Data & Privacy · Switzerland

Comprehensive law: Federal Act on Data Protection (FADP / nFADP) of 25 September 2020, in force since 1 September 2023, with its implementing Ordinance (DPO); supervised by the Federal Data Protection and Information Commissioner (FDPIC / EDÖB).

Switzerland has a comprehensive, cross-sectoral data-protection regime under the revised Federal Act on Data Protection (FADP), which entered into force on 1 September 2023 and was extensively aligned with the EU GDPR. The independent Federal Data Protection and Information Commissioner (FDPIC) supervises enforcement for both federal bodies and private entities. On 15 January 2024 the European Commission confirmed that Switzerland continues to provide an adequate level of data protection under the GDPR, allowing free EU/EEA-to-Switzerland data flows.

Comprehensive GDPR-aligned law

The revised FADP (25 Sept 2020, in force 1 Sept 2023) replaced the 1992 act and applies across all sectors, public and private. It was deliberately revised to match the GDPR's level of protection while retaining Swiss-specific features.

Supervisory authority (FDPIC)

The Federal Data Protection and Information Commissioner (FDPIC / EDÖB) is the independent authority overseeing the FADP (and the Freedom of Information Act). It can open investigations on its own initiative or on report, and can order measures including the adjustment, suspension or termination of processing and the deletion of data.

Controller obligations

The law introduced or strengthened duties including records of processing activities, data protection impact assessments (DPIAs), privacy by design and by default, transparency and information duties, and rules on profiling. Sensitive-data categories were expanded to include genetic and biometric data.

Data-breach notification

Controllers must notify the FDPIC of a data security breach as quickly as possible when it is likely to result in a high risk to the data subject's personality or fundamental rights; affected individuals must be informed where necessary for their protection or if the FDPIC so requires.

Penalties target individuals

Unlike the GDPR's corporate administrative fines, the FADP provides criminal fines of up to CHF 250,000 imposed on responsible private individuals for breaches of specific duties; a business may be fined up to CHF 50,000 where identifying the individual would require disproportionate effort.

EU adequacy maintained

On 15 January 2024 the European Commission confirmed Switzerland's adequacy under the GDPR (replacing the 2000 decision under Directive 95/46/EC), so personal data can flow from the EU/EEA to Switzerland without additional safeguards such as Standard Contractual Clauses.

Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.