ARTICLE
8 May 2025

Data Protection & Cybersecurity

Bär & Karrer

Contributor

Bär & Karrer is a renowned Swiss law firm with more than 170 lawyers in Zurich, Geneva, Lugano and Zug. Our core business is advising our clients on innovative and complex transactions and representing them in litigation, arbitration and regulatory proceedings. Our clients range from multinational corporations to private individuals in Switzerland and around the world.
Switzerland Privacy

1. Please provide an overview of the legal and regulatory framework governing data protection, privacy and cybersecurity in your jurisdiction (e.g., a summary of the key laws; who is covered; what sectors, activities or data do they regulate; and who enforces the relevant laws).

In Switzerland, data protection, privacy and cybersecurity are primarily governed by the Swiss Federal Act on Data Protection of 25 September 2020 (Data Protection Act, FADP), together with the Swiss Federal Ordinance on Data Protection of 31 August 2022 (Data Protection Ordinance, FODP), both effective since 1 September 2023. Although the FADP is aligned with the EU GDPR in many respects, it has not simply adopted its provisions on a one-to-one basis. Organizations operating in both the EU and Switzerland must therefore keep in mind the specificities of Swiss data protection regulations.

The FADP applies to the processing of personal data of natural persons by private persons and federal bodies. Cantonal or communal authorities follow their own cantonal data protection laws, which also extend to private companies only if they perform a public service mandate. The FADP may have extraterritorial effect on controllers and processors established outside Switzerland when their processing activities have an effect in Switzerland (e.g., if they process personal data of a larger number of individuals located in Switzerland).

Additional sectoral rules apply to areas such as banking, insurance, and telecommunications. Financial institutions regulated by the Swiss Financial Market Supervisory Authority (FINMA) must meet stringent confidentiality and cyber- and information-security obligations.

The Federal Data Protection and Information Commissioner (FDPIC) is responsible for enforcing the FADP, conducting investigations, and issuing recommendations. In serious cases, administrative or criminal sanctions may be imposed by the competent criminal prosecution authorities on individuals (particularly against individuals who, for example, intentionally obstruct investigations or unlawfully disclose personal data). At the cantonal level, cantonal data protection authorities may hold competence over public bodies in their respective cantons.

Switzerland does not have a single comprehensive cybersecurity act but instead relies on various laws and regulations. Criminal offences involving unauthorised access to IT systems, hacking and malware are primarily addressed by the Swiss Federal Criminal Code (SCC), which criminalises computer misuse, data theft and related offences. The Swiss National Cyber Strategy, first adopted in 2012 and updated periodically, sets strategic objectives and encourages public-private cooperation to enhance cybersecurity. The National Cyber Security Centre (NCSC) monitors cyberthreats and works closely with industry to improve cyber resilience. Operators of critical infrastructure — including those in the energy, telecommunications, defence, and related sectors — are subject to additional obligations regarding risk assessments and the reporting of information security incidents to the NCSC. In finance, FINMA Circulars impose duties to maintain adequate IT security systems and to notify FINMA of cyber incidents.

2. Are there any expected changes in the data protection, privacy or cybersecurity landscape in 2025 - 2026 (e.g., new laws or regulations coming into effect, enforcement of such laws and regulations, expected regulations or amendments)?

Switzerland's revised FADP only recently took effect in September 2023. Further, since January 2024, the new Information Security Act (ISA) is in force, which consolidates the key legal foundations for the security of the federal government's information and IT resources into a single law. A key provision, which came into effect on 1 April 2025, is the mandatory reporting of cyberattacks on critical infrastructure. Operators of critical infrastructure are required to report cyberattacks to the National Cyber Security Centre (NCSC) within 24 hours of discovery. See Q40 for additional information.

At present, no overarching new legislation in the area of data protection, privacy or cybersecurity has been announced for 2025 – 2026. However, there may be further refinements or regulatory guidance within this timeframe, partly in response to ongoing developments at both EU and international levels (for instance, in connection with changes in cross-border data transfer frameworks).

3. Are there any registration or licensing requirements for entities covered by these data protection and cybersecurity laws, and if so what are the requirements? Are there any exemptions? What are the implications of failing to register / obtain a licence?

In Switzerland, there is no general registration or licensing requirement under the FADP. In other words, private companies that process personal data are not required to formally register with, or obtain a licence from, the Federal Data Protection and Information Commissioner (FDPIC) simply on account of processing personal data.

Unlike under the EU GDPR, only federal bodies must appoint a data protection officer (DPO). For private companies, appointing a DPO is voluntary. However, if a private company wishes to avoid the obligation to notify the FDPIC of its data protection impact assessment outcomes, it must appoint and register a DPO with the FDPIC. In addition, the revised FADP requires data controllers, with the exception of SMEs with fewer than 250 full-time employees, to maintain internal records of their data processing activities.

4. How do the data protection laws in your jurisdiction define "personal data," "personal information," "personally identifiable information" or any equivalent term in such legislation (collectively, "personal data")? Do such laws include a specific definition for special category or sensitive personal data? What other key definitions are set forth in the data protection laws in your jurisdiction (e.g., "controller", "processor", "data subject", etc.)?

Similar to the definition set out in the EU GDPR, the FADP defines "personal data" as any information relating to an identified or identifiable natural person. "Sensitive personal data" is defined slightly more broadly than under the EU GDPR, encompassing information relating to religious, philosophical, political, or trade union-related views or activities, health, the intimate sphere or affiliation to a race or ethnicity, genetic data, biometric data that uniquely identifies a natural person, details about administrative or criminal proceedings or sanctions, and data relating to social assistance measures.

Furthermore, the FADP defines a "data subject" as a natural person whose personal data is processed.

"Processing" refers to any operation with personal data, regardless of the means or procedures used, and includes in particular the collection, recording, storage, use, modification, disclosure, archiving, deletion, or destruction of such data. The term "disclosure" denotes transmitting or making personal data accessible, while the "controller" is any private person or federal body that alone or jointly with others decides on the purpose and means of the processing, and the "processor" is any private person or federal body that processes personal data on behalf of the controller.

The FADP also defines "profiling", "high-risk profiling", "data security breach", and "federal body".

5. What principles apply to the processing of personal data in your jurisdiction? For example: is it necessary to establish a "legal basis" for processing personal data?; are there specific transparency requirements?; must personal data only be kept for a certain period? Please provide details of such principles.

The FADP encompasses several core principles relating to the processing of personal data. First, the law requires that personal data be processed lawfully (principle of legality), in good faith (principle of good faith), and in accordance with the principle of proportionality, meaning that data may only be processed in a manner that is suitable, required, and necessary to achieve the intended purpose. The processing must therefore be limited to the minimal amount of data and the shortest duration necessary to achieve the specific purpose. While not explicitly mentioned, the principle of good faith is understood to encompass transparency. Data controllers must thus ensure that data subjects know how, why, and by whom their personal data is processed, including any disclosures to third parties. Under the FADP, contrary to the EU GDPR, data subjects must also be informed about the recipient countries to which their data is transferred, together with any safeguards or statutory exceptions relied upon.

Additionally, personal data may only be collected for a specific purpose that is evident to the data subject (principle of purpose limitation), and the data must not be processed in a way that is incompatible with that purpose. Further, every appropriate measure must be taken to ensure personal data is accurate (principle of data accuracy). In keeping with that principle, any data found to be inaccurate or incomplete in light of its processing purpose must be corrected, deleted, or destroyed.

In conceptual contrast to the EU GDPR, which requires a specific legal basis for any processing of personal data, the FADP allows data processing without such basis, provided that the controller observes these core principles of data processing. A legal justification becomes necessary only where a breach of these principles occurs. In such cases, the controller must be able to demonstrate an appropriate justification, such as valid consent from the data subject, an overriding private or public interest, or a statutory basis. Notably, Swiss law does not enumerate these justifications as exhaustively as the EU GDPR does in Article 6.

Although the FADP does not impose a strict maximum data retention period, personal data must be deleted or rendered anonymous once it is no longer needed for the purpose for which it was originally collected. Retaining data beyond what is necessary risks infringing the principle of proportionality. Consequently, controllers should adopt clear internal data retention policies detailing how long data is kept and establishing procedures for the secure deletion or anonymization of personal data.

Finally, although not expressly framed as a data processing principle under the FADP, controllers and processors must at all times preserve data security (that is, the confidentiality, integrity, and availability of the data) by implementing appropriate technical and organisational measures (TOMs).

6. Are there any circumstances for which consent is required or typically obtained in connection with the processing of personal data? What are the rules relating to the form, content and administration of such consent? For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?

Under the FADP, consent is generally not required for processing personal data. However, if a controller breaches any of the data processing principles (i.e., lawfulness, proportionality, good faith, purpose limitation, or data accuracy; see question 5 above), the controller must be able to justify its processing activity – for example, by the affected data subject's consent, an overriding private or public interest, or a statutory basis. If a controller elects to rely on consent as the legal basis for processing, the following applies:

  • Freely given, specific, informed: Consent must be given voluntarily and based on clear, comprehensible information regarding the nature, scope and purpose of processing. Data subjects should know what data is processed, why it is processed, how it is used, and whether any transfers occur (including relevant safeguards or exceptions).
  • Form requirements: No strict rule mandates written or signed consent, though verifiable consent is advisable. If a controller relies on consent to process sensitive personal data or conducts high-risk profiling, or if a federal body conducts profiling, such consent must be explicitly given. The same applies where a controller intends to rely on consent as a statutory exception to transfer personal data to a third country or international body that does not guarantee an adequate level of protection.
  • Implied Consent: Permissible if the data subject's intent is clear and the privacy intrusion minimal. The controller must demonstrate that consent was informed.
  • Bundled Consent: Incorporating consent into broader documents (e.g., terms of service) is permissible, provided that data subjects are clearly informed of the specific processing activities to which they are consenting. Multiple separate processing activities should be clearly distinguished.

7. What special requirements, if any, are required for processing particular categories of personal data (e.g., health data, children's data, special category or sensitive personal data, etc.)? Are there any prohibitions on specific categories of personal data that may be collected, disclosed, or otherwise processed?

Because the FADP follows a "risk-based" approach, the processing of sensitive personal data must meet higher standards than the processing of personal data involving lower risks. Article 5 lit. c FADP defines "sensitive personal data" (see also Q4).

Under the FADP, the disclosure of sensitive personal data to third parties is per se considered a violation of personality rights unless justified by the data subject's explicit consent, by law, or by an overriding private or public interest. In practice, such overriding private or public interests rarely exist; thus, explicit consent is the primary legal basis for disclosure in the absence of a specific statutory provision.

Notably, Article 6 para. 7 FADP does not introduce a general obligation to obtain consent for processing sensitive personal data. Instead, it specifies that, if controllers rely on consent as their justification for processing sensitive personal data, the consent must be given explicitly.

Additionally, under the FADP, controllers must conduct a data protection impact assessment (DPIA) where the intended data processing is likely to result in a high risk to the personality or fundamental rights of the data subject. The FADP explicitly recognizes the large-scale processing of sensitive personal data as a high-risk activity that triggers the obligation to conduct a DPIA.

Furthermore, federal authorities must generally only process sensitive personal data where there is a statutory basis in a formal law. A statutory basis in a substantive law is only sufficient as the basis for processing sensitive personal data if the processing is essential for a task required by a formal law and the purpose of processing poses no particular risks to the data subject's fundamental rights.

Although the FADP does not specifically categorize children's data as sensitive, the Federal Data Protection and Information Commissioner (FDPIC) acknowledges the heightened level of protection that must be afforded to children's data. Enhanced protective measures typically include (i) ensuring informed consent is provided by a legal guardian and (ii) presenting privacy information in clear, age-appropriate language and supplemented by visual aids — such as pictograms or symbols — to facilitate understanding by children.

8. Do the data protection laws in your jurisdiction include any derogations, exemptions, exclusions or limitations other than those already described? If so, please describe the relevant provisions.

The FADP does not apply in the following situations:

  • Household exemption: When personal data is processed by a natural person exclusively for personal use.
  • Parliamentary activities: When personal data is processed by the Federal Assembly and parliamentary committees as part of their deliberations.
  • Entities with immunity: When personal data is processed by institutional beneficiaries under Article 2 para. 1 of the Host State Act of 22 June 2007, which enjoy immunity from jurisdiction in Switzerland.

Additionally, data processing and data subject rights in court proceedings and other proceedings governed by federal procedural law are subject to the applicable procedural laws. However, in administrative proceedings of first instance, the FADP applies.

Finally, the FADP does not apply to public registers concerning private law transactions, in particular with respect to access to these registers and data subject rights, where such matters are regulated by specific provisions under applicable federal law. In the absence of such special provisions, the FADP remains applicable.

9. Does your jurisdiction require or recommend risk or impact assessments in connection with personal data processing activities and, if so, under what circumstances? How are these assessments typically carried out?

The FADP requires data controllers to carry out a data protection impact assessment (DPIA) when the intended processing of personal data is likely to result in a high risk to the personality or fundamental rights of the data subjects.

A DPIA is mandatory particularly in situations where sensitive personal data is processed on a large scale, where systematic monitoring of publicly accessible areas takes place, or where new technologies are used in ways that significantly increase risks to individuals. The assessment must evaluate whether the data processing is necessary and proportionate in light of its intended purpose and identify any risks that may arise for the data subjects.

If high risks are identified, the controller must also outline the measures planned to mitigate those risks. In cases where the identified risks cannot be adequately mitigated, the controller is required to consult with the Federal Data Protection and Information Commissioner (FDPIC) before commencing processing, unless the controller previously consulted with its data protection officer (DPO).

Although the FADP does not prescribe a specific format for DPIAs, best practice involves documenting the nature and purpose of the processing, evaluating the necessity and proportionality of the data collection, assessing potential risks, and defining appropriate measures to mitigate those risks. DPIAs should be conducted at an early stage – ideally during the planning and design phase of the processing activity – and must be reviewed and updated where there is a substantial change in the nature, scope, or context of the processing.

The FDPIC has issued a factsheet to assist controllers in complying with Articles 22 and 23 FADP including a flowchart for the preliminary assessment of whether a DPIA must be carried out as well as a template for structuring a DPIA.

Further, the FDPIC provides detailed information on the DPIA (in German, French and Italian) on its website. While the information is primarily aimed at federal bodies, the guidelines are also helpful for private companies.

10. Are there any specific codes of practice applicable in your jurisdiction regarding the processing of personal data (e.g., codes of practice for processing children's data or health data)?

At present, Switzerland does not have binding sector-specific codes of practice (codes of conduct) formally issued or approved by the Federal Data Protection and Information Commissioner (FDPIC) under the law.

11. Are organisations required to maintain any records of their data processing activities or establish internal processes or written documentation? If so, please describe how businesses typically meet such requirement(s).

Yes, under the FADP, organisations are required to maintain records of their data processing activities and establish internal documentation and processes to ensure compliance with data protection obligations.

Specifically, Article 12 FADP mandates both controllers and processors to maintain a register of their processing activities (ROPA) and, if requested, make it available to the Federal Data Protection and Information Commissioner (FDPIC).

Controllers, as a minimum, are obliged to record (i) the identity of the controller, (ii) the purpose of processing, (iii) a description of the categories of data subjects and the categories of processed personal data, (iv) the categories of recipients, (v) if possible, the retention period for the personal data or the criteria for determining this period, (vi) if possible, a general description of the measures taken to guarantee data security, (vii) if data is disclosed abroad, details of the recipient state and the guarantees applied.

The processor's record shall contain (i) information on the identity of the processor and of the controller, (ii) the categories of processing carried out on behalf of the controller, (iii) if possible, a general description of the measures taken to guarantee data security, and (iv) if data is disclosed abroad, details of the recipient state and the guarantees applied.

There is an exemption from the obligation to maintain such records for companies with fewer than 250 employees, provided they are not processing sensitive personal data on a large scale, conducting high-risk profiling, or engaging in processing activities that present a high risk to the data subjects' rights.

While the FADP does not specify a particular format, Swiss organisations typically meet these requirements in practice by adopting templates (e.g., an Excel spreadsheet or Word document) or specialized IT tools – often aligned with the EU GDPR – to maintain their ROPAs.

In addition to maintaining a ROPA, organisations are also expected to document other key compliance processes. These include conducting and retaining records of data protection impact assessments (DPIAs) where required, documenting consent when it is used as a legal basis for processing, establishing written contracts with processors, and implementing internal policies and procedures for handling data subject requests and ensuring data security.

12. Do the data protection laws in your jurisdiction require or recommend data retention and/or data disposal policies and procedures? If so, please describe such requirement(s).

Under the FADP, there is no explicit obligation to adopt formal data retention or data disposal policies. However, the principles embedded in the FADP – in particular, the principles of proportionality (data minimization), purpose limitation and storage limitation – effectively require organisations to implement appropriate practices for retaining and deleting personal data.

The FADP mandates that personal data must only be processed for as long as it is necessary to achieve the purpose for which it was originally collected. Once that purpose has been fulfilled, the data must be either anonymised or deleted, unless a valid legal basis (such as a statutory retention obligation) justifies continued storage. In practice, this implies that organisations must implement internal mechanisms to monitor applicable retention periods and ensure timely and secure disposal of data.

Although the law does not require written data retention or deletion policies, organisations are strongly recommended to implement documented policies and procedures to support compliance with these principles. This includes defining specific retention periods for various categories of personal data, regularly reviewing stored data to assess its necessity, and securely deleting or anonymising data that is no longer required.

In practice, Swiss businesses often integrate these policies into broader data lifecycle or information governance frameworks, supported by technical controls.


Originally published in Legal 500 Country Comparative Guides 2025

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
