The FADP Explained: Switzerland's Data Protection Law for Businesses
The FADP is the Swiss Federal Act on Data Protection — fully revised and in force since 1 September 2023 with no transition period. This guide explains who it applies to, which duties it imposes and how businesses can implement the requirements pragmatically.
The FADP affects virtually every company in Switzerland — from the one-person business with a website to the multinational. Yet day-to-day uncertainty remains high: what exactly does the law require, what happens in case of violations, and where does common sense suffice? This guide answers the key questions about Swiss data protection law — in plain language, without legalese, and with an implementation checklist.
What is the FADP?
The FADP is the Swiss Federal Act on Data Protection (SR 235.1) — the central Swiss law governing the processing of personal data. It protects the personality and fundamental rights of the people whose data is processed, and it has applied in its fully revised form since 1 September 2023 — with no transition period.
Several names circulate for the same law: nDSG (German shorthand for «new data protection act»), revDSG («revised FADP») or simply «new Swiss data protection act». Officially, the law is still just called the FADP — in German, DSG. Anyone referring to the nDSG does not mean a separate statute, but the version of the FADP in force since 2023.
The complete overhaul had two drivers. First, the predecessor act dated from 1992 — an era before smartphones, cloud services and online tracking. Second, Switzerland had to align its data protection level with European standards so that the EU would continue to recognise it as a country with adequate data protection, allowing personal data to flow across the border without additional hurdles.
Substantively, the FADP rests on a handful of principles (Art. 6): personal data must be processed lawfully, in good faith and proportionately, the processing must be purpose-bound and recognisable to the data subjects, the data must be accurate — and its security must be guaranteed through appropriate technical and organisational measures. Whoever observes these principles has already laid the foundation of compliance.
One frequently overlooked difference from the EU: the FADP follows a permission principle. Processing personal data is permitted by default, without requiring consent or another legal basis — as long as the principles are observed and no violation of personality rights occurs. The GDPR works the other way round: there, all processing is prohibited until a legal basis allows it. The FADP requires consent only in specific constellations — for instance when sensitive personal data is processed contrary to the principles, or for high-risk profiling.
The law is supervised by the Federal Data Protection and Information Commissioner (FDPIC) — Switzerland's data protection supervisory authority. It conducts investigations, advises companies and individuals, and publishes guidelines, for instance on cookies and tracking.
What exactly changed with the revision — new definitions, extended information duties, tightened sanctions — is covered in our article «The Revised Swiss FADP: What Actually Changes for Swiss Companies». This guide focuses on the law as it stands: what does the FADP require of a business today?
Who does the Swiss data protection law apply to?
The FADP applies to all private individuals and companies as well as federal bodies that process personal data — with no thresholds based on size, turnover or industry. Personal data is any information relating to an identified or identifiable person: name, e-mail address, customer number, but also IP addresses or location data.
That makes the scope easy to reach in everyday business:
- the bakery with a contact form on its website
- the fiduciary office with client files and payroll data
- the online shop with order, payment and tracking data
- the startup sending a newsletter
Two distinctions matter. First: cantonal and municipal authorities are not subject to the FADP but to the respective cantonal data protection acts. Second: the FADP has extraterritorial effect. Under Article 3, it applies to circumstances that have an effect in Switzerland — even if they originate abroad. A German online shop actively serving Swiss customers falls within scope just as much as a US software provider processing data of Swiss users.
A special category is sensitive personal data: health data, religious, philosophical or political views, genetic and biometric data, information on criminal proceedings and on social assistance measures. Stricter rules apply to it — where consent is required, it must be given expressly. Whoever processes such data should implement every duty in this guide with heightened care.
The key duties for businesses
At its core, the FADP requires six things from businesses: inform, provide access, document, report data breaches, build in data protection from the start, and bind service providers contractually. The following sections explain each duty together with the relevant article of the act.
One relief up front: unlike the GDPR, the FADP does not require the appointment of a data protection officer. Companies may voluntarily designate a data protection advisor — for most SMEs it is enough to assign the responsibility clearly in-house.
Duty to inform and privacy policy (Art. 19)
Anyone collecting personal data must inform the data subjects — in advance and in an understandable form. Article 19 requires at minimum the identity and contact details of the controller, the purpose of processing, the recipients or categories of recipients, and, for transfers abroad, the destination country and the applicable safeguards.
The information must be provided at the time of collection; if the data is not obtained directly from the data subject, at the latest one month after receipt. For website operators this means: you need a privacy policy that matches your actual setup. A copied template that stays silent about Google Analytics while it is running does not fulfil the duty — if anything, it documents the violation. How a compliant policy comes together is shown in our article «Creating a Privacy Policy for Switzerland».
Right of access for data subjects (Art. 25)
Any person can ask a company which data it processes about them, where that data comes from and to whom it is disclosed. The information is generally free of charge and must be provided within 30 days.
Refusing, restricting or deferring the information is permitted only within narrow limits — for instance where a law provides for it or overriding interests of third parties are affected — and the decision must be justified. In everyday SME life the right of access is the most common weak spot: requests land in the general inbox, nobody feels responsible, the deadline passes. A defined responsibility and a simple response template solve the problem with minimal effort.
Records of processing activities (Art. 12)
The records are an internal catalogue of all data processing: which data, for what purpose, who has access, how long is it retained? For small businesses there is an important relief: companies with fewer than 250 employees are exempt from the obligation — as long as they do not extensively process sensitive personal data and do not carry out high-risk profiling.
A lean overview is still recommended. It forces you to take stock and makes any later access request considerably easier to handle.
Notification of data security breaches (Art. 24)
If data security is breached — through a hacking attack, a lost notebook or a misdirected bulk mailing — and this is likely to result in a high risk for the data subjects, the company must notify the Federal Data Protection and Information Commissioner (FDPIC) as quickly as possible.
In addition, informing the data subjects may be necessary — where it is required for their protection or the FDPIC demands it. In practice this calls for a minimal emergency plan: who decides in an incident, who reports, through which channel? A single page with responsibilities and the reporting path to the FDPIC is a perfectly adequate starting point.
Privacy by design and privacy by default (Art. 7)
Data protection must be considered from the planning stage («by design»), and the most privacy-friendly setting must be the default («by default»). In concrete terms: whoever introduces a new CRM clarifies storage location and deletion concept before buying. Whoever builds a form does not pre-tick the newsletter checkbox. And a cookie banner that starts tracking only after consent is privacy by default in action.
Processing by third parties and DPAs (Art. 9)
Whoever outsources data processing to third parties — hosting provider, newsletter service, external accounting — remains responsible and must govern the processing by contract. This is done with a data processing agreement (DPA). The processor may only process the data in the way the controller itself would be permitted to, and must guarantee adequate data security. If the processor in turn engages third parties — for instance when the newsletter service itself hosts in someone else's cloud — this requires the controller's prior approval. What belongs in such a contract is explained in our article «Data Processing Agreements (DPA) in Switzerland».
Closely related is disclosure abroad: personal data may only flow to countries whose data protection the Federal Council deems adequate — for other countries, contractual safeguards such as standard data protection clauses are required. Since many cloud and marketing tools process data outside Switzerland and the EU, this check belongs in every tool evaluation.
Cookies, tracking and the FADP
For cookies and tracking, Switzerland relies on an interplay of two laws: the FADP requires transparency about the data processing, and Article 45c of the Telecommunications Act requires that users be informed about cookies and be able to refuse them.
This interplay is fleshed out by the FDPIC's cookie guidelines. Their thrust is clear: technically necessary cookies are unproblematic — but tracking, analytics and marketing services require genuine freedom of choice. As soon as high-risk services are running, sensitive personal data is involved or data flows to countries without adequate data protection, there is hardly any way around consent.
The guidelines also address design: freedom of choice must be genuine. Whoever declines must not be pushed towards consent through hidden buttons or pre-ticked categories, and consent once given must be as easy to withdraw as it was to give. For visitors from the EU, their stricter consent rules apply in parallel.
For practice this means: whoever uses Google Analytics, the Meta pixel, YouTube embeds or similar services needs a cookie banner that starts tracking only after consent — and a privacy policy that lists these services in full. When exactly a banner is mandatory and how to implement it correctly is covered in our guide on the cookie banner requirement in Switzerland.
Sanctions: what happens in case of violations?
Intentional violations of core FADP duties can be punished with fines of up to CHF 250,000 (Art. 60 et seq.). This applies in particular to violations of the duties to inform, to provide access and to cooperate, as well as of the duties of care — for instance regarding transfers abroad or processing by third parties.
Three peculiarities set the Swiss sanction regime clearly apart from the GDPR. First, the fine targets not the company but the natural person responsible for the violation — in an SME typically the managing director. Second, only intentional violations are punishable, not negligent ones. Third, these are offences prosecuted only upon complaint: a criminal complaint is required, and prosecution lies with the cantonal authorities — the FDPIC itself does not impose fines, but it can open investigations and issue binding rulings.
Beyond the criminal risk there is a supervisory one: the FDPIC can open an investigation ex officio or upon report and order with binding effect that a processing operation be adjusted, suspended or terminated — up to and including the deletion of data. For a company, such a ruling can cut deeper than a fine, for instance when a central marketing tool may no longer be used. Add to that the reputational damage — data protection violations have long become a media topic.
For comparison: the GDPR provides for corporate fines of up to EUR 20 million or 4 percent of global annual turnover. The Swiss fines look moderate next to that — but decision-makers are personally liable. That makes data protection a matter for top management.
FADP and GDPR: which applies to whom?
The rule of thumb: for Swiss companies the FADP always applies — the European GDPR additionally comes into play when a company actively targets customers in the EU or monitors their behaviour. An online shop delivering to Germany must observe both frameworks; a purely domestic trade business only the FADP.
The good news: the two laws are closely related. Whoever complies with the stricter GDPR largely covers the FADP duties as well. Conversely, the whole Swiss economy benefits from staying in step: the EU recognises the Swiss level of data protection as adequate, which is why personal data may flow from the EU to Switzerland without additional contracts — a tangible locational advantage, for instance for agencies and IT service providers with EU clients.
The differences in detail — consent logic, sanctions, EU representative — are explained in our GDPR guide and in the article «FADP vs. GDPR: The Key Differences».
The Data Protection Ordinance
The Data Protection Ordinance is the Ordinance on Data Protection (SR 235.11) — it fleshes out the FADP and entered into force together with it on 1 September 2023. Among other things, the ordinance governs the minimum requirements for data security, the modalities for providing access, the details of notifying data security breaches, and the exemption from the records of processing activities for companies with fewer than 250 employees.
For everyday purposes it is enough to know: whoever implements an FADP duty and wants to know exactly how, will usually find the answer in the ordinance. Alongside it exists a second implementing decree, the Ordinance on Data Protection Certification — it plays hardly any role in everyday SME life.
FADP checklist for SMEs
The compact self-assessment — every line should get a yes. Work through the list from top to bottom: the first five items cover the duties that experience shows are checked first in the event of a complaint.
- Privacy policy online, up to date and tailored to your own setup (Art. 19)
- All tools and third-party providers named in it, including transfers abroad
- Cookie banner in place that starts tracking only after consent
- Responsibility for access requests defined, response template ready (30-day deadline)
- Emergency plan for data security breaches with reporting path to the FDPIC
- DPA concluded with every service provider that processes personal data (Art. 9)
- Records of processing activities maintained — mandatory from 250 employees, recommended below
- Transfers abroad reviewed: destination countries with adequate protection or contractual safeguards
- New tools and processes set up according to privacy by design and by default
- Data protection anchored as a management responsibility (personal liability risk)
The two most visible items on this list — privacy policy and cookie banner — do not have to be maintained by hand: with Aiara you generate both automatically in compliance with the FADP, including a cookie scanner that keeps your website continuously in sync with your privacy policy. The website part of your compliance stays current without you having to track every change in the law or your tool stack yourself.
Frequently Asked Questions
What is the difference between the FADP and the nDSG?
There is no substantive difference: nDSG is the common German shorthand for «neues Datenschutzgesetz» — the new data protection act — and refers to the fully revised FADP in force since 1 September 2023. Officially the law is simply called the Federal Act on Data Protection (FADP); the «n» merely distinguishes the revised version from its 1992 predecessor. «revDSG» and «revised FADP» mean the same law.
Does the FADP also apply to small websites?
Yes. The FADP has no threshold based on turnover, headcount or traffic. As soon as a website processes personal data — via a contact form, a newsletter or analytics cookies — its operator falls within scope and must in particular fulfil the duty to inform with a privacy policy.
Do I need a privacy policy under the FADP?
In practice, yes. Article 19 FADP obliges anyone collecting personal data to inform the data subjects about the controller's identity, the purpose of processing, the recipients and any transfers abroad. For websites, this duty is fulfilled with a privacy policy that matches the setup actually in use — including all tracking and third-party services.
How high are the fines for violating the FADP?
Intentional violations of core duties — such as the duty to inform or to provide access — can be punished, upon criminal complaint, with fines of up to CHF 250,000. Unlike under the GDPR, the fine targets not the company but the responsible natural person, in an SME typically the managing director. Negligent violations are not punishable.
What is the FDPIC?
The FDPIC is the Federal Data Protection and Information Commissioner — Switzerland's data protection supervisory authority, known in German as the EDÖB. It opens investigations, issues binding rulings and receives notifications of data security breaches. It does not impose fines itself; that is the task of the cantonal prosecution authorities.
Since when has the revised Swiss data protection act been in force?
Since 1 September 2023 — with no transition period. Unlike the GDPR, which allowed a two-year lead time, all obligations of the revised FADP applied in full from day one. Anyone still non-compliant today cannot invoke any grace period.
Do I need a cookie banner under the FADP?
The FADP itself does not mandate a banner — it requires transparency. Combined with Article 45c of the Swiss Telecommunications Act, which requires that users be informed about cookies and given the option to refuse them, and the FDPIC's cookie guidelines, there is practically no way around a proper consent solution when tracking services such as Google Analytics or marketing pixels are in use.
Ready for clean cookie consent?
Aiara handles cookie banners, privacy policies and legal notices for your website — FADP and GDPR compliant.
Discover AiaraMore articles

5 min read
The Revised Swiss FADP 2025: What Actually Changes for Swiss Companies

5 min read
FADP vs. GDPR: The Key Differences for Swiss Companies in 2026

8 min read
The nDSG Explained: Switzerland's New Data Protection Act for SMEs

5 min read