SecurePrivacy Logo

Swiss Federal Act on Data Protection (FADP)

View Law Text
Maximum Fine
CHF 250,000
Scope
National
Regulator
FDPIC
Enacted
2023

Need Help with Swiss Federal Act on Data Protection (FADP) Compliance?

Get expert guidance on implementing Swiss data protection requirements and ensuring ongoing compliance for your organization.

Get Expert Help

Overview

The revised Federal Act on Data Protection (FADP) modernizes Swiss data protection law, introducing enhanced requirements and stronger enforcement mechanisms.

Key Facts

  • Enacted in 2023
  • Enforced by Federal Data Protection and Information Commissioner
  • Aligns with GDPR while maintaining Swiss specificity

Key Principles

Lawfulness and Transparency

Personal data must be processed lawfully, fairly, and transparently.

Requirements

  • Valid legal basis for processing
  • Clear privacy notices
  • Transparent processing activities
  • Documentation of legal grounds
  • Regular compliance reviews

Examples

  • Privacy notices on websites
  • Consent management systems
  • Processing records
  • Documentation of legal bases

Data Minimization

Collection and processing of personal data must be limited to what is necessary.

Requirements

  • Assess data necessity
  • Limit collection scope
  • Regular data reviews
  • Deletion procedures
  • Documentation of necessity

Examples

  • Data collection forms
  • Necessity assessments
  • Deletion schedules
  • Review procedures

Swiss-Specific Requirements

Additional requirements specific to Swiss data protection law.

Requirements

  • Cross-border transfer rules
  • Employee data protection
  • Professional secrecy obligations
  • Direct marketing restrictions
  • Data breach notification

Examples

  • Transfer documentation
  • Employee privacy policies
  • Secrecy agreements
  • Marketing consent forms

Compliance Requirements

Data Protection Officer

Requirements for appointing and maintaining a Data Protection Officer position.

Implementation Steps

  • Assess DPO requirement
  • Appoint qualified DPO
  • Ensure independence
  • Provide resources
  • Document activities

Required Documentation

  • DPO appointment letter
  • Qualification records
  • Activity reports
  • Training certificates
  • Resource allocation

Processing Records

Maintenance of records of processing activities.

Implementation Steps

  • Document processing activities
  • Map data flows
  • Update regularly
  • Review compliance
  • Maintain records

Required Documentation

  • Processing records
  • Data flow diagrams
  • Review logs
  • Update history
  • Compliance reports

International Transfers

Requirements for transferring personal data outside Switzerland.

Implementation Steps

  • Assess transfer mechanisms
  • Implement safeguards
  • Obtain authorizations
  • Document transfers
  • Monitor compliance

Required Documentation

  • Transfer agreements
  • Adequacy decisions
  • Authorization records
  • Transfer logs
  • Monitoring reports

Enforcement & Penalties

Administrative Penalties

The Federal Data Protection and Information Commissioner (FDPIC) can impose significant administrative fines for violations.

Penalty Categories

Severe Violations
Up to CHF 250,000
For violations of basic principles or data subject rights
Standard Violations
Up to CHF 125,000
For violations of technical and organizational measures
Local Provisions
Up to CHF 50,000
For violations of specific national requirements

Example Cases

Healthcare Provider
CHF 200,000
2023 - Insufficient security measures and unauthorized data sharing
Financial Institution
CHF 100,000
2022 - Failure to implement appropriate data protection measures

Additional Measures

The FDPIC can impose various corrective measures beyond monetary penalties.

Penalty Categories

Processing Bans
Temporary or Permanent
Prohibition of specific processing activities
Corrective Orders
Mandatory Changes
Orders to bring processing into compliance
Public Warnings
Publication
Public disclosure of violations

Example Cases

Digital Service Provider
Processing Ban
2023 - Ordered to cease illegal data collection practices
Technology Company
Corrective Order
2022 - Required to implement additional security measures