Legal & Compliance · Lesson 2 of 5

Swiss Data Protection Act (nDSG/FADP)

The revised FADP in force since 2023 — what you need to know

The Revised FADP (nDSG)

Switzerland's revised Federal Act on Data Protection (nDSG/FADP) entered into force on September 1, 2023. While inspired by the GDPR, it has important differences and applies to all companies processing data of Swiss persons.

Key Obligations

  • Privacy notices: Clear information when collecting personal data
  • Data subject rights: Right of access, rectification, deletion, portability
  • Data breach notification: Must notify the FDPIC within 72 hours for high-risk breaches
  • Cross-border transfers: Only to countries with adequate protection (or with safeguards)
  • Data processing register: Companies >250 employees must maintain a record of processing activities

Key FADP vs GDPR Differences

Unlike GDPR, FADP does NOT require a legal basis for processing if the purpose is apparent and legitimate. No mandatory DPO appointment required for most companies. Maximum fine: CHF 250,000 (targeting individuals, not companies — unusual approach).

What Swiss Companies Should Do

  • Update privacy notices on website and service agreements
  • Review data processing contracts with vendors
  • Ensure cross-border data transfers to non-adequate countries use standard contractual clauses
  • Designate a data protection contact person (recommended, not mandatory)
Previous Next Lesson