The Revised Swiss FADP 2025: What Actually Changes for Swiss Companies
The revised Swiss Federal Act on Data Protection (FADP) has been in force since September 2023. Yet many SMEs have only halfway implemented the changes. A practical guide to the five most important updates — and what to do about them in 2026.

The revised Federal Act on Data Protection (FADP) has been in force in Switzerland since 1 September 2023. More than two years on, conversations with web agencies and SME executives keep revealing the same pattern: many tackled the adjustments dutifully but never quite finished. The classic case — a privacy policy published just before September 2023, a cookie banner that hasn't been touched since, and a nagging feeling that something's still pending.
This article summarises what the revised FADP actually changed and where action is still required in 2026.
What the revised FADP is really about
Switzerland modernised its data protection law for two reasons. First, the old act dated from 1992 and was simply outdated. Second, without adjustment, Switzerland's status as an "adequate third country" under EU law would have been at risk — and with it, the free flow of data between Switzerland and the EU.
The revised FADP has moved closer to the GDPR without being a one-to-one copy. The logic remains pragmatically Swiss: responsibility lies with those who process data, without drowning every operation in bureaucracy.
The five most important changes at a glance
1. Extended duty to inform
When personal data is collected, the data subject must be informed — not just about who, but also about why. Specifically (Art. 19 FADP): the identity and contact details of the controller, the purpose of the processing, the recipients or categories of recipients if the data is disclosed, and, for cross-border transfers, the country of destination and the safeguard relied on.
This information belongs in the privacy policy. A generic template from the internet is not enough — recipients and purposes must match your concrete setup.
2. Records of processing activities
Controllers and processors must maintain records of their processing activities (Art. 12 FADP). The Ordinance exempts companies with fewer than 250 employees whose processing carries a low risk. What sounds harmless is, in practice, a sober Excel- or tool-based catalogue: what data is processed for what purpose, by whom, where it is stored, how long it is retained.
For SMEs under 250 employees, the duty still applies if they process sensitive personal data on a large scale or carry out high-risk profiling. In practice, I recommend simple records to all web agencies with customer databases anyway — if only to be able to respond systematically to access requests.
3. Data Protection Impact Assessment (DPIA)
For processing that is likely to result in a high risk to the personality or fundamental rights of the data subject, a DPIA is mandatory (Art. 22 FADP). That sounds clunky but is precisely meant: anyone introducing a new tracking tool that aggregates behavioural profiles, or implementing employee monitoring, must assess and document the risks beforehand.
If the DPIA shows that risk cannot be sufficiently reduced, the FDPIC must be consulted. In practice, this path is rarely taken — usually mitigations are found that adequately cushion the risk.
4. Sharper sanctions
Fines of up to CHF 250,000 — per violation. Importantly, the fine targets not the company but the natural person responsible (Art. 60 ff. FADP); the company itself can only be fined, and only up to CHF 50,000, where identifying that person would require disproportionate effort. In practice, the person responsible is often management. This makes the topic a board-level matter, not a delegable IT problem.
Sanctions apply only to intentional violations: of the duties to inform, to provide access and to cooperate, and of certain duties of care, such as transferring data abroad without adequate safeguards, engaging a processor without the required contract, or failing to meet the minimum data-security requirements. Negligent violations are not punishable under the FADP — which doesn't mean they can be ignored.
5. Stronger rights for data subjects
The right of access (Art. 25 FADP) is not new but has been clarified. Data subjects can demand to know what data is processed about them, where it comes from, for what purpose, and to whom it is disclosed. The deadline is 30 days. An expansion compared to the old law: automated individual decisions with legal effects or significant consequences must be disclosed to the data subject, who may state their position and request a human review — for example, for credit checks, automatic tariff determinations, or applicant screenings.
What website operators concretely need to do
When I run a Swiss SME website through an FADP audit, I look at five points:
- Is the privacy policy current? Check the date. If before September 2023, definitely outdated. If from 2024 or 2025, read critically — many templates have been formally adapted but not substantively tailored to the specific company.
- Is the cookie banner cleanly implemented? Are marketing and analytics cookies set only after consent? Is "Reject" as easy to click as "Accept", and does it actually leave only necessary cookies? Is consent logged with timestamp and policy version? Strictly, Swiss law (Art. 45c TCA plus the FADP's transparency duties) requires information and an opt-out rather than opt-in consent; the opt-in pattern is what any site with EU visitors needs under the GDPR, which in practice is nearly every Swiss site.
- Are third-party tools disclosed? Google Analytics, Meta Pixel, HubSpot, Mailchimp — everything must be named in the privacy policy, with purpose and recipient country.
- Is there a process for access requests? Who responds when someone requests their data? A plain email to info@ is often the weakest point in SME daily operations.
- Are cross-border transfers transparent? US cloud providers, EU hosting — anything leaving Switzerland belongs in the policy. Ideally with a reference to the mechanism (standard contractual clauses, adequacy decision).
Common pitfalls from practice
Three points I see at almost every audit session:
Pitfall 1 — Outdated cookie lists. The privacy policy mentions three cookies, but the website sets twelve because the marketing team integrated a new tool. Solution: regular automated scans that detect discrepancies.
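The discrepancy scan from Pitfall 1, and the "set only after consent / Reject leaves only necessary cookies" checks from the audit list above, reduce to one comparison: the cookie inventory declared in the privacy policy versus the cookies a crawl actually observes. The following Python is an added example written for this article, not code from the original page or from Aiara. It assumes the scanner exports raw Set-Cookie headers per visit phase (first load, after Reject, after Accept); the headers and the declared inventory below are constructed sample data.

```python
import re

# Cookie inventory as declared in the privacy policy (constructed example).
# Only "necessary" cookies may be set without consent; every other category,
# and every cookie that is not declared at all, counts as non-essential.
DECLARED = {
    "PHPSESSID": "necessary",
    "cookie_consent": "necessary",
    "_ga": "analytics",
    "_gid": "analytics",
    "_fbp": "marketing",
}

# Constructed scan result: Set-Cookie headers captured by a headless-browser
# crawl in three phases of one visit. In a real audit these come from the
# scanner's response log (e.g. Playwright/Puppeteer); here they are inline.
SCAN = {
    "pre_consent": [  # first page load, banner shown, nothing clicked
        "PHPSESSID=9f2c1a; Path=/; Secure; HttpOnly; SameSite=Lax",
        "_ga=GA1.2.1234.5678; Domain=.example.ch; Path=/; Max-Age=63072000",
    ],
    "post_reject": [  # visitor clicked "Reject"
        "cookie_consent=rejected; Path=/; Max-Age=15552000; SameSite=Lax",
        "hubspotutk=3b1e9d; Domain=.example.ch; Path=/; Max-Age=15552000",
    ],
    "post_accept": [  # visitor clicked "Accept"
        "cookie_consent=accepted; Path=/; Max-Age=15552000; SameSite=Lax",
        "_ga=GA1.2.1234.5678; Domain=.example.ch; Path=/; Max-Age=63072000",
        "_fbp=fb.1.1700000000.1; Domain=.example.ch; Path=/; Max-Age=7776000",
        "hubspotutk=3b1e9d; Domain=.example.ch; Path=/; Max-Age=15552000",
        "_ga=; Max-Age=0; Path=/",  # a deletion, not a set
    ],
}

_NAME = re.compile(r"^\s*([^=;\s]+)=")
_MAX_AGE = re.compile(r";\s*Max-Age=(-?\d+)", re.IGNORECASE)


def cookie_names(headers):
    """Names of the cookies actually set by a list of Set-Cookie headers.
    A header with Max-Age <= 0 deletes the cookie and is not counted."""
    names = set()
    for header in headers:
        match = _NAME.match(header)
        if not match:
            continue
        age = _MAX_AGE.search(header)
        if age and int(age.group(1)) <= 0:
            continue
        names.add(match.group(1))
    return names


def audit(declared, scan):
    """Compare the declared inventory with what the crawl observed.
    Returns sorted lists so reports (and tests) are stable."""
    observed = {phase: cookie_names(hdrs) for phase, hdrs in scan.items()}
    seen = set().union(*observed.values())

    def non_essential(names):
        # undeclared cookies have no category and are treated as non-essential
        return {n for n in names if declared.get(n) != "necessary"}

    return {
        # set by the site but missing from the policy (Pitfall 1)
        "undeclared": sorted(seen - declared.keys()),
        # listed in the policy but never observed: stale entry or dead tool
        "unused": sorted(declared.keys() - seen),
        # non-essential cookies present before any consent decision
        "set_before_consent": sorted(non_essential(observed.get("pre_consent", set()))),
        # after "Reject" only necessary cookies may remain
        "set_after_reject": sorted(non_essential(observed.get("post_reject", set()))),
    }


if __name__ == "__main__":
    for finding, names in audit(DECLARED, SCAN).items():
        print(f"{finding:20s} {', '.join(names) or '-'}")
```

On the sample data the report flags `hubspotutk` as undeclared, `_gid` as declared but never set, `_ga` as set before consent, and `hubspotutk` again as surviving a Reject. Run it from a scheduled job against fresh crawl output and treat any non-empty finding as a ticket for whoever owns the privacy policy; the point is that the check is mechanical, so the marketing team's next tag-manager change cannot silently outrun the policy.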
Pitfall 2 — Non-binding language. "We care about your data" is not a privacy policy. The FADP requires concrete information — what data, what purposes, what recipients.
Pitfall 3 — Forgotten access requests. If no clear responsibility is defined, requests land in the general inbox and get forgotten. With complete radio silence, the 30-day deadline is quickly exceeded — and that's a documented violation.
FADP 2026 practical checklist
A compact list for self-review:
- Privacy policy includes purpose, recipients, cross-border transfers
- Cookie banner with equivalent "Reject" and consent log
- All third-party tools named in the policy
- Access request process documented (recipient, deadline, workflow)
- Cross-border transfers disclosed with mechanism
- Records of processing activities maintained (where required)
- DPIA performed for high-risk processing
- Current cookie inventory verified with scanner
Outlook
The FDPIC began investigating more proactively in 2025 — initially mostly on tip-offs from the public, but increasingly through its own random checks. Anyone who started in 2023 and has done nothing since should plan a spring review for 2026. A systematic cookie scan, a policy update, and a refresh of the access request process are achievable in a half-day session.
For those without their own data protection generator, Aiara helps: cookie banner, privacy policy and legal notice run automatically in sync with your website — FADP and GDPR compliant, with Swiss hosting and version control. The first domain is free, including an audit cookie scan.
Frequently Asked Questions
Does the revised FADP also apply to sole proprietors and micro-enterprises?
Yes. The revised FADP has no thresholds based on employee count or turnover. Anyone processing personal data — and that's practically every business with a website or customer database — falls under the legal obligation. Reliefs apply only to companies with fewer than 250 employees, e.g. for the records of processing activities.
Do I need a Data Protection Officer?
In Switzerland, appointing a data protection adviser (the FADP's term for a DPO) is voluntary, whereas the GDPR mandates a DPO for certain controllers. There is an incentive, though: a controller that has appointed an adviser, notified the FDPIC of the appointment, and consulted that adviser on a DPIA may skip the otherwise mandatory prior consultation of the FDPIC (Art. 23(4) FADP). For SMEs with larger data volumes or high-risk processing, an appointment is recommended.
What happens in case of a violation?
Intentional violations of the duty to inform, provide access or cooperate can be sanctioned with fines of up to CHF 250,000 — directed at the natural person responsible for the violation, in practice usually a manager. Unlike the GDPR, the fine does not target the company; the company can only be fined (up to CHF 50,000) where identifying the responsible individual would require disproportionate effort.
Is my old privacy policy from 2018 still sufficient?
No. A privacy policy created before 2023 generally does not meet the new disclosure requirements. In particular, you must today transparently disclose the purpose of processing, the recipients, and any cross-border transfers. An update is mandatory.
How does the revised FADP differ from the GDPR?
The basic principles are similar, but the Swiss FADP is more pragmatic. Key differences: processing does not need a legal basis such as consent as long as it respects the processing principles, and where consent is relied on it must be express only for sensitive data or high-risk profiling; fines target individuals rather than companies; and the territorial scope is effects-based, covering any processing that has an effect in Switzerland even if initiated abroad (Art. 3 FADP), whereas the GDPR additionally attaches to offering goods or services to, or monitoring, people in the EU regardless of where the controller sits.