Last reviewed: 2026-05-04 · Reviewer: M.K., CIPP/E
Swiss nFADP Federal Data Protection and Information Commissioner

REGULATION · NATIONAL · IN FORCE SINCE 2023

Federal Act on Data Protection (revised)

The EU's baseline privacy law since May 2018. Defines six lawful bases, eight data-subject rights, and fines up to 4% of global annual turnover.

Official text: EUR-Lex · Reviewed 2026-05-05

Scope and territorial reach

Where it applies: 1 jurisdiction (Switzerland)

Seven principles (Article 5)

The constitutional backbone — every processing activity must satisfy all seven simultaneously.

  1. Lawfulness (Art 6(1) nFADP)
     Personal data must be processed lawfully — on a legal basis or with consent for sensitive data / high-risk profiling.

  2. Good faith (Art 6(2) nFADP)
     Processing must be carried out in good faith — no deception, no covert collection, no manipulative dark patterns.

  3. Proportionality (Art 6(2) nFADP)
     Process only what is proportionate to the purpose. Swiss equivalent of GDPR data minimisation, but framed as a balancing test.

  4. Purpose limitation (Art 6(3) nFADP)
     Data may only be processed for purposes stated at collection, evident from the circumstances, or required by law.

  5. Recognizability / transparency (Art 6(3) nFADP)
     Collection must be recognizable to the data subject — covert collection is unlawful unless a legal basis applies.

  6. Accuracy (Art 6(5) nFADP)
     Data must be accurate; the controller must take reasonable measures to correct or erase inaccurate or incomplete data.

  7. Data security (Art 8 nFADP)
     Controllers and processors must ensure security through appropriate technical and organisational measures (TOMs), detailed in DPO/DSV ordinance Art 1–6.

  8. Accountability (Art 24–26 nFADP)
     Document processing activities (Art 12), conduct DPIAs for high-risk processing (Art 22), notify breaches to the FDPIC (Art 24), and demonstrate compliance on demand.

Six lawful bases (Article 6)

You must identify and document one before processing — and consent isn't always the right one.

Consent (Art 6(6) nFADP)
  Free, informed, and (for sensitive data / high-risk profiling) explicit. Default lawful basis for sensitive data and high-risk profiling.
  Common for: sensitive data processing, high-risk profiling, marketing where no other basis fits.

Performance of contract (Art 31(2)(a) nFADP)
  Processing is directly connected with the conclusion or performance of a contract with the data subject.
  Common for: account creation, order fulfilment, invoicing.

Overriding legitimate interest (Art 31(1) + Art 31(2) nFADP)
  The controller has an overriding private or public interest. Grounds explicitly listed in Art 31(2)(b–e) include credit checks, journalism, statistical/research use, and group-wide processing.
  Common for: fraud prevention, security logging, intra-group HR processing, journalism.

Legal obligation (Art 31(2) lit. e nFADP + sectoral law)
  Processing required to comply with Swiss federal or cantonal law (tax, AML/KYC, employment).
  Common for: invoice retention (10 years under Art 958f OR, the Swiss Code of Obligations), AML/KYC, social-insurance reporting.

Vital interests (Art 31(2)(d) nFADP)
  Necessary to protect the life or physical integrity of the data subject or a third party.
  Common for: medical emergencies (rare for web).

Public task / federal body (Art 34 nFADP)
  Processing by a federal body in fulfilment of a statutory task; a separate regime from private-sector processing.
  Common for: government services, public registers.

Eight data-subject rights (Articles 12–22)

What individuals can demand from you, with the response window and scope.

Right | Article | Response | Scope
--- | --- | --- | ---
Right to information at collection | Art 19–20 nFADP | At collection | Controller must proactively inform the data subject at collection: identity, purposes, recipients, foreign disclosure, sources (if indirect collection).
Right of access | Art 25 nFADP | 30 days | Free copy of all personal data processed about the data subject. Extendable per Art 25(7) where the request is complex or delivery requires significant effort.
Right to rectification | Art 32(1) nFADP | 30 days | Correct inaccurate or incomplete data without delay. If accuracy is contested, the controller must mark the data as disputed.
Right to erasure | Art 32(2) nFADP | 30 days | Delete data when no longer needed, processed unlawfully, or the subject withdraws consent. Not absolute: overridden by retention obligations and overriding interests.
Right to data portability | Art 28 nFADP | 30 days | Right to receive data, and request its transmission to another controller, only for data the subject provided, processed by automated means, on the basis of consent or contract. Narrower than GDPR Art 20 in practice (the federal ordinance scope-limits formats).
Right to object | Art 30(2) nFADP | 30 days | Object to processing that is not lawful, proportionate, or in good faith. Unlike GDPR, no separate absolute right to object to direct marketing; handled via the Art 6 lawfulness analysis.
Right to information re: automated decisions | Art 21 nFADP | 30 days | Where a decision is based exclusively on automated processing and has legal effect / significantly affects the subject, the controller must inform and offer human review on request. Narrower than GDPR Art 22: no general prohibition.

Fines & enforcement

Maximum administrative penalty: €20.0M or 4% of global annual turnover (Art 83(5)). Tiered structure: Art 83(4) = 2% / €10M for procedural failures.

  1. 2024-09 · €4k · individual employee (name redacted) · Cantonal court Zurich · CH · Art 61(a) nFADP
     First publicly reported criminal fine under the nFADP: an employee disclosed customer data without authorization. The fine was imposed on the natural person, not the company, illustrating the criminal-individual-liability model. Reported via SWILEX / NZZ.

Sources: national supervisory-authority press releases. Full enforcement database available via CMS Law tracker.

National addons

GDPR is a Regulation — directly applicable, no transposition required. But Member States layer additional rules on top via national acts.

Country | National act | Stricter than GDPR baseline? | Note
--- | --- | --- | ---
🇨🇭 Switzerland (CH) | nFADP / revLPD / nLPD (SR 235.1) + DPO/DSV (SR 235.11) + ordinance on data-protection certifications | Aligned | The federal act applies uniformly across all 26 cantons for the private sector. Cantonal data-protection laws apply only to cantonal public-sector processing, not to businesses.
🇱🇮 Liechtenstein (LI) | DSG-LI (Datenschutzgesetz, in force 1 Jan 2019) | Aligned | Liechtenstein is in the EEA and directly applies the EU GDPR plus the national DSG-LI. Distinct regime from the Swiss nFADP. Mentioned here only because Swiss businesses trading into LI must comply with GDPR, not nFADP.

Common questions

Does the nFADP apply to my non-Swiss business?
Yes if your processing has effects in Switzerland — Art 3(1) nFADP applies the law to processing that has effects in Switzerland regardless of where the controller is established. If you target Swiss residents (CH-language site, .ch domain, CHF pricing, CH delivery) or monitor Swiss users, you are in scope. Foreign controllers in scope must designate a Swiss representative under Art 14 if processing is at-scale or high-risk.
nFADP vs GDPR — what are the key differences?
Five real-world differences. (1) Cookies/non-sensitive analytics default to opt-OUT under nFADP vs strict opt-in under EU ePrivacy. (2) Fines under nFADP are CRIMINAL on the responsible natural person (max CHF 250,000), not administrative on the company — no 4%-of-turnover regime. (3) Enforcement is investigation-and-recommendation-led; FDPIC must refer to court for binding orders. (4) Profiling has a Swiss-specific 'high-risk profiling' tier triggering explicit consent (Art 5(g) nFADP). (5) Right to portability (Art 28) is narrower than GDPR Art 20.
What's the maximum fine under nFADP?
CHF 250,000 — but that's a CRIMINAL fine, imposed by a cantonal criminal court on a natural person (the executive, DPO, or employee responsible), not an administrative fine on the company. There is no GDPR-style 4%-of-turnover regime. Triggering offences are listed in Art 60–63 nFADP and include intentional violation of duty to inform, duty of care, breach of professional secrecy, and disregard of FDPIC orders.
Why are nFADP fines on individuals, not companies?
Switzerland's parliament chose the criminal-law model deliberately. Corporate criminal liability under Art 102 of the Swiss Criminal Code only kicks in if an individual perpetrator cannot be identified due to organisational fault. In data-protection cases the responsible person is almost always identifiable (executive, DPO, employee), so corporate liability rarely activates. Practical effect: leadership has direct skin in the game; companies cannot 'budget' fines as cost-of-business.
Do I need a Swiss representative?
Yes if you are a foreign controller AND your processing meets ALL of these (Art 14 nFADP): (1) targets data subjects in Switzerland, (2) is connected with offering goods/services or monitoring behaviour, (3) is large-scale, AND (4) presents a high risk to data subjects. Most pure-play SaaS with a few CH users will not need one. The representative must be domiciled in Switzerland and listed in your privacy notice.
Cookie consent — opt-out under nFADP, opt-in under EU?
For non-sensitive analytics: yes, the Swiss regime is more permissive. nFADP works on a transparency + objection model (Art 6, 19, 30) — disclose what you collect, let the user object. There is no Swiss equivalent of EU ePrivacy Art 5(3) requiring prior opt-in for cookies. BUT: sensitive data processing (Art 5(c)) and high-risk profiling (Art 5(g)) still require explicit opt-in consent. And if your site also targets EEA users, you must apply the stricter EU rule to those visitors.
Swiss-US Data Privacy Framework — what's covered?
The Swiss-US Data Privacy Framework took effect 15 September 2023, separate from the EU-US DPF (which took effect 10 July 2023). It restores adequacy for transfers from Switzerland to DPF-certified US recipients — including all the major Google, Meta, AWS, Microsoft entities. Verify a vendor is listed at dataprivacyframework.gov BEFORE relying on DPF for the disclosure-abroad analysis under Art 16 nFADP. Non-DPF US vendors still require Swiss SCCs + transfer-impact analysis.
DPF and nFADP — adequacy status?
Switzerland's Federal Council recognises the US under the Swiss-US DPF as providing adequate protection (Annex 1 of the DPO/DSV ordinance, updated 14 Aug 2023). This is the Swiss legal basis for transfers under Art 16(1) nFADP without further safeguards — only for DPF-certified recipients, only for the certified data categories, and only as long as the certification stays active.
Does Switzerland still have EU adequacy?
Yes. The European Commission's 2000 adequacy decision for Switzerland remains valid (re-examined under GDPR Art 45 in 2024, with renewed favourable opinion expected). Practically: EU controllers can transfer data to Switzerland without SCCs. The reciprocal Swiss-side recognition of EEA states is in DPO/DSV Annex 1. Both directions of EU↔CH transfers operate on adequacy, not SCCs.
Does nFADP apply across all 26 cantons or do cantons have their own laws?
The nFADP is federal law and applies uniformly to all PRIVATE-SECTOR processing across Switzerland — no cantonal variation, no German-style Land-level enforcement quirks. Cantonal data-protection laws exist but apply ONLY to processing by cantonal and municipal public bodies. For a Swiss business, the FDPIC (federal) is the single relevant authority and the nFADP is the single relevant law.