Back to overview
FADPFinesFDPIC

Data Protection Fines in Switzerland: Who Gets Punished — and for What

The Swiss data protection act threatens fines of up to CHF 250,000 — but who actually imposes them, and who do they hit? The surprising answer: not the FDPIC, and not the company. What is actually punishable, which cases have become public so far, and where the real risk lies in everyday web practice.

Aiara Team··8 min read
Data Protection Fines in Switzerland: Who Gets Punished — and for What

«Fines of up to 250,000 francs — so the FDPIC hands those out the way EU authorities hand out their GDPR millions?» That is roughly how the conversation sounds in many Swiss boardrooms when data protection comes up. Both assumptions are wrong: the FDPIC cannot impose fines at all, and the fine does not hit the company either. Anyone who understands how the sanctions of the Swiss Federal Act on Data Protection (FADP) actually work can assess their own risk realistically — without panic, but also without false complacency. This article explains who gets punished in Switzerland and for what, what has actually happened since the revised act entered into force, and which mistakes in everyday web practice create the greatest risk.

For the fundamentals of the act itself, see our FADP guide and the article «The nDSG Explained».

The most important clarification: the FDPIC does not impose fines

The Federal Data Protection and Information Commissioner (FDPIC) cannot impose fines — the Federal Act on Data Protection (FADP, SR 235.1) simply does not give him that instrument. What the FDPIC can do is nevertheless drastic: he opens investigations ex officio or following reports, and since the revision of the act he issues binding rulings. With these he can order that a data processing operation be adjusted, suspended or terminated entirely, or that data be deleted or destroyed — in effect, genuine processing bans. Rulings of general interest are also published, naming the company.

The fines themselves are imposed by the cantonal prosecution authorities — public prosecutors or, depending on the canton, district governor's offices. The FADP explicitly assigns the prosecution and adjudication of its criminal provisions to the cantons (Art. 65 FADP). The FDPIC may file a criminal complaint and exercise the rights of a private claimant in the proceedings — nothing more.

Three requirements further limit the risk of a fine:

  • Criminal complaint: The offences under Art. 60–62 FADP are prosecuted only upon complaint — typically by the person whose rights were violated. No complaint, no proceedings. The single exception: disregarding an FDPIC ruling (Art. 63 FADP) is prosecuted ex officio.
  • Intent: Only intentional conduct is punishable. Negligence — the accidental omission, the sloppy form — goes unpunished. But beware: conditional intent suffices. Anyone who knows something is wrong and consciously accepts it is acting intentionally.
  • Natural persons: The addressee of the fine is not the firm but the human being responsible for the violation.

Who the fine hits: people, not companies

The fine targets the responsible natural person — in an SME typically the managing director, in larger organisations the executive who took the decision, and in individual cases specialists such as in-house counsel or data protection officers. The legislator constructed it this way deliberately: a fine against the company account can be priced in; criminal proceedings against your own person cannot.

The only exception is Art. 64 FADP: where a fine of no more than CHF 50,000 is at stake and identifying the punishable individual within the company would require disproportionate investigative effort, the authority may refrain from prosecuting individuals and instead order the business to pay the fine. This is meant as a simplification for the authorities, not as a shield for management — where responsibility is clearly attributable, personal liability remains.

Whether an employer may cover a fine imposed on an employee is legally disputed. Nobody should rely on it: the criminal proceedings themselves — questioning, lawyers' fees, a file with your name on it — are borne by the person concerned in any event.

What fines exist for: the catalogue of offences in Art. 60–63 FADP

Four groups of violations are punishable — all carrying fines of up to CHF 250,000, all requiring intent:

  • Violation of the duties to inform, to provide access and to cooperate (Art. 60 FADP): Anyone who intentionally fails to inform data subjects when collecting data, or informs them falsely — the privacy policy is the main use case here — commits an offence. The same applies to anyone who responds to an access request with false or incomplete information, or who refuses to cooperate in an FDPIC investigation or provides false information there. A peculiarity of the right of access: under the prevailing reading, simply ignoring an access request is not punishable — responding and intentionally providing false or incomplete information is. With the duty to inform, by contrast, the complete omission is punishable as well.
  • Violation of duties of care (Art. 61 FADP): This covers disclosing personal data abroad contrary to the statutory requirements, handing processing over to a service provider without meeting the requirements of Art. 9 FADP — think missing data processing agreement — and disregarding the minimum data security requirements issued by the Federal Council.
  • Violation of professional confidentiality (Art. 62 FADP): Anyone who intentionally discloses secret personal data of which they gained knowledge while exercising their profession is fined upon complaint. This provision reaches considerably further than the classic professional secrecy of doctors or lawyers — it covers virtually any professional activity.
  • Disregarding rulings (Art. 63 FADP): Anyone who intentionally fails to comply with a ruling of the FDPIC or a decision of the appeal courts is fined ex officio. This is the lever that gives the FDPIC's rulings teeth: the ruling itself costs nothing — disregarding it costs up to CHF 250,000.

FADP and GDPR: two completely different sanction logics

The EU General Data Protection Regulation fines companies; the Swiss FADP punishes people — that is the core difference. Under the GDPR, the supervisory authorities directly impose administrative fines on the undertaking: up to EUR 20 million or 4 percent of worldwide annual turnover, whichever is higher. Negligent violations can be sanctioned too, and no criminal complaint is required.

The Swiss model is a criminal-law model: cantonal criminal proceedings, an intent requirement, complaint-based offences, personal responsibility. The amounts are smaller and the procedural hurdles higher — but the risk is strictly personal. For Swiss companies with EU customers, both regimes tend to apply in parallel: the GDPR for processing with an EU connection, the FADP for everything. We have laid out the details of both frameworks in our FADP guide and our GDPR guide.

What has actually happened so far

Since the revised FADP entered into force on 1 September 2023, only a few fines have become public — and the known amounts are small. One publicly documented case: the Statthalteramt of the District of Zurich issued a summary penalty order dated 4 March 2025 fining an in-house counsel of TX Group AG CHF 600 (plus CHF 430 in costs) — for intentionally providing false or incomplete information in response to an access request (Art. 60 para. 1 let. a FADP). The penalty order was not legally binding when it became public; the person concerned filed an objection. In addition, commercial law firms report first legally binding fines for intentional violations of the duty to provide access — all below CHF 1,000 including costs, none officially published.

Far more visible is the supervisory activity of the FDPIC. On his rulings page he publishes concluded investigations naming the companies involved: against Cembra Money Bank AG (January 2025, deadlines and scope of responses to access requests), against Inkasso-Team AG (April 2025, online publication of debtor data), and in April 2026 against two companies connected to the fashion brand Philipp Plein (processing principles, deletion and objection rights). In his 2024/2025 activity report, the FDPIC moreover announces stepped-up action against violations — with roughly 30 percent more staff in supervision.

The honest assessment is therefore this: the practical danger today lies less in a spectacular fine than in three other consequences. First, in the FDPIC investigation itself — it ties up resources, may end with a published ruling bearing the company's name, and via Art. 63 FADP creates a genuine fine risk for the future. Second, in reputational damage: a published ruling or a media report about data protection proceedings lingers far longer than any fine. Third, in civil claims by data subjects, from access and deletion actions to claims for satisfaction. And not to forget: even a CHF 600 fine means criminal proceedings against a specific person — with everything that entails.

Which mistakes in the web context create the greatest risk

Three situations from everyday website practice lead most directly into the criminal provisions and the supervisor's focus:

First: the false or missing privacy policy. Art. 60 FADP criminalises both the failure to inform and false information. The most delicate case is the copied template that does not match the actual setup: anyone who knows that analytics and marketing services are running on the website that never appear in the policy, and deliberately leaves it that way, is moving towards conditional intent — and documenting the contradiction themselves.

Second: ignored or wrongly answered access requests. The only publicly documented fine case to date concerns precisely this duty, and the first published FDPIC ruling against a company also revolved around access request deadlines. The remedy is unspectacular: one responsible person, one response template, the 30-day deadline in view.

Third: tracking without transparency and without consent where it is required. Cookies and tracking services that are disclosed nowhere violate the duty to inform; with high-risk profiling or visitors from the EU, there is hardly a way around genuine consent. This is exactly where the review criteria the FDPIC uses for its supervision come in — we have broken them down in our article on the risk radar based on FDPIC Annex A. If you want to know where your own website stands, you can check it with the free website scanner: it shows which cookies and services are actually running — the foundation for a privacy policy that matches reality.

Conclusion: small fines, real personal risk

The Swiss sanction system is no GDPR clone: the FDPIC investigates and issues rulings, while fines come from the cantonal prosecution authorities — upon complaint, only for intentional conduct, and against the responsible person rather than the firm. The fines known so far are small and the number of cases manageable. All-clear would still be the wrong conclusion: the FDPIC is visibly expanding its supervision, published rulings hit reputations, and the criminal risk is borne personally by management.

The good news: the duties that create the greatest risk in the web context can be secured systematically. With Aiara, your privacy policy and cookie banner stay automatically in sync with what is actually running on your website — the cookie scanner keeps verifying it. That eliminates precisely the contradiction between paper and reality that weighs heaviest when it matters.

Frequently Asked Questions

Can the FDPIC impose fines?

No. The Federal Data Protection and Information Commissioner (FDPIC) investigates violations and can issue binding rulings — for example ordering that a data processing operation be adjusted, suspended or prohibited altogether. Fines are imposed exclusively by the cantonal prosecution authorities, and for most offences only upon a criminal complaint by a person concerned.

How high can fines under the Swiss data protection act be?

Up to CHF 250,000 — directed at the responsible natural person, not at the company. Only where a fine of no more than CHF 50,000 is at stake and identifying the responsible individual would require disproportionate effort can the business itself be ordered to pay instead, under Art. 64 FADP.

Who gets fined — the company or the management?

As a rule, the natural person responsible for the violation: the managing director, the executive who took the decision, or in individual cases specialists such as in-house counsel or data protection officers. This is a fundamental difference from the EU General Data Protection Regulation, which provides for corporate fines.

Are negligent data protection violations punishable?

No. Only intentional conduct is punishable — although conditional intent suffices, meaning the conscious acceptance of a violation. The offences under Art. 60–62 FADP are moreover prosecuted only upon complaint; only disregarding an FDPIC ruling (Art. 63 FADP) is prosecuted ex officio.

Have there already been fines under the new Swiss data protection act?

A few — and the known amounts are small. One publicly documented case is a summary penalty order issued by the Statthalteramt of the District of Zurich in March 2025, fining an in-house counsel CHF 600 for providing false information in response to an access request; law firms also report first legally binding fines below CHF 1,000. The practical danger currently lies more in FDPIC investigations, reputational damage and civil claims.

Ready for clean cookie consent?

Aiara handles cookie banners, privacy policies and legal notices for your website — FADP and GDPR compliant.

Discover Aiara