ARTICLE
17 June 2025

Swiss Data Protection: Almost Two Years In – What Have We Learned?

FP
FABIAN PRIVACY LEGAL GmbH

Contributor

FABIAN PRIVACY LEGAL GmbH logo
We are a boutique law firm specializing in data, privacy and data protection laws and related issues, information security, data and privacy governance, risk management, program implementation and legal compliance. Our strengths are the combination of expert knowledge and practical in-house experience as well as a strong network with industry groups, privacy associations and experts around the world.
Explore Firm Details
It's been almost two years since the revised Federal Act on Data Protection (FADP) came into force on September 1, 2023...
Switzerland Privacy
Daniela Fabian

It's been almost two years since the revised Federal Act on Data Protection (FADP) came into force on September 1, 2023—a major milestone for privacy in Switzerland. In this article series, we take a practical look back at the key takeaways from the law and its implementation so far.

We'll be publishing a new article every 3 to 4 days, each one highlighting the key points on the following topics:

  1. What privacy laws govern data protection in Switzerland?
  2. What counts as personal data under the FADP?
  3. What is the cornerstone of personal data processing in Switzerland?
  4. Does the FADP require a legal basis for data processing?
  5. Must processing activities be recorded internally?
  6. What privacy rights do individuals have under the FADP?
  7. Is appointing a Data Protection Officer mandatory under the FADP?
  8. What rules must be followed when appointing a processor?
  9. Do you need consent for electronic direct marketing?
  10. Are cookies and tracking technologies regulated by consent requirements?
  11. Can personal data freely cross borders, or are there limitations?
  12. How much transparency is required when processing personal data?
  13. What security measures are organisations required to take to secure personal data and prevent cybersecurity incidents?
  14. Data breach in Switzerland – here is what you must do – fast
  15. What are the penalties for violating Swiss data protection laws?

At FABIAN PRIVACY LEGAL GmbH, we've guided a wide range of clients – from multinational corporations and fast-moving start-ups to SMEs and federal authorities – through the challenges of aligning with the new rules. If you are looking for expert support in privacy, data protection, data governance, cybersecurity, artificial intelligence and related areas, we're here to help.

For a more detailed overview of Swiss data protection legislation, you may also consult our contribution to the ICLG Data Protection Laws and Regulations Report 2024-2025 here.

Now let's start with Part 1:

What privacy laws govern data protection in Switzerland?

In this first part of our series, we explore what privacy laws govern data protection in Switzerland, to whom they apply and who is responsible for ensuring compliance.

Main privacy legislation in Switzerland

The cornerstone of Swiss data protection law is the Federal Act on Data Protection (FADP), which was fully revised and came into force on 1 September 2023. The FADP governs the processing of personal data by private-sector organisations and federal bodies. The FADP is complemented by the Ordinance on Data Protection and the Ordinance on Data Protection Certification. The authority overseeing compliance with the FADP is the Federal Data Protection and Information Commissioner (FDPIC).

The processing of personal data by cantonal and communal authorities is governed by cantonal data protection laws. The application of these laws is overseen by the cantonal data protection authorities.

Does the FADP apply to foreign companies?

The FADP has an extraterritorial scope, meaning that it applies to activities that have an effect in Switzerland, even if they are initiated abroad. Organisations established outside Switzerland may therefore also be subject to the FADP if they process the personal data of Swiss residents.

Private controllers established outside Switzerland that process the personal data of persons in Switzerland must appoint a representative in Switzerland if the processing:

  • is related to the offering of goods or services to or the monitoring of the behaviour of persons in Switzerland,
  • is on a large scale,
  • is carried out regularly, and
  • poses a high risk to the personality of the data subjects.

The representative serves as a contact point for data subjects and the FDPIC, and its name and address must be published by the controller.

Other laws that impact data protection

The Swiss Federal Act on Information Security applies to federal and cantonal authorities and to private-sector operators of critical infrastructure, such as energy & drink water supply, waste disposal, finance, healthcare, information & communication, food & drink, transport, traffic, safety and security.

Certain general laws also have an impact on data protection, such as the Federal Act on Unfair Competition, which contains regulations on direct marketing, and the Telecommunications Act, which regulates the use of cookies.

Furthermore, there are several sector-specific laws that contain dispositions on data protection, for example in the medical sector (Federal Act on Research Involving Human Beings, Federal Act on the Electronic Patient Record, etc.), or in the financial sector (Federal Banking Act, Federal Act on Financial Institutions, etc.).

In part 2 of our series, we will explore the definition of personal data under the FADP.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Daniela Fabian
Daniela Fabian
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More