FADP / nDSG Compliance Software for Swiss Businesses
Switzerland's revised data protection law (nDSG / FADP / LPD) is in force. ComplyOne is the only EU compliance platform hosted in Switzerland — purpose-built for Swiss SMBs navigating both FADP and GDPR.
Your data stays in Switzerland
ComplyOne's infrastructure is hosted in Swiss data centres — not on US-based cloud platforms subject to the CLOUD Act. This matters for FADP compliance, where cross-border data transfers to third countries require appropriate safeguards. Our Swiss hosting means no additional transfer mechanism is needed for data processed within ComplyOne.
What the FADP Requires
Privacy Notices
Individuals must be informed when their data is collected — including the purpose, legal basis, and who receives it. FADP notices must be Swiss-law compliant, not just GDPR copy-pastes.
Breach Notification
Data breaches that pose a high risk must be reported to the FDPIC 'as quickly as possible'. Unlike GDPR, there is no fixed 72-hour deadline — but delay is not recommended.
Data Subject Rights
Right of access, correction, deletion, and objection. Swiss residents can request their data at any time. You need processes to respond within 30 days.
Data Protection Impact Assessments
Required before processing that could lead to a high risk to the privacy or fundamental rights of individuals — similar to GDPR DPIAs.
Profiling Rules
The FADP introduces specific rules for profiling — particularly 'high-risk profiling' which requires explicit consent. Stricter than GDPR in some respects.
Cross-Border Transfers
Transfers to countries without adequate protection require additional safeguards (SCCs or equivalent). Switzerland maintains its own adequacy list, distinct from the EU's.
The FADP Targets Individuals, Not Companies
Unlike GDPR, where fines are levied against the organisation, the FADP imposes penalties of up to CHF 250,000 on responsible individuals — including directors, executives, and employees who wilfully violate the law.
This means personal liability is real. If a data breach occurs due to negligence and the responsible person is identified, they — not just the company — face prosecution and fines.
ComplyOne assigns ownership of compliance tasks to specific team members, creating a clear audit trail that demonstrates due diligence.
How to Approach FADP Compliance: First Steps
Most Swiss businesses can reach a solid FADP compliance baseline in 6–10 weeks by following a structured approach.
Confirm you are in scope
The FADP applies to any company that processes personal data of individuals located in Switzerland — regardless of where your business is based. If you have Swiss customers, employees, or business partners, you are almost certainly in scope.
Audit your data inventory
Map every category of personal data you collect: what it is, where it is stored, who can access it, and how long you keep it. The FADP requires a processing register (Bearbeitungsverzeichnis) for certain higher-risk activities — even if not formally mandatory for all companies, it is essential for demonstrating compliance.
Update your privacy notices
FADP-compliant privacy notices must inform individuals about data collection, purpose, legal basis, and international transfers. EU GDPR notices are not automatically sufficient — Swiss-specific requirements apply, including your legal basis under Swiss law and information about the FDPIC as supervisory authority.
Prepare your breach response process
You must notify the FDPIC 'as quickly as possible' after a breach that poses a high risk to individuals. Build an internal incident response procedure before you need it — including who decides whether a breach is notifiable, and how to notify the FDPIC and affected individuals.
Assign individual accountability
The FADP targets responsible individuals with fines up to CHF 250,000 — not just the company. Clearly document who is responsible for each data protection decision. Consider appointing a Data Protection Advisor (voluntary but strongly recommended) and keep records of key decisions to build an audit trail.
Are you FADP compliant?
Free compliance check for Swiss companies. See your FADP and GDPR gaps side by side in 5 minutes.
FADP / nDSG FAQ
What is the FADP (nDSG)?
The Federal Act on Data Protection (Datenschutzgesetz / nDSG / LPD) is Switzerland's data protection law, revised and in force since September 1, 2023. It modernises Swiss privacy law to align with GDPR principles while maintaining Swiss-specific rules, most notably that fines apply to individuals, not organisations.
Does the FADP apply to my company?
The FADP applies to any private person or company that processes personal data about individuals located in Switzerland — regardless of where your company is based. If you handle data of Swiss residents, you must comply.
What are the fines for FADP violations?
Up to CHF 250,000 per individual (not the company). This is a key distinction from GDPR: the FADP targets responsible individuals — executives, data protection officers, or employees who deliberately violate the law. Criminal prosecution is possible for wilful breaches.
How is the FADP different from GDPR?
The FADP is closely modelled on the GDPR but has important Swiss-specific rules: fines apply to individuals, not companies; there is no strict requirement to appoint a DPO (though one is strongly recommended); and there are specific rules around profiling and high-risk data processing that differ from GDPR. If you comply with GDPR, you're mostly there — but gaps remain.
We already comply with GDPR. Are we FADP compliant?
You're close but not fully covered. The FADP has specific requirements around individual liability, data breach notification to the FDPIC (Federal Data Protection and Information Commissioner), privacy notices, and data transfer rules that need to be verified against Swiss law specifically. ComplyOne identifies exactly which gaps remain.
What is the FDPIC?
The Federal Data Protection and Information Commissioner is Switzerland's supervisory authority for data protection. Unlike EU data protection authorities, the FDPIC currently has limited direct sanctioning powers — enforcement is primarily through criminal proceedings and reputational pressure.
Does the FADP require a Data Protection Officer?
Unlike GDPR, the FADP does not formally require a Data Protection Officer (DPO). However, companies that process particularly sensitive data or conduct high-risk profiling are strongly advised to appoint a Data Protection Advisor (Datenschutzberater). The role is voluntary — but having one demonstrates good governance, may reduce individual liability risk, and is increasingly expected by Swiss enterprise customers and public sector bodies.
How does the FADP handle profiling differently from GDPR?
The FADP introduces specific rules for 'high-risk profiling' — defined as automated processing that carries a significant risk to the personality or fundamental rights of individuals. High-risk profiling generally requires explicit consent and individuals have a right to object. This is stricter than GDPR in some respects, particularly for automated decision-making that produces significant effects on individuals without human review.