
FADP vs. GDPR: The Key Differences for Swiss Companies in 2026

Swiss law, EU law — or actually both? The most important differences between the revised FADP and GDPR in direct comparison, with concrete practice for SMEs operating across borders.

Aiara Team · 4 min read

"We're a Swiss company, so only the FADP applies to us." I hear this sentence often — and it's sometimes true, sometimes not. The reality: as soon as you operate beyond the Swiss border, you probably need to observe both regimes. Here are the key differences in a pragmatic overview.

Scope — the decisive point

The revised FADP is tied to the processing entity. Whoever sits in Switzerland and processes personal data falls under it — regardless of where the data subjects reside. Foreign companies that specifically target persons in Switzerland can also fall under its scope.

The GDPR, by contrast, is tied to the protection of the data subject. Anyone targeting persons in the EU ("offer goods or services") or monitoring their behaviour falls under the GDPR — even if the company is in Switzerland.

The practical question: "Do I actively address EU customers?" If yes, both apply. If not, only the FADP.

Consent — where it really diverges

The GDPR generally requires a legal basis for every processing operation. One of these is consent (opt-in, documented, revocable). Others are contract performance, legal obligation or legitimate interest.

The FADP is less formal. Consent is only mandatory when sensitive data is processed or there is a high risk to personality rights (e.g. profiling). For many routine processing operations (order fulfilment, a newsletter with customer-specific consent), it suffices that the processing is recognisable from the context.

Practice: If you want to be both FADP and GDPR compliant, handle consent in a GDPR-compliant way. That automatically exceeds the FADP standard.

Right to information — similar, not identical

Both laws give data subjects the right to information about processing of their data. Both set a 30-day deadline. But:

  • GDPR defines very precisely what the information must contain — purposes, recipient categories, retention period, data origin, automated decisions.
  • FADP is more openly formulated, but in practice very similar. A GDPR-compliant response also fulfils the FADP.

In practice, a joint information process pays off: a defined recipient in the company, a template, a documented workflow.

Privacy policy — formal difference, same content

GDPR Art. 13 and 14 list the mandatory disclosures of a privacy policy. The FADP has had similar requirements since the revision, but formulates them more compactly.

Anyone with a GDPR-compliant privacy policy automatically covers the FADP. The reverse is not necessarily true — an FADP template could be incomplete from a GDPR perspective.

Representation — GDPR specific

Swiss companies that regularly process the personal data of persons in the EU need a representative in the EU under GDPR Art. 27. This representative acts as a contact point for EU supervisory authorities and data subjects.

In practice this means: a legal representation service (several hundred euros per year) or a separate EU subsidiary. The FADP has a similar obligation for foreign companies processing data in Switzerland — Swiss companies with EU business may therefore need to organise two representations.

Sanctions — the largest discrepancy

Here it gets drastically different:

  • GDPR: fines up to EUR 20m or 4% of worldwide group turnover — whichever is higher. Addressee: the company.
  • FADP: fines up to CHF 250,000. Addressee: the natural person responsible for the violation (typically managing director).

Both approaches have their justification. The GDPR hits the company — which has a deterrent effect on large groups. The FADP hits persons — which is closer to reality for SMEs, because managing directors are usually directly responsible.

Practical dual compliance approach

For Swiss SMEs with DACH business, I recommend the following strategy:

  1. GDPR-compliant cookie banner — opt-in, documented, revocable, layered approach
  2. GDPR-compliant privacy policy — all Art. 13/14 points fulfilled
  3. GDPR-compliant access process — 30-day deadline, defined recipient
  4. EU representative — legal service (e.g. VGS Datenschutz) from approx. CHF 500/year
  5. Records of processing activities — even if not mandatory under FADP, gives structure

With this setup you're both FADP- and GDPR-compliant. The effort feels heavy at the beginning, then it's routine.

Where the FADP comes through gentler

Three points where Swiss law is more pragmatic:

  • Data Protection Impact Assessment — only for genuinely high-risk processings, not for every new tool
  • Data Protection Officer — voluntary, not mandatory
  • Sanction logic — persons instead of companies, which keeps the level of threat low given the small fines, but makes managing directors personally aware of their responsibility

For SMEs, the FADP is the more pleasant regime overall — provided you take it seriously and don't hide behind the myth that "it's just a misdemeanour anyway."

What Aiara delivers

Aiara is built from the ground up for the Swiss dual world. Cookie banner, privacy policy and legal notice cover FADP and GDPR simultaneously. You configure once, and the system automatically chooses the stricter standard. For Swiss web agencies with DACH customer base, this saves half a day of manual work per customer — and the risk of unintentionally violating one of the two laws.

Frequently Asked Questions

When does the GDPR apply to a Swiss company?

As soon as you specifically target persons in the EU — for example through a German-language online shop with EU shipping, targeted EU advertising or directly addressing persons in the EU — the GDPR applies to those processing operations. Cases where a customer from Germany simply buys from a Swiss provider, without any active market targeting, are less clear-cut.

Is it enough to mention both laws in one privacy policy?

If you actually implement both regimes, yes. Most Swiss SMEs with DACH business do exactly that: one privacy policy that names both laws as basis and meets the stricter (GDPR) requirements. That automatically covers the FADP.

Are fines under both laws equally high?

No. The GDPR provides for fines up to EUR 20m or 4% of worldwide group turnover — against the company. The revised FADP provides for fines up to CHF 250,000 — against the natural person responsible for the violation. Switzerland is more pragmatic, the EU more drastic.

Do I need an EU representative when processing EU data?

Under GDPR Art. 27, companies outside the EU need a representative in the EU if they regularly process personal data of EU citizens. Exceptions exist for occasional processing — but most Swiss SMEs with active EU business fall under the representation obligation.

How are access rights handled differently?

Both laws grant access rights. GDPR: 30 days, free of charge the first time, with a clearly defined minimum scope. FADP: also 30 days, similar scope, but somewhat more pragmatically formulated. In practice, one process must serve both — those who fulfil the GDPR automatically fulfil the FADP.

Ready for clean cookie consent?

Aiara handles cookie banners, privacy policies and legal notices for your website — FADP and GDPR compliant.
