5 June 2026

FinTech And Data Protection In Switzerland: Navigating The Revised FADP

RUGGLE Partner

Contributor

Peter Ruggle is the founder of Ruggle Partner, a boutique law firm with offices in Zürich and Luzern. With over three decades of legal experience, he advises national and international clients on corporate and commercial law, M&A transactions, banking and capital markets, FinTech, and dispute resolution. A graduate of the University of St. Gallen with additional qualifications in FinTech (Oxford) and an MBA (Singapore), Peter began his career as a judge at the District Court of Meilen before joining private practice. He is a qualified mediator and publishes regularly in the fields of commercial law, financial services, and civil procedure. Peter is fluent in German, English, French, and Italian, enabling him to serve clients across multiple jurisdictions with a practical, solution-oriented approach.

Switzerland’s financial-technology sector runs on data — and since the revised Federal Act on Data Protection took effect, the rules for handling that data have become materially stricter. This article sets out what FinTech providers operating in or into Switzerland need to know, how the data protection regime works in practice, and how it dovetails with the financial-market rules supervised by FINMA.

FINTECH  ·  DATA PROTECTION  ·  SWISS LAW

Introduction

Switzerland has established itself as one of Europe’s leading hubs for financial innovation, from the “Crypto Valley” around Zug to a dense ecosystem of payment apps, neobanks, lending platforms, robo-advisers, insurtechs and crypto-asset service providers. What every one of these business models has in common is that it is built on the systematic processing of personal data — and, very often, of sensitive financial data. That makes data protection not a back-office formality but a core compliance discipline that shapes the product itself.

Two bodies of law govern FinTech activity in parallel. The first is the revised Federal Act on Data Protection (revFADP; in German the totally revised Datenschutzgesetz, nDSG), in force since 1 September 2023. The second is the sector-specific financial-market regime supervised by the Swiss Financial Market Supervisory Authority (FINMA), layered on top of banking and professional-secrecy duties. The two regimes overlap at almost every turn — a single cloud deployment can simultaneously raise a cross-border transfer question under the revFADP and an outsourcing question under FINMA’s rules — and providers that treat data protection as an afterthought to their licensing analysis expose themselves, and as set out below their managers personally, to real risk.

Crucially, the reach of Swiss data protection law is not confined to firms with a Swiss seat. The points below are therefore as relevant to a foreign FinTech offering services into Switzerland as they are to a Zurich- or Zug-based start-up.

The Revised FADP: the Baseline Every FinTech Must Meet

The revFADP modernised Swiss data protection law and aligned it in substance — though not in every detail — with the EU General Data Protection Regulation (GDPR). Firms that have already implemented a GDPR programme will find the additional effort manageable, but the “Swiss finish” differences are real and should not be glossed over. Three are worth flagging at the outset: the revFADP no longer protects the data of legal entities, only of natural persons; it expands the catalogue of sensitive personal data to include genetic and biometric data that uniquely identify an individual; and — most strikingly for international groups — its sanctions are aimed primarily at responsible individuals rather than at the company.

The core obligations form a familiar architecture: the general processing principles of lawfulness, good faith, transparency, proportionality, purpose limitation, accuracy and data security (Art. 6 revFADP); privacy by design and by default (Art. 7); appropriate technical and organisational measures to ensure data security (Art. 8, concretised in the implementing Data Protection Ordinance, “DPO”); the duty to keep a record of processing activities (Art. 12, with a limited exemption for enterprises of fewer than 250 employees that do not carry out high-risk processing); transparent information duties towards data subjects on collection (Art. 19); and strict requirements for engaging processors, including the controller’s approval of any sub-processor (Art. 9). For a FinTech, each of these touches the product directly — onboarding flows, scoring engines, data-sharing APIs and analytics pipelines — not merely the legal function.

Who Is Caught: the Extraterritorial Reach

The revFADP follows an effects doctrine (Art. 3): it applies to any processing that has an effect in Switzerland, even where the activity is initiated from abroad. In practice, a foreign FinTech that targets goods or services to individuals in Switzerland, or that monitors their behaviour, falls within scope just as the GDPR would catch an analogous activity in the EU. The extraterritorial reach is, if anything, wider than its European model.

A practical consequence is the obligation, under Art. 14 revFADP, for a controller without a seat in Switzerland to appoint a representative in Switzerland where its processing of Swiss data subjects’ data is connected to offering them goods or services or to monitoring their behaviour, and is carried out on a large scale, regularly, and entails a high risk. For many cross-border FinTech platforms, those criteria are readily met, and the representative — together with a clear allocation of controller and processor roles across the group — should be addressed before launch rather than after a complaint.

The Data Protection Impact Assessment: the Pivotal Duty

This is where FinTech is structurally exposed. Under Art. 22 revFADP, a controller must carry out a data protection impact assessment (DPIA; in German Datenschutz-Folgenabschätzung, DSFA) in advance whenever the envisaged processing is likely to entail a high risk to the personality or fundamental rights of the data subjects. Critically, the statute expressly identifies the use of new technologies as a principal indicator of high risk, alongside large-scale processing of sensitive data and systematic large-scale monitoring.

For a sector defined by AI-driven credit scoring, biometric onboarding, algorithmic transaction monitoring, behavioural analytics and the large-scale processing of sensitive financial data, the DPIA is therefore rarely optional — in practice it is the default. The assessment is, in essence, a structured risk analysis carried out before the project goes live: it must describe the planned processing, evaluate the risks to the data subjects, and set out the technical and organisational measures envisaged to mitigate them. The exercise forces a provider to confront, on paper and in advance, exactly how its model handles personal data and what could go wrong.

The documentation must be retained: the implementing Ordinance requires the DPIA to be kept for at least two years after the processing has ended. Where the assessment shows that a high residual risk remains despite the mitigating measures, the controller must consult the FDPIC beforehand (Art. 23); the Commissioner reviews the plan and may recommend adjustments. A private controller that has appointed an (independent) data protection adviser and consulted that adviser may dispense with consulting the FDPIC — a further reason to put proper internal governance in place.

Conversely, a provider may be relieved of the DPIA duty altogether where its product, system or service has been certified under Art. 13 revFADP. Certification confirms, among other things, the confidentiality, integrity, availability and traceability of the data, and doubles as a credible trust signal to clients, banking partners and investors — an increasingly valuable differentiator in a market where counterparties run their own due diligence.

Profiling, Credit Scoring and Automated Decisions

Three further duties bear directly on the typical FinTech use case. First, the revFADP introduces a GDPR-style definition of profiling and singles out “high-risk profiling” — automated processing that combines data so as to assess essential aspects of a person’s personality. Where a private controller relies on consent to justify such high-risk profiling, that consent must be express (Art. 6(7)). Robo-advisory and behavioural-scoring engines need to be designed with this distinction in mind.

Second, the Act sets special conditions for credit checks (Art. 30(2)(c)): an overriding interest justifying a creditworthiness assessment is presumed only if no sensitive personal data and no high-risk profiling are involved, the data are not older than the statutory threshold, and the results are disclosed to third parties solely where they need them to conclude or perform a contract with the data subject. Lending platforms, BNPL providers and credit bureaus must build their data flows around these limits.

Third, where a decision producing legal effects or significant impact on the data subject is taken exclusively on an automated basis (Art. 21), the controller must inform the data subject and, on request, allow the decision to be reviewed by a natural person. Coupled with the strengthened right of access (Art. 25), this means an automated decline of a loan, account or payment must be both explainable and contestable. For AI-driven products, designing in human-in-the-loop review and clear notices is not optional polish but a legal requirement.

Data Security Is an Operational Duty, Not a Paper Exercise

The adequacy of security measures under Art. 8 revFADP — concretised by the minimum requirements of the DPO, which turn on ensuring the confidentiality, integrity, availability and traceability of the data — is judged on the facts of each case. Swiss administrative case law has consistently held that while absolute security is unattainable, controllers must implement effective, robust controls and may not simply rely on contractual assurances from partners or on the self-declaration of their own users. A credit-information business, for example, was criticised by the courts precisely for leaning on user self-declaration instead of building its own verification mechanisms.

For FinTech, where the sensitivity of financial data places the risk profile at the higher end of the spectrum, this translates into genuine access controls, encryption, logging and traceability — evidenced, not merely asserted. The revFADP also introduces a duty to notify the FDPIC of data security breaches that are likely to result in a high risk to the data subjects, and to do so as quickly as possible; unlike the GDPR, the Act sets no fixed 72-hour deadline, but “as quickly as possible” should not be read as licence to delay. Affected individuals must also be informed where this is necessary for their protection (Art. 24).

Cross-Border Data Flows and the Cloud

Few FinTechs keep their entire technology stack within Switzerland. Articles 16 to 18 revFADP permit the transfer of personal data abroad only to states that the Federal Council recognises as providing adequate protection (the list is set out in Annex 1 to the DPO) or, failing adequacy, on the basis of appropriate safeguards — such as the Swiss standard contractual clauses, binding corporate rules, or one of the statutory exceptions. Since 15 September 2024, the United States has been added to the adequacy list, but only for recipients certified under the Swiss–U.S. Data Privacy Framework; transfers to non-certified U.S. recipients still require contractual safeguards and a transfer impact assessment, and prudent providers keep those safeguards in place as a fallback.

This is also the point at which data protection and financial regulation converge most sharply: the very same cloud arrangement that raises a transfer question under the revFADP will usually raise an outsourcing question under FINMA’s rules, and the analyses are best run together rather than in separate silos.

Where Data Protection Meets Financial Regulation

A FinTech licence under Art. 1b of the Banking Act allows an institution to accept public deposits of up to CHF 100 million (or crypto-based assets) provided they are neither invested nor interest-bearing; the institution must be incorporated and operate in Switzerland and must inform clients that such deposits enjoy neither deposit-protection privilege nor protection in bankruptcy. Whatever the licensing status, bank-client confidentiality under Art. 47 of the Banking Act — and the equivalent professional-secrecy duties under the Financial Institutions Act for portfolio managers and trustees — overlays the data protection regime, with its own criminal teeth.

Where significant functions are outsourced — and most cloud and third-party AI arrangements qualify, in particular where a provider obtains access to a significant quantity of client-identifying data (“mass CID”) — FINMA Circular 2018/3 (“Outsourcing”) requires due diligence on the provider, a documented risk analysis, contractual safeguards, an inventory of outsourcing relationships, audit and inspection rights for both the institution and FINMA, business-continuity planning and a workable exit. FINMA Circular 2023/1 (“Operational risks and resilience – banks”), in force since 1 January 2024, adds the concept of “critical data” requiring enhanced protection, and the Swiss Bankers Association’s Cloud Guidelines (third edition, 2025) and its guidance on handling data in day-to-day business operationalise these expectations for cloud deployments. FINMA Guidance 03/2024 sets out its expectations on cyber-incident reporting.

Artificial intelligence — now a core production factor in FinTech — sits inside this same framework. Switzerland decided in February 2025 against a horizontal “AI Act”, opting instead for a technology-neutral, sector-specific approach anchored in existing law and the Council of Europe’s Framework Convention on Artificial Intelligence. For supervised institutions, FINMA Guidance 08/2024 (December 2024) is the practical reference point: it creates no new substantive law but operationalises existing governance, risk-management, outsourcing and — expressly — data protection duties for AI-driven processes, from data quality and testing to explainability and independent review. In practice, a DPIA under Art. 22 revFADP and an AI risk assessment under the FINMA guidance will often address the same system from two regulatory angles, and are best run as a single, integrated exercise rather than as parallel workstreams.

Finally, the regulatory perimeter itself is moving. In October 2025 the Federal Council opened a consultation on amendments to the Financial Institutions Act aimed at strengthening Switzerland’s framework for FinTech businesses, the issuance of stablecoins and the provision of crypto-asset services. Together with the existing distributed-ledger-technology framework for tokenised securities, this signals continued openness to innovation — but on terms that keep data governance, operational resilience and client protection firmly in view.

Enforcement and Personal Exposure

The FDPIC supervises compliance and, under the revFADP, may now open formal investigations (Art. 49 et seq.) and issue binding orders — including an order to stop or adapt a processing activity. The FDPIC itself cannot impose fines. Instead — and this is the feature that most surprises international operators — the criminal sanctions of the revFADP (Art. 60–64) are addressed to responsible individuals, not primarily to the company.

Wilful breaches of certain specified duties — such as the duties to inform, to provide information on request, to observe the minimum data-security requirements and to ensure safeguards for data transfers abroad — can lead to fines of up to CHF 250,000 imposed by the cantonal prosecution authorities. These offences are generally prosecuted only upon complaint, which must be filed within three months of the complainant learning of both the violation and the identity of the responsible person; only contraventions committed within an FDPIC procedure (for instance, refusing to cooperate with an investigation) are prosecuted ex officio. Notably, breaches of the general processing principles, and the failure to notify a data breach, are not in themselves criminally sanctioned — a structural quirk that does not, however, lessen the civil and reputational exposure.

A separate professional-secrecy offence (Art. 62 revFADP) penalises the wilful disclosure of secret personal data learned in the course of a profession, again with a fine of up to CHF 250,000 — of obvious relevance where financial data is involved. The enterprise itself may be fined up to CHF 50,000, but only where identifying the responsible individual would require disproportionate investigative effort. The practical exposure is therefore aimed squarely at management. Civil claims for injunction, removal and damages remain available to affected data subjects, and the reputational cost of a public FDPIC procedure can far outweigh any monetary fine.

Practical Takeaways for FinTech Providers

  1. Check your extraterritorial exposure. If you target or monitor individuals in Switzerland, the revFADP applies — and a Swiss representative under Art. 14 may be mandatory.
  2. Map your processing and run the DPIA early. Treat it as the default for any new-technology or AI-driven feature, and keep the documentation for at least two years after processing ends.
  3. Design profiling and automated decisions for compliance. Obtain express consent for high-risk profiling, respect the Art. 30 credit-check limits, and build in human review and clear notices for automated decisions.
  4. Make data security real. Implement and evidence effective technical and organisational measures; do not rely on user self-declaration or unverified partner assurances.
  5. Integrate, do not duplicate. Align the Art. 22 DPIA, the FINMA outsourcing analysis and any FINMA AI risk assessment into a single governance workflow.
  6. Paper your cloud and AI contracts. Address data location and transfer safeguards (including DPF certification status), audit rights, sub-processor approval, critical-data protection and exit arrangements.
  7. Allocate responsibility consciously. Because criminal exposure falls on individuals, define clearly who owns data protection at management level.
  8. Consider certification. Art. 13 certification can relieve the DPIA burden and serve as a market trust signal.

Conclusion

Swiss data protection law now demands a genuine “privacy by design / privacy by default” posture from FinTech providers, underpinned by a properly conducted DPIA, sharpened by specific rules on profiling, credit checks and automated decisions, and backed by enforceable orders and personal criminal liability. Read together with FINMA’s outsourcing, operational-resilience and AI expectations — and with a regulatory perimeter that continues to expand towards stablecoins and crypto-asset services — the message is consistent: Switzerland remains an open and innovation-friendly jurisdiction, but it rewards firms that build compliance into their architecture from the outset, and exposes those that do not.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
