — is subject to strict conditions. Automated decisions that have a significant impact on employees require specific protections. HR data processing must be transparent and proportionate.

Review your HR data practices specifically against FADP requirements. Employment contracts, HR policies, IT acceptable use policies, and staff monitoring practices may all need updating.

10. Understand the personal criminal liability provisions

This is the aspect of the FADP that most distinguishes it from GDPR. Under the FADP, the individual responsible for the violation can be personally fined — up to CHF 250,000 — in addition to any organisational liability. The prosecution is handled by cantonal authorities.

Violations that can trigger personal criminal liability include: intentional failure to inform data subjects, intentional provision of false information to the FDPIC, and intentional breach of professional confidentiality. The "responsible individual" is typically the person who made the relevant decision — which, for a small or medium business, is often the owner or a senior manager.

This is not a theoretical risk. The FDPIC has been actively engaged since the law entered force. Understand which decisions in your organisation carry personal liability exposure.

The FADP has been in force since September 2023. The FDPIC is actively monitoring compliance and has published enforcement priorities.

Knowing the 10 steps and having them documented, monitored, and auditable are two different things.


This article is for informational purposes only and does not constitute legal advice. For legal advice specific to your situation, consult a qualified attorney licensed in your jurisdiction.