Data Protection Regulations in Switzerland
The New Swiss Data Protection Law
The Swiss Federal Act on Data Protection (FADP) was comprehensively revised and the new version entered into force in September 2023. The main objective of this revision is to align Switzerland’s data protection framework with the EU General Data Protection Regulation (GDPR). This alignment ensures that Switzerland continues to be recognized by the EU as a country with an adequate level of data protection, allowing for the unrestricted flow of personal data between the EU and Switzerland.
Below is an overview of the key changes introduced by the revised FADP and their implications:
Key Regulatory Changes in the Revised FADP
Switzerland must guarantee at least the same level of data protection as under the GDPR to maintain EU adequacy status.
Unlike the previous version, the revised law no longer covers data of deceased individuals.
Companies now have a proactive duty to inform data subjects, based on a broad general clause.
Organizations may appoint a Data Protection Advisor (similar to a DPO under the GDPR), who supports internal compliance and acts as a point of contact.
Industry-specific codes of conduct can be submitted to the Federal Data Protection and Information Commissioner (FDPIC) for review.
Companies must maintain a register of data processing activities. Exception for SMEs with fewer than 250 employees—this applies to ~99% of all Swiss companies.
Foreign companies processing data of persons in Switzerland must appoint a Swiss-based representative.
Data transfers abroad are only permitted if the recipient country offers an adequate level of protection or safeguards are in place.
Data subjects have the right to object to fully automated decisions that produce legal effects.
A DPIA is required where processing may result in a high risk to the privacy of individuals.
Data breaches must be reported to the FDPIC as soon as possible.
Data subjects have the right to receive their personal data in a commonly used format.
Individuals can assert claims related to their data rights before civil courts.
Special provisions apply to federal institutions processing personal data.
The FDPIC now has enhanced powers, including investigative and advisory responsibilities.
Establishes procedures for cooperation with foreign authorities.
Violations can result in fines of up to CHF 250,000, particularly for individuals responsible for willful misconduct.
Transitional arrangements and clarifications for entry into force.