Federal Act on Data Protection (Switzerland)
Switzerland's revised Federal Act on Data Protection (nFADP/nLPD) took effect in September 2023, modernizing privacy rules to align with the GDPR and preserve EU adequacy. It adds privacy by design, breach notification, and impact assessments, overseen by the FDPIC.
The revised Federal Act on Data Protection, known in French as nLPD (nouvelle loi sur la protection des données) and in English as the nFADP, is Switzerland's modernized data protection law. The revised Act entered into force on September 1, 2023, replacing the previous 1992 law. The revision aligns Swiss law more closely with the GDPR so that Switzerland can maintain its adequacy recognition with the European Union. It is supervised by the Federal Data Protection and Information Commissioner (FDPIC).
The revised Act keeps Switzerland's traditionally pragmatic approach while adding modern obligations such as privacy by design, records of processing, breach notification, and data protection impact assessments.
Who It Applies To
The Act applies to the processing of personal data of natural persons by private persons and federal bodies. Unlike the GDPR, the revised Act no longer protects the data of legal entities. It has extraterritorial effect, applying to processing that has an effect in Switzerland even if carried out abroad. Controllers based outside Switzerland may need to designate a representative in Switzerland in certain cases.
Key Requirements
Processing must comply with the principles of lawfulness, good faith, proportionality, purpose limitation, accuracy, and data security. Controllers must apply privacy by design and by default and must keep records of processing activities, with an exemption for smaller companies whose processing poses low risk. High-risk processing requires a data protection impact assessment. Controllers must notify the FDPIC of data security breaches that are likely to result in a high risk to data subjects, as quickly as possible. Data subjects have rights to information, access, correction, and to object, and there are rules on automated individual decisions and profiling. Cross-border transfers require an adequate level of protection, a recognized country, or appropriate safeguards such as standard contractual clauses.
Penalties for Non-Compliance
A distinctive feature of Swiss law is that fines are directed primarily at responsible individuals rather than companies. Private individuals who intentionally breach certain duties, such as information, access, or cross-border transfer obligations, can face fines of up to CHF 250,000. Enforcement is handled by the cantonal authorities, with the FDPIC able to investigate and order corrective measures.
How to Comply
Apply privacy by design and by default in systems and processes. Keep records of processing activities unless you qualify for the small-company exemption. Conduct data protection impact assessments for high-risk processing. Establish a breach notification process to inform the FDPIC promptly. Update privacy notices and honor data subject rights, including rules on automated decisions. Review cross-border transfers and apply adequacy or appropriate safeguards.