The Revised FADP 2023, OPDo and FTA: Complete Guide to Data Protection in Switzerland

1. Introduction

The revised Federal Act on Data Protection (FADP) entered into force in Switzerland on September 1, 2023, marking a major transformation of the Swiss regulatory landscape regarding personal data protection. This revision, anticipated for several years, significantly modernizes the Swiss legal framework to align it with international standards, particularly the European Union’s General Data Protection Regulation (GDPR).

Accompanied by the Data Protection Ordinance (OPDo) and complemented by the Federal Transparency Act (FTA), this new legislation imposes enhanced obligations on companies and organizations processing personal data in Switzerland. One of the most striking aspects of this reform is the introduction of fines of up to CHF 250,000 for individuals responsible for intentional violations, a significant evolution compared to the previous regime.

This article provides an in-depth analysis of the requirements of FADP 2023, OPDo, and FTA, focusing particularly on the practical implications for businesses: cookie policies, mandatory legal information, web security measures, data hosting and transfer rules, as well as the sanctions regime. We also offer a compliance checklist to help you navigate this new regulatory framework.

2. The Revised FADP 2023: Legal Framework and Fundamental Principles

History and Evolution of Data Protection in Switzerland

Data protection in Switzerland has undergone significant evolution since the adoption of the first Federal Act on Data Protection in 1992. This pioneering law laid the foundations for personal data protection in the country, but after almost three decades of application, it needed modernization to address the challenges of the digital world.

The revision of the FADP takes place in an international context marked by the strengthening of data protection legislation, particularly with the entry into force of the GDPR in 2018. Switzerland, although not a member of the European Union, maintains close economic relations with the bloc and needed to ensure that its legal framework was recognized as “adequate” by the European Commission to facilitate cross-border data flows.

After several years of legislative work and consultations, the Swiss Parliament adopted the revised version of the FADP on September 25, 2020. The Federal Council then set its entry into force for September 1, 2023, giving organizations time to achieve compliance.

Scope of Application and Key Definitions

The revised FADP applies to the processing of personal data concerning natural persons by:

  • Private persons (companies, associations, etc.)
  • Federal bodies
  • Entities established in Switzerland or whose activities produce effects in Switzerland

The law defines personal data as any information relating to an identified or identifiable natural person. It also introduces the concept of profiling, defined as the automated evaluation of certain personal characteristics based on personal data, particularly to analyze or predict aspects concerning work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

Special attention is given to sensitive data, which includes data on religious, philosophical, or political opinions, health, racial or ethnic origin, sexual life, genetic and biometric data, as well as data on criminal prosecutions or administrative sanctions.

Fundamental Principles of the New Law

The revised FADP is based on several fundamental principles that should guide all personal data processing:

  1. Lawfulness: Processing must comply with the law and be based on a valid legal basis (consent, legitimate interest, legal obligation, etc.).
  2. Good faith and transparency: Data controllers must act transparently and clearly inform the data subjects.
  3. Purpose: Data may only be collected for specified and clearly communicated purposes.
  4. Proportionality: Only data necessary for the pursued purpose may be processed.
  5. Accuracy: Data must be accurate and, if necessary, updated.
  6. Storage limitation: Data should not be kept longer than necessary.
  7. Security: Appropriate technical and organizational measures must be implemented to protect the data.
  8. Accountability: The data controller must be able to demonstrate compliance with the above principles.

These principles, although similar to those of the GDPR, have nuances specific to the Swiss context and must be interpreted in light of the jurisprudence and guidelines of the Federal Data Protection and Information Commissioner (FDPIC).

3. OPDo: The Data Protection Ordinance

Role and Scope of the OPDo

The Data Protection Ordinance (OPDo) complements the revised FADP by specifying the modalities for applying the law. Adopted by the Federal Council on August 31, 2022, it entered into force simultaneously with the revised FADP on September 1, 2023.

The OPDo plays a crucial role in the Swiss regulatory ecosystem for data protection, as it provides essential technical and operational details for the practical implementation of the principles set out in the law. It specifies the minimum requirements for data security, the modalities for data protection impact assessment, and documentation obligations.

Technical and Organizational Requirements

The OPDo requires data controllers and processors to implement appropriate technical and organizational measures to ensure the security of personal data. These measures must be adapted to the risks involved and take into account the state of the art, implementation costs, the nature, scope, context, and purposes of the processing.

Among the specific requirements are:

  • Access control to facilities and systems
  • Encryption of sensitive data
  • Logging of automated processing operations
  • Implementation of regular testing and evaluation procedures
  • Training of personnel with access to personal data

The OPDo also specifies the cases where a data protection impact assessment is required, particularly when the processing involves high-risk profiling or large-scale processing of sensitive data.

Documentation and Transparency Obligations

One of the major innovations of the OPDo is the obligation to maintain a record of processing activities. This record must contain, for each processing activity:

  • The identity of the data controller
  • The purpose of the processing
  • A description of the categories of data subjects and categories of personal data
  • The categories of recipients
  • Retention periods
  • A general description of security measures
  • In case of disclosure abroad, the destination country and appropriate safeguards

The OPDo also imposes enhanced transparency obligations, particularly the obligation to inform data subjects clearly and accessibly about the collection of their data, including when the data is not collected directly from them.

An important innovation is the obligation to notify personal data breaches to the FDPIC as soon as possible when the breach is likely to result in a high risk to the rights and freedoms of data subjects. This notification must contain a description of the nature of the breach, its likely consequences, the measures taken or envisaged, as well as the contact details of a contact person.

4. FTA: The Federal Transparency Act and Its Implications

Objectives and Scope of Application

The Federal Act on Freedom of Information in the Administration (FTA), which entered into force in 2006, aims to promote transparency in the activities of the federal administration by guaranteeing public access to official documents. Although distinct from the FADP, the FTA interacts closely with it, particularly regarding the balance between the right of access to information and the protection of personal data.

The FTA applies primarily to federal authorities, including the federal administration, bodies, and persons under public or private law outside the federal administration, insofar as they issue acts or make decisions at first instance. Certain exceptions are provided, particularly for the Swiss National Bank and the Financial Market Supervisory Authority.

Interaction with Data Protection

The interaction between the FTA and the FADP raises complex questions when official documents contain personal data. In such cases, the FTA provides that documents must be anonymized before being communicated, unless:

  • The data subject has consented to the disclosure
  • The data subject has made the data publicly accessible themselves
  • The public interest in transparency outweighs the interest in data protection

The Federal Data Protection and Information Commissioner (FDPIC) acts as mediator in case of conflict between the right of access to documents and the protection of personal data. The FDPIC can issue recommendations and, if necessary, the matter can be brought before the Federal Administrative Court.

Specific Obligations for Public Bodies

Organizations subject to the FTA have the obligation to:

  • Inform the public about their activities
  • Organize their documents to facilitate public access
  • Implement simple procedures for access to documents
  • Process access requests within 20 days (extendable in certain cases)

In case of non-compliance with these obligations, administrative sanctions can be imposed, and in serious cases, fines of up to 1.5 million euros (or the equivalent in Swiss francs) can be imposed for violations of transparency obligations.

It is important to note that the FTA also provides exceptions to the right of access, particularly when access may harm the internal or external security of Switzerland, foreign policy interests, international relations, or the country’s economic or monetary interests.

5. Obligations Regarding Cookies and Consent

Legal Framework for Cookies in Switzerland

In Switzerland, the use of cookies is primarily governed by the revised FADP, which does not contain specific provisions for cookies unlike the EU’s ePrivacy Directive. However, the general principles of the FADP fully apply when cookies allow the collection of personal data.

Cookies therefore fall under the FADP regime if and only if they allow the collection of personal data, i.e., information relating to an identified or identifiable person.

In practice, this means that:

  • Cookies strictly necessary for the functioning of the website generally do not require explicit consent
  • Anonymized analytical cookies may benefit from a lighter regime
  • Tracking, profiling, or advertising cookies that allow user identification require a valid legal basis, generally consent

Consent Requirements (opt-in vs opt-out)

Under the revised FADP, the obligation to obtain consent for the use of cookies depends on the nature of the data collected and the processing carried out:

  1. Explicit consent (opt-in): Required for:
    • Cookies that collect sensitive data
    • Cookies used for high-risk profiling
    • Cookies that involve data transfer to countries without an adequate level of protection
  2. Implicit consent or opt-out: May be sufficient for:
    • Certain analytical cookies if anonymization measures are in place
    • Cookies that collect non-sensitive data for clearly defined and limited purposes

Consent, whether explicit or implicit, must always be:

  • Free (without constraint)
  • Specific (for determined purposes)
  • Informed (after adequate information)
  • Unambiguous (manifested by a clear positive act)

It is important to note that although Switzerland may accept an opt-out regime in certain cases, companies that also target EU residents will have to comply with the stricter requirements of the GDPR and the ePrivacy Directive, which generally require explicit consent (opt-in) for most non-essential cookies.

Best Practices for Cookie Compliance

To ensure compliance with the revised FADP regarding cookies, companies should adopt the following best practices:

  1. Cookie audit: Identify all cookies used on the website, their purpose, their lifespan, and whether they collect personal data.
  2. Compliant cookie banner: Implement a cookie banner that:
    • Clearly informs users about the types of cookies used
    • Allows giving or refusing consent in a granular way (by cookie category)
    • Does not pre-check consent options for non-essential cookies
    • Allows easy withdrawal of consent
  3. Detailed cookie policy: Develop an accessible cookie policy that explains:
    • The types of cookies used and their purpose
    • The retention period of cookies
    • Third parties who may access the collected data
    • How to manage or delete cookies
  4. Consent documentation: Keep a record of the consent given by users, including when and how it was obtained.
  5. Regular review: Regularly update the cookie audit and cookie policy to reflect any changes in cookie usage.

Although Switzerland may have a more flexible approach than the EU regarding cookies, it is generally recommended to adopt the highest standards, especially if the company also operates in the EU or processes data of EU residents.
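The cookie audit and consent checks described above can be automated against the `Set-Cookie` headers a site actually sends. The following is an added example, not part of the original article: the inventory, cookie names and headers are constructed, and it assumes the stricter opt-in standard for every non-necessary category.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed inventory, as the cookie policy would declare it:
# name -> (category, declared maximum lifespan in days; 0 = session cookie)
INVENTORY = {
    "session_id": ("necessary", 0),
    "lang": ("necessary", 365),
    "_stats": ("analytics", 30),
}

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed reference time

# Constructed Set-Cookie values, as observed on first page load,
# before the visitor has interacted with the banner.
FIRST_LOAD = [
    "session_id=abc123; Path=/; HttpOnly; Secure",
    "lang=de; Max-Age=31536000; Path=/",
    "_stats=GA1.2.1; Expires=Tue, 01 Jun 2027 00:00:00 GMT; Path=/",
    "_adtrack=x9; Max-Age=7776000; Domain=.ads.example",
]


def lifespan_days(set_cookie, now):
    """Return (name, lifespan in days) for one Set-Cookie value.

    0.0 means a session cookie (or one that is already expired).
    """
    first, *attrs = [p.strip() for p in set_cookie.split(";")]
    name = first.partition("=")[0].strip()
    max_age = expires = None
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "max-age" and val.lstrip("-").isdigit():
            max_age = int(val)
        elif key == "expires":
            try:
                expires = parsedate_to_datetime(val)
            except (TypeError, ValueError):
                continue  # unparseable date: treat as absent
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
    if max_age is not None:  # Max-Age takes precedence over Expires (RFC 6265)
        seconds = max(max_age, 0)
    elif expires is not None:
        seconds = max((expires - now).total_seconds(), 0)
    else:
        seconds = 0
    return name, seconds / 86400


def audit_cookies(set_cookie_headers, consented_categories, now):
    """Compare observed cookies with the declared inventory and consent state."""
    findings = []
    for header in set_cookie_headers:
        name, days = lifespan_days(header, now)
        if name not in INVENTORY:
            findings.append((name, "not declared in the cookie policy"))
            continue
        category, declared_days = INVENTORY[name]
        # Assumption: every category other than "necessary" needs opt-in.
        if category != "necessary" and category not in consented_categories:
            findings.append((name, f"{category} cookie set without consent"))
        if days > declared_days:
            findings.append(
                (name, f"lifespan {days:.0f} d exceeds declared {declared_days} d")
            )
    return findings


if __name__ == "__main__":
    for name, problem in audit_cookies(FIRST_LOAD, set(), NOW):
        print(f"{name}: {problem}")
```

Running the same audit after each banner choice (accept all, reject all, per-category) shows whether the banner's state actually controls which cookies are set.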

6. Legal Information Required for Websites

Mandatory Legal Notices

In Switzerland, the requirements for legal notices on websites are mainly governed by the Code of Obligations (CO), particularly Article 957, which applies to commercial entities. According to these provisions, a commercial website must clearly display:

  1. Complete identity of the website owner:
    • Exact company name as registered in the commercial register
    • Legal form of the company
    • Address of the registered office (complete physical address)
  2. Contact information:
    • Valid email address
    • Phone number
    • Possibly a contact form
  3. Registration information:
    • Business identification number (IDE)
    • Commercial register registration number
    • VAT number if applicable

This information must be easily accessible, generally via a “Legal Notice” or “Legal Information” link in the footer of the website.

For regulated professions (lawyers, doctors, etc.), additional information may be required, such as references to practice authorizations and supervisory bodies.

Compliant Privacy Policy

Under the revised FADP, a comprehensive and accessible privacy policy is now practically mandatory for any website that collects personal data. This policy must contain:

  1. Identity and contact details of the data controller and, where applicable, the representative in Switzerland and the data protection advisor.
  2. Processing purposes for which personal data is collected.
  3. Categories of personal data processed.
  4. Legal basis for processing (consent, legitimate interest, legal obligation, etc.).
  5. Recipients or categories of recipients of personal data, including processors.
  6. Data transfers abroad, if applicable, with mention of destination countries and appropriate safeguards.
  7. Retention period of data or criteria used to determine this period.
  8. Rights of data subjects:
    • Right of access
    • Right to rectification
    • Right to erasure
    • Right to restriction of processing
    • Right to data portability
    • Right to object
    • Right to withdraw consent
    • Right to lodge a complaint with the FDPIC
  9. Existence of automated decision-making, including profiling, and useful information regarding the underlying logic.
  10. Updates to the policy with indication of the date of the last update.

The privacy policy must be written in clear and simple language, easily accessible and understandable for data subjects.

Recommended Terms of Use and Disclaimers

Although not explicitly required by Swiss law for all websites, Terms of Use (ToU) and disclaimers are strongly recommended, particularly for e-commerce sites or those offering online services. These documents allow:

  1. Defining the conditions of use of the website and services offered.
  2. Limiting the liability of the website owner within the limits authorized by law.
  3. Protecting intellectual property (copyright, trademarks, etc.).
  4. Specifying the conditions of sale for e-commerce sites.
  5. Defining the applicable jurisdiction and applicable law in case of dispute.

For e-commerce sites, additional information is required in accordance with the Code of Obligations, particularly:

  • Technical steps for concluding the contract
  • Technical means to identify and correct input errors
  • Languages proposed for concluding the contract
  • Delivery conditions and payment methods
  • Return policy and guarantees

These documents must be easily accessible before the conclusion of any transaction and written in clear and understandable language.

7. Web Security and Data Protection

Encryption and HTTPS Requirements

The revised FADP and the OPDo require data controllers to implement appropriate technical and organizational measures to ensure the security of personal data. Although these texts do not explicitly mention the obligation to use HTTPS, this technology is considered an essential basic security measure.

Article 8 of the revised FADP stipulates that security measures must be appropriate to the risks involved and the state of the art. In the current context, this implies at a minimum:

  1. Systematic use of the HTTPS protocol with valid and up-to-date SSL/TLS certificates for all pages of the website, particularly those that collect personal data.
  2. Secure TLS configuration:
    • Use of recent versions of TLS (TLS 1.2 or higher)
    • Disabling obsolete protocols (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1)
    • Appropriate configuration of cipher suites
  3. Implementation of complementary mechanisms such as HTTP Strict Transport Security (HSTS), which instructs browsers to use HTTPS for the site even when an HTTP URL is requested.
  4. Encryption of sensitive data stored in databases, with secure management of encryption keys.

These measures are particularly important for sites that process sensitive data or that offer authentication or online payment functionalities.
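The transport-security baseline listed above can be expressed as a server-side setting plus an audit of what a site actually exposes. The following is an added example, not part of the original article: the scan dictionary layout, the host `shop.example`, the 180-day HSTS threshold and the requirement of a permanent redirect are assumptions, and the sample scans are constructed.

```python
import ssl
from datetime import datetime, timezone

# Protocol versions the list above names as obsolete.
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MIN_HSTS_MAX_AGE = 15_552_000  # assumption: 180 days as the minimum policy


def server_context():
    """TLS server context that refuses anything older than TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value or True}."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if name and name not in directives:  # first occurrence wins
            directives[name] = val.strip().strip('"') if val else True
    return directives


def audit(scan, now):
    """Return a list of findings for one scanned site (empty list = baseline met)."""
    findings = []
    offered = set(scan["protocols"])
    weak = sorted(OBSOLETE_PROTOCOLS & offered)
    if weak:
        findings.append("obsolete protocols enabled: " + ", ".join(weak))
    if not offered & {"TLSv1.2", "TLSv1.3"}:
        findings.append("no TLS 1.2 or higher offered")
    if scan["cert_not_after"] <= now:
        findings.append("certificate expired")
    status, location = scan["http_redirect"]
    if status not in (301, 308) or not (location or "").lower().startswith("https://"):
        findings.append("plain HTTP is not permanently redirected to HTTPS")
    # HSTS only counts when delivered over HTTPS; browsers ignore it on plain HTTP.
    hsts = parse_hsts(scan["https_headers"].get("strict-transport-security", ""))
    max_age = hsts.get("max-age")
    if not (isinstance(max_age, str) and max_age.isascii() and max_age.isdigit()):
        findings.append("HSTS header missing or without a valid max-age")
    elif int(max_age) < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
    return findings


NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed reference time

# Constructed scan results (what a TLS scanner and two HTTP requests would report).
WEAK = {
    "protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
    "cert_not_after": datetime(2025, 1, 1, tzinfo=timezone.utc),
    "http_redirect": (200, None),  # site still answers over plain HTTP
    "https_headers": {},
}
HARDENED = {
    "protocols": ["TLSv1.2", "TLSv1.3"],
    "cert_not_after": datetime(2026, 1, 1, tzinfo=timezone.utc),
    "http_redirect": (301, "https://shop.example/"),
    "https_headers": {
        "strict-transport-security": "max-age=31536000; includeSubDomains"
    },
}

if __name__ == "__main__":
    for label, scan in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(scan, NOW) or "baseline met")
```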

Security Audits and Impact Assessments

The revised FADP introduces the obligation to carry out a data protection impact assessment (DPIA) when processing is likely to result in a high risk to the personality or fundamental rights of data subjects. The OPDo specifies the cases where such an analysis is required, particularly:

  1. Large-scale processing of sensitive data
  2. High-risk profiling
  3. Systematic large-scale surveillance of publicly accessible areas

A DPIA must contain at a minimum:

  • A description of the envisaged processing and its purposes
  • An assessment of the risks to the rights of data subjects
  • The measures envisaged to address these risks

Beyond formal DPIAs, best practices in web security recommend:

  1. Regular security audits:
    • Penetration tests (pentests)
    • Vulnerability analyses
    • Code reviews
  2. Compliance assessments with recognized security standards and norms (ISO 27001, NIST, etc.)
  3. Backup restoration tests to ensure data availability in case of incident

These measures must be documented and regularly updated to take into account the evolution of threats and technologies.

Data Breach Notification

One of the major innovations of the revised FADP is the introduction of an obligation to notify personal data breaches. According to Article 24 of the FADP and the details provided by the OPDo, the data controller must:

  1. Notify the FDPIC as soon as possible in case of a data security breach resulting in a high risk to the personality or fundamental rights of data subjects.
  2. Inform the data subject if this information is necessary for their protection or if the FDPIC requires it.

The notification to the FDPIC must contain at a minimum:

  • The nature of the breach
  • The consequences for the data subjects
  • The measures taken or envisaged
  • The name and contact details of a contact person

Unlike the GDPR, which imposes a 72-hour deadline for notification, the revised FADP uses the formulation “as soon as possible”, which leaves some room for interpretation. However, in practice, it is recommended to act quickly, ideally within a timeframe comparable to that of the GDPR.

It is important to note that not all breaches necessarily need to be notified: only those presenting a “high risk” for the data subjects are subject to this obligation. The assessment of this risk must take into account the nature, scope, context, and purposes of the processing.

8. Hosting and International Data Transfers

Rules for Transfers Outside Switzerland

The revised FADP maintains the principle that personal data may only be disclosed abroad if the level of data protection in the destination country is adequate. Article 16 of the FADP specifies the conditions under which international data transfers are authorized:

  1. Transfer to a country ensuring an adequate level of protection: The Federal Council publishes a list of States that ensure an adequate level of protection.
  2. Transfer with appropriate safeguards in the absence of an adequacy decision:
    • Standard contractual clauses approved by the FDPIC
    • Binding corporate rules (BCR) approved by the FDPIC
    • Approved codes of conduct or certifications
  3. Derogations for specific situations:
    • Explicit consent of the data subject
    • Performance of a contract with the data subject
    • Overriding public interest
    • Protection of a vital interest
    • Data made public by the data subject
    • Establishment, exercise, or defense of legal claims

For data controllers, this implies:

  • Identifying all data transfers outside Switzerland
  • Checking if the destination country offers an adequate level of protection
  • Implementing appropriate safeguards if necessary
  • Documenting transfers and safeguards put in place

Countries Recognized as Adequate

The Swiss Federal Council recognizes the following countries as offering an adequate level of protection:

  1. Member States of the European Union (EU) and the European Economic Area (EEA)
  2. Third countries recognized as adequate by the EU and also recognized by Switzerland:
    • Andorra
    • Argentina
    • Canada (for private entities subject to the Canadian data protection law)
    • Guernsey
    • Isle of Man
    • Faroe Islands
    • Israel
    • Jersey
    • New Zealand
    • United Kingdom
    • Uruguay
  3. Countries specifically recognized by Switzerland:
    • Japan

It is important to note that this list may evolve based on regular assessments carried out by the Federal Council. Data controllers must therefore stay informed of updates.

For the United States, the situation is particular: following the invalidation of the Privacy Shield by the Court of Justice of the European Union (Schrems II judgment), Switzerland also considered that this mechanism no longer offered sufficient guarantees. A new framework, the “Data Privacy Framework” (DPF), has been put in place, but its adequacy is still being evaluated.

Appropriate Safeguards and Contractual Clauses

When data transfer is made to a country not offering an adequate level of protection, appropriate safeguards must be put in place. The main options are:

  1. Standard Contractual Clauses (SCC):
    • Switzerland generally recognizes the standard contractual clauses adopted by the European Commission
    • The FDPIC may also approve specific clauses
    • The clauses must be adapted to the Swiss context (references to Swiss legislation, competence of the FDPIC, etc.)
  2. Binding Corporate Rules (BCR):
    • Binding internal policies adopted by a group of companies
    • Must be approved by the FDPIC
    • Approval process generally long and complex
  3. Codes of conduct and certifications:
    • Mechanisms approved by the FDPIC
    • Must contain binding and enforceable commitments

Regardless of the chosen safeguard, additional measures may be necessary depending on the risk assessment specific to the transfer, particularly:

  • Technical measures: encryption, pseudonymization, etc.
  • Organizational measures: internal policies, training, etc.
  • Contractual measures: audit rights, notification obligations, etc.

It is also essential to document the risk assessment and the measures put in place, in order to be able to demonstrate compliance in case of control by the FDPIC.

9. Sanctions and Fines under FADP 2023

Fines up to CHF 250,000 for Responsible Individuals

One of the most significant changes introduced by the revised FADP concerns the sanctions regime. Unlike the GDPR, which provides for administrative fines of up to 20 million euros or 4% of global annual turnover, the Swiss FADP opts for a system of criminal sanctions primarily targeting natural persons.

Article 60 of the revised FADP provides for fines of up to CHF 250,000 for intentional breaches of the following obligations:

  1. Violation of information, disclosure, and cooperation obligations
  2. Violation of due diligence obligations
  3. Violation of the duty of confidentiality
  4. Non-compliance with minimum data security requirements
  5. Non-compliance with a decision of the FDPIC

It is important to note that these sanctions apply to the natural persons who committed the offense, generally the managers or employees responsible for data processing. If the offender cannot be identified without disproportionate effort, the company may be fined up to CHF 50,000.

For offenses committed through negligence, fines are reduced to a maximum of CHF 50,000.

Equipment Confiscation for Breaches

Beyond fines, the revised FADP also provides for the possibility of confiscating equipment used to commit offenses. This measure, provided for by the OPDo, can apply particularly to:

  • Servers and storage equipment
  • Computers and mobile devices
  • Specific software used for unlawful processing

Confiscation can be ordered independently of a criminal conviction if the equipment:

  • Compromises the safety of persons
  • Is used to commit other offenses
  • Has been acquired through the proceeds of offenses

This measure can have particularly serious consequences for companies, especially in terms of business interruption and data loss.

Comparison with GDPR Sanctions

The sanctions regime of the revised FADP differs significantly from that of the GDPR in several aspects:

| Aspect | Revised FADP (Switzerland) | GDPR (EU) |
|---|---|---|
| Nature of sanctions | Mainly criminal | Mainly administrative |
| Target of sanctions | Natural persons (responsible individuals) | Legal persons (companies) and natural persons |
| Maximum amount | CHF 250,000 for individuals, CHF 50,000 for companies | 20 million euros or 4% of global annual turnover |
| Competent authority | Criminal authorities (upon denunciation by the FDPIC) | Data protection authorities |
| Application criteria | Intent or negligence | Severity, duration, number of people affected, etc. |

This difference in approach can create complex situations for companies operating in both Switzerland and the EU, which must comply with both regimes.

It is important to note that despite apparently less severe financial sanctions, the criminal nature of Swiss sanctions can have serious consequences for the individuals concerned, particularly in terms of criminal record and professional reputation.

10. Compliance Checklist for Businesses

Practical Steps to Comply with FADP 2023

To ensure compliance with the revised FADP, OPDo, and FTA, companies should follow a methodical approach in several steps:

  1. Data processing mapping:
    • Identify all personal data processing
    • Document the purposes, categories of data, recipients, etc.
    • Establish a record of processing activities
  2. Compliance assessment:
    • Verify the legal basis for each processing
    • Ensure compliance with fundamental principles
    • Identify gaps with legal requirements
  3. Compliance of legal documents:
    • Update the privacy policy
    • Revise the website’s legal notices
    • Adapt contracts with processors
    • Implement a compliant cookie policy
  4. Implementation of technical and organizational measures:
    • Strengthen information system security
    • Implement procedures for managing data subjects’ rights
    • Develop data breach notification procedures
    • Train staff on data protection requirements
  5. Management of international transfers:
    • Identify all transfers outside Switzerland
    • Implement appropriate safeguards if necessary
    • Document transfers and safeguards
  6. Implementation of governance processes:
    • Designate a data protection officer (DPO) if necessary
    • Establish internal audit procedures
    • Implement an incident management system

Required Documentation and Processes

To demonstrate their compliance, companies must maintain comprehensive documentation, including:

  1. Record of processing activities containing:
    • Processing purposes
    • Categories of data and data subjects
    • Data recipients
    • Transfers to third countries
    • Retention periods
    • Security measures
  2. Internal policies and procedures:
    • Data protection policy
    • Procedure for managing data subjects’ rights
    • Data breach notification procedure
    • Data retention and archiving policy
    • Information security policy
  3. Data Protection Impact Assessments (DPIAs) for high-risk processing
  4. Documentation of technical and organizational measures implemented to ensure data security
  5. Proof of consent when processing is based on data subjects’ consent
  6. Contracts with processors including the clauses required by Article 9 of the revised FADP
  7. Documentation of international transfers and appropriate safeguards

These documents must be regularly updated and easily accessible in case of control by the FDPIC.

Recommended Resources and Tools

To facilitate compliance with the revised FADP, companies can rely on various resources and tools:

  1. Official resources:
    • FDPIC guide on the revised FADP
    • Templates and recommendations published by the FDPIC
    • FAQ and thematic guides from the FDPIC
  2. Compliance management tools:
    • Processing mapping software
    • Consent management solutions
    • Risk assessment and DPIA tools
    • Platforms for managing rights exercise requests
  3. Training and certifications:
    • Training for DPOs and compliance officers
    • Recognized certifications (CIPP/E, CIPM, etc.)
    • Specialized webinars and workshops
  4. Professional assistance:
    • Law firms specialized in data protection
    • GDPR/FADP compliance consultants
    • Information security experts
  5. Networks and professional associations:
    • Swiss Association of Data Protection Professionals
    • Best practice exchange groups
    • Specialized forums

It is recommended to adopt a proportionate approach, adapting resources and tools to the size of the company, the nature of the data processed, and the associated risks.

11. Conclusion and Future Perspectives

The revision of the Federal Act on Data Protection (FADP), complemented by the Data Protection Ordinance (OPDo) and the Federal Transparency Act (FTA), marks a crucial step in the evolution of the Swiss legal framework for personal data protection. This reform, which entered into force on September 1, 2023, significantly modernizes the Swiss regime and aligns it more closely with international standards, particularly the European GDPR.

The main innovations of this new regulatory framework include:

  • Enhanced transparency obligations
  • Introduction of impact assessments for high-risk processing
  • Obligation to notify data breaches
  • A criminal sanctions regime with fines of up to CHF 250,000

For companies, compliance with these new requirements represents a significant challenge but also an opportunity to strengthen the trust of customers and partners. A methodical approach, based on precise mapping of processing activities and rigorous risk assessment, is essential to navigate effectively in this new regulatory landscape.

In the future, several trends are to be monitored:

  • The evolution of jurisprudence that will clarify the interpretation of certain provisions
  • FDPIC decisions that will establish important precedents
  • International developments, particularly the evolution of the GDPR and new data transfer agreements
  • The emergence of new technologies (AI, blockchain, etc.) that will raise new challenges in terms of data protection

In this dynamic context, active regulatory monitoring and a proactive approach to compliance are essential for companies wishing to operate smoothly in Switzerland and internationally.

References

  1. Federal Act on Data Protection (FADP) of September 25, 2020, entered into force on September 1, 2023
  2. Data Protection Ordinance (OPDo) of August 31, 2022
  3. Federal Act on Freedom of Information in the Administration (FTA) of December 17, 2004
  4. Official website of the Federal Data Protection and Information Commissioner (FDPIC): https://www.edoeb.admin.ch/
  5. Swiss Code of Obligations, Article 957
  6. Fedlex – Systematic Compilation of Federal Law: https://www.fedlex.admin.ch/
  7. Digital Guardian, “What is the New Swiss Data Protection Act and How Do You Achieve Compliance?”, 2024
  8. Didomi, “Switzerland’s new Federal Act on Data Protection (nFADP)”, 2023
  9. Pestalozzi Law, “The revised Federal Data Protection Act – sanctions increase as of 1 September 2023”, 2023
  10. Data Privacy Manager, “Implications of new Swiss Federal Act on Data Protection”, 2023

This article was updated in June 2025 and reflects the current state of regulations. The information provided is for informational purposes only and does not constitute legal advice. Consult a specialized attorney for advice tailored to your specific situation.