Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting Switzerland. Switzerland's nFADP is non-EU but harmonized with GDPR; the opt-out baseline plus individual criminal liability define the local twist.
Applicable laws
The legal framework that governs personal data processing here.
National addons
Country-specific statutes layered on the EU baseline.
- Art 10 Data Protection Advisor — recommended for private controllers, mandatory only for federal bodies (no headcount threshold equivalent to BDSG § 38)
- Art 14 Representative — non-Swiss controllers that regularly process Swiss personal data at significant scale must designate a representative in Switzerland
- Art 19-21 Information duties + automated decision-making — transparency and a right to human review
- Art 22 Data Protection Impact Assessment — required for high-risk processing
- Art 24 Breach notification — to FDPIC as soon as possible (no 72-hour hard deadline as in GDPR)
- Art 26-27 Employee data — processing limited to suitability for the position or performance of the contract; read alongside Code of Obligations Art 328b
- Art 60-66 Criminal provisions — intentional breaches of information, access, security, or duty of care punishable by fines up to CHF 250,000 imposed on the responsible natural person
- FMG Art 45c Processing of data on third-party equipment (cookies) — information duty + opt-out, not prior consent (Telecommunications Act, not the nFADP)
- UWG Art 3(1)(o) Email/SMS mass marketing — prior consent, sender identification and a free opt-out required (Unfair Competition Act, not the nFADP)
Regulators
Supervisory authorities that interpret and enforce privacy law here.
State / Land DPAs · 1 authority
| Land / state | Authority | Note |
|---|---|---|
| Cantonal data-protection commissioners | Various | Each canton has its own commissioner for cantonal/communal public bodies. Private-sector controllers are supervised exclusively by the federal FDPIC. |
Coordination body
- 2023-09-01 · nFADP entry into force — Joint privatim/FDPIC guidance on transition: existing processing must be brought into line; no grace period.
- 2023-09-15 · Swiss-US Data Privacy Framework — Federal Council recognized adequacy for Swiss-US DPF-certified US importers — transfers permissible without further safeguards while certification is in force.
- 2024-06 · AI and personal data — FDPIC position paper on AI systems and nFADP — transparency, purpose limitation, and human-review obligations apply.
Notable enforcement
FDPIC enforcement is recommendation-based, not fine-based. Under both the old and the new FADP, the regulator opens investigations, issues recommendations, and (since nFADP) can issue binding orders, but it cannot levy administrative fines on companies. Criminal fines up to CHF 250,000 are imposed by cantonal prosecutors on the responsible natural person — typically the controller's executive or its data protection advisor (Art 10) — for intentional violations of information, access, security, or due-care duties. As a result, no major company-level fines comparable to GDPR enforcement have been published; the FDPIC's leverage is reputational and procedural. Notable investigations include Tamedia (data-broker subsidiary practices) and several Swiss banks on cross-border data sharing.
GA4 status
GA4 is acceptable on Swiss-targeted sites under the nFADP opt-out baseline — informed users with a refusal option satisfy FMG Art 45c. Transfers to Google's US servers are covered by the Swiss-US Data Privacy Framework (recognized 15 Sep 2023) while Google LLC remains DPF-certified. CrUX and aggregate measurement are permissible. Note: if your site also targets the EU, the stricter EU opt-in regime applies in parallel — most multilingual operators run a single GDPR-grade banner anyway.
| DPA | Stance |
|---|---|
| FDPIC | Permissive — opt-out information notice + DPF acceptable; recommendation-based posture overall. |
Cross-border transfers + Schrems II
Switzerland's adequacy from the EU has been intact since 2000 and was re-confirmed in the 2024 periodic review under GDPR Art 45(3). For transfers from Switzerland to the United States, the Swiss-US Data Privacy Framework has been recognized by the Federal Council since 15 September 2023 — Swiss controllers can rely on it for DPF-certified US importers without additional safeguards while certification is in force. Outside DPF, Swiss controllers use the SCCs adapted with the FDPIC's Swiss-finish addendum, plus a TIA. The FDPIC is markedly less aggressive than German Länder DPAs on TIA review.
FDPIC accepts the EU 2021/914 SCCs with the Swiss-specific amendments published by FDPIC in August 2021 (references to GDPR/EU law replaced or supplemented with FADP/Swiss equivalents).
Employee data
Key thresholds
Vendor signals
Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.
Analytics tools · 12 · 6 green · 5 yellow · 1 red
| Vendor | Status | Rationale |
|---|---|---|
| | GREEN | Cookieless by design. EU-routed via Cloudflare. No DPA (data processing agreement) required for Lite tier (no PII). |
| | GREEN | Self-hosted on your infrastructure. Full data control, configurable IP anonymisation. Meets every jurisdiction with cookieless config. |
| | GREEN | EU-hosted with cookieless mode available. With cookies disabled, it qualifies for the §25(2) exception in Germany. |
| | GREEN | German-hosted, cookieless, GDPR-aligned by design. |
| | GREEN | EU-hosted, no cookies, no PII processed. ePrivacy-exempt for cookieless tracking. No banner required. |
| | GREEN | Open-source, cookieless, fully self-hostable. Default-green when self-hosted. |
| | YELLOW | Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation. |
| | YELLOW | EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain. |
| | YELLOW | nFADP allows an opt-out baseline. DPF compliance is still needed for transfers. |
| | YELLOW | Less strict than EU — opt-out acceptable. |
| | YELLOW | EU cloud helps, but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green. |
| | RED | Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimization. |
Consent management platforms · 5 · 5 green · 0 yellow · 0 red
| Vendor | Status | Rationale |
|---|---|---|
| | GREEN | Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify your manual scripts also gate. |
| | GREEN | Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan. |
| | GREEN | Open-source, self-hosted. No managed updates — site owner maintains vendor list. |
| | GREEN | GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch — verify per-region defaults. |
| | GREEN | German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites. |
Tag managers · 1 · 0 green · 1 yellow · 0 red
| Vendor | Status | Rationale |
|---|---|---|
| | YELLOW | Container only — verdict depends on which tags fire and when. Block until consent. Server-side GTM in EU recommended. |
Session replay · 3 · 0 green · 3 yellow · 0 red
| Vendor | Status | Rationale |
|---|---|---|
| | YELLOW | — |
| | YELLOW | — |
| | YELLOW | — |
Ad pixels · 3 · 0 green · 0 yellow · 3 red
| Vendor | Status | Rationale |
|---|---|---|
| | RED | Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set. |
| | RED | Schrems II concerns persist; advanced matching hashes PII but does not fix the EU→US transfer problem. |
| | RED | PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required. |
Server-side · 3 · 2 green · 1 yellow · 0 red
| Vendor | Status | Rationale |
|---|---|---|
| | GREEN | EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic. |
| | GREEN | EU server containers handle the routing — but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings. |
| | YELLOW | "EU server" ≠ EU data — clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party routing. |
Common questions
Does the nFADP apply to non-Swiss companies?
What's the difference between Swiss opt-out and EU opt-in for cookies?
Can companies be fined under nFADP?
Is the Swiss-US Data Privacy Framework in force?
How does FDPIC enforce the nFADP?
Is Switzerland's EU adequacy still intact?
Do I need a Swiss DPO?
Do I need a Swiss representative under Art 14?
What about email marketing in Switzerland?
How does Swiss employee monitoring law affect analytics?
EDITORIAL · NOT LEGAL ADVICE. This page summarises Switzerland's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and DPA position. For binding interpretation, consult counsel admitted here.