Guide

GDPR for Swiss Companies: When It Applies and What to Do

The EU General Data Protection Regulation does not automatically apply to every Swiss website — but it applies more often than many assume. This guide shows when Swiss companies must comply with the GDPR and how to cover both the FADP and the GDPR with a single setup.

Updated

What is the GDPR?

The General Data Protection Regulation (GDPR) is the data protection law of the European Union: Regulation (EU) 2016/679, applicable since 25 May 2018. It governs how companies and public bodies must collect, use and protect the personal data of people in the EU — uniformly and directly in all EU and EEA states, without national parliaments having to transpose it first.

The regulation rests on a few core ideas: every processing of personal data needs a legal basis. Data subjects have enforceable rights — access, rectification, erasure, data portability. Companies must document their data processing and report breaches. And non-compliance carries substantial fines imposed on the company itself.

For Swiss companies, the GDPR matters for one simple reason: it does not stop at the EU's external border. The regulation explicitly claims jurisdiction over companies outside the EU as soon as they address people within the EU. Exactly this question — when that is the case — decides whether a company in Zurich, Lausanne or Lugano must comply with the GDPR.

Does the GDPR apply to Swiss companies?

Yes — but not automatically. It applies only when the GDPR's targeting rule is triggered. The decisive provision is Article 3(2) of the GDPR: the regulation applies to companies without an EU establishment if they either offer goods or services to people in the EU (whether or not payment is involved) or monitor the behaviour of people in the EU, for example through tracking and profiling.

One distinction matters that many guides gloss over: the mere fact that a Swiss website can be reached from Germany or France does not trigger the GDPR. There must be a recognisable targeting of the EU market. The regulation's recitals name indicators such as prices in euros, delivery options to EU countries, advertising aimed at EU customers or the explicit mention of customers in EU member states. The fact that a website is available in German is not enough on its own — German is, after all, a Swiss national language.

There is also the simpler case of Article 3(1): any company operating an establishment, subsidiary or branch in the EU falls under the GDPR for that entity's data processing anyway — no targeting analysis required.

Another frequent misunderstanding: the GDPR protects people who are in the EU — citizenship is irrelevant. The data of a German national living in Zurich does not fall under the GDPR; the data of a Swiss citizen living in Berlin does. What counts in practice is where your target audience is located, not which passport they hold.

Examples: these Swiss companies fall under the GDPR

  • Online shop with EU delivery: A shop in Winterthur displays prices in euros and ships to Germany and Austria. That is a textbook case of offering goods to people in the EU — the GDPR applies to this processing.
  • Hotel targeting EU guests: A hotel in the Bernese Oberland promotes its rooms on German booking platforms and runs Google ads aimed at searchers in Germany. The booking data of these guests is subject to the GDPR.
  • Website with EU tracking: A Swiss software vendor uses analytics and remarketing tools that record and evaluate the behaviour of visitors from the EU for advertising purposes. That is behavioural monitoring within the meaning of Article 3(2) — the GDPR applies.
  • Agency with EU clients: A web agency in Basel actively serves clients in southern Germany and processes their customer data. Here too, the GDPR is part of the job.

Counter-examples: here only the Swiss FADP applies

  • Local trade: A carpentry business in Aarau with purely regional customers, prices in Swiss francs and no advertising abroad does not fall under the GDPR — even if its website can be opened in Munich.
  • One-off order from the EU: If, exceptionally, a person from Germany orders from a Swiss provider that does not actively address the EU market, this alone does not create GDPR obligations. The targeting element is missing.
  • Domestically focused service providers: A fiduciary firm that serves exclusively Swiss clients and does not track people in the EU stays within the Federal Act on Data Protection (FADP).

The honest practical question is therefore not "Can my website be accessed from the EU?" but: "Do I deliberately address people in the EU — or do I monitor their behaviour?" Anyone answering yes to either question should take the GDPR seriously.

How do I comply with the GDPR and the FADP at the same time?

The short answer: whoever implements the stricter GDPR properly covers the Swiss Federal Act on Data Protection almost entirely as a side effect. Swiss companies with EU business are therefore best served by one setup — the GDPR standard.

The most important conceptual difference lies in the legal-basis principle. The GDPR follows a prohibition with reservation of permission: every processing of personal data is prohibited unless a legal basis under Article 6 allows it — consent, contract performance or legitimate interest, among others. The FADP thinks the other way round: processing is permitted in principle, as long as it does not unlawfully violate the personality rights of the individuals concerned. In practice this means: under the GDPR you must be able to justify and document why you are allowed to carry out each processing activity.

Consent is also more formal under the GDPR. It requires a freely given, informed, unambiguous and documented agreement that can be withdrawn at any time. The FADP demands express consent only in specific cases, such as sensitive personal data or high-risk profiling.

The sanctions differ most starkly. The GDPR threatens fines of up to 20 million euros or 4 percent of worldwide group turnover — directed at the company. The FADP provides for fines of up to CHF 250,000 — directed at the responsible natural person, typically the management. Two entirely different logics, both of which can become uncomfortable.

You will find the details of Swiss law in the guide on the Swiss Federal Act on Data Protection (FADP), and a direct comparison of the two regimes in the article FADP vs. GDPR: the key differences.

Do I need an EU representative?

If the GDPR applies to you via the targeting rule and you have no establishment in the EU: in principle, yes. Article 27 of the GDPR obliges companies outside the EU to designate, in writing, a representative in an EU member state — preferably where the data subjects are located.

There is an exception, and it matters for small businesses: the representation duty does not apply if the processing is only occasional, does not include large-scale processing of sensitive data and is unlikely to result in a risk to the rights of the individuals concerned. A Swiss business-to-business service provider who sporadically corresponds with a few EU contacts does not need a representative. An online shop that continuously handles orders from Germany, on the other hand, processes EU customer data on a regular basis — it usually falls under the obligation.

What the EU representative actually does: they act as a contact point for EU supervisory authorities and data subjects, keep a copy of the record of processing activities and must be named with contact details in the privacy policy. They are not liable in the company's place; they function as a mailbox with duties. In practice, specialised providers take on this role for a few hundred euros per year — considerably cheaper than founding an EU subsidiary.

Do I need a data protection officer?

For most Swiss SMEs the answer is: no. Article 37 of the GDPR requires a data protection officer in only three cases: for public authorities and bodies, where the company's core activity consists of large-scale, regular and systematic monitoring of individuals, or where the core activity involves large-scale processing of sensitive data — health data, for example.

The key word is core activity. The fact that a company maintains a customer database, sends newsletters or evaluates web statistics does not make data processing its core activity. An advertising network that lives off tracking, or a hospital group processing patient data at scale, meets the criteria — an architecture firm or an online shop with a normal customer base does not.

Voluntarily appointing a data protection lead is often sensible nonetheless: one defined person where access requests, deletion requests and data breaches converge. Swiss law knows the voluntary data protection advisor for this purpose — the same person can fill both roles.

Under the GDPR, non-essential cookies require a clear opt-in: consent must be actively given before the cookies are set. The legal basis is the interplay between the European ePrivacy Directive (the EU directive on privacy in electronic communications) and the GDPR's consent standard. Pre-ticked boxes, continue-browsing notices or banners without a genuine reject option are not sufficient — the Court of Justice of the EU has confirmed this repeatedly.

This makes the EU stricter than Swiss practice. Swiss telecommunications law permits cookies in principle, provided users are informed and can object — an opt-out model. A banner that is good enough for the Swiss market can therefore fall short for visitors from the EU. Which rules apply when, and what a proper banner looks like, is covered in the guide on the cookie banner obligation in Switzerland.

On top of the law comes a practical tightening: anyone using Google's advertising products for audiences in the European Economic Area has been required to implement Google Consent Mode V2 since March 2024 — a mechanism that transmits visitors' consent status to Google. Without it, measurement data and remarketing functions are lost. What this means in concrete terms is explained in the article Google Consent Mode V2 for Swiss websites.

The pragmatic line for Swiss companies with EU business: one uniform consent banner to the GDPR standard for all visitors. It automatically satisfies the Swiss requirements as well and avoids the error-prone distinction by country of origin.

How does data transfer between Switzerland and the EU work?

The good news first: personal data may flow freely between Switzerland and the EU in both directions. The European Commission has recognised Switzerland as a third country with an adequate level of data protection since 2000 through an adequacy decision; it confirmed this classification in its review of January 2024. EU companies may therefore transfer personal data to Swiss recipients without additional safeguards such as standard contractual clauses.

The same applies in reverse: the Swiss Federal Council lists the EU and EEA states on Switzerland's adequacy list (Annex 1 of the Data Protection Ordinance). Swiss companies may thus pass personal data to recipients in the EU without extra formalities.

One obligation remains regardless: anyone commissioning service providers to process data — hosting, newsletter tool, accounting software — needs a data processing agreement (DPA) with each of these processors. Both the GDPR and the FADP require this, no matter where the provider is based. What such an agreement looks like is shown in the article on the data processing agreement for Swiss companies.

What belongs on the GDPR checklist for Swiss companies?

If the GDPR applies to your company, these ten steps lead to compliance in a sensible order:

  1. Clarify applicability: Do you visibly target people in the EU with goods or services — or monitor their behaviour? Record your assessment in writing.
  2. Create a record of processing activities: Document which personal data you process for which purpose, who has access and how long it is stored.
  3. Assign legal bases: Determine the appropriate basis under Article 6 for each processing activity — consent, contract, legal obligation or legitimate interest.
  4. Update your privacy policy: Add the mandatory information under Articles 13 and 14 — including legal bases, retention periods, the right to complain and, where applicable, the EU representative.
  5. Switch your cookie banner to opt-in: Active consent before non-essential cookies are set, with an equivalent reject option and documented decisions.
  6. Check and appoint an EU representative: If no exception under Article 27 applies, designate a representative in the EU in writing and name them in your privacy policy.
  7. Conclude data processing agreements: With every service provider that processes personal data on your behalf — from the hosting provider to the newsletter tool.
  8. Set up a process for data subject rights: Access, rectification and erasure requests must be answered within one month. Define a responsible person and a template.
  9. Define a breach notification process: Data security breaches must be reported to the competent supervisory authority within 72 hours — that only works with a prepared procedure.
  10. Raise awareness in your team: Determine who is responsible for data protection and train the employees who work with personal data every day.

Anyone working through this list also fulfils the core obligations of the Swiss Federal Act on Data Protection along the way — the additional effort for pure FADP compliance is minimal afterwards.

How does Aiara help with GDPR implementation?

Aiara is built for exactly this Swiss dual world. The generated privacy policy covers the FADP and the GDPR in a single document — in German, French, Italian and English. The cookie banner works to the stricter GDPR standard with documented consent and supports Google Consent Mode V2. You configure once and satisfy both regimes without maintaining two systems.

Frequently Asked Questions

Does the GDPR automatically apply to every Swiss website?

No. The mere fact that a website can be accessed from the EU is not enough. The GDPR only applies when a Swiss company visibly targets people in the EU with goods or services — for example with euro prices, delivery to Germany or EU-focused advertising — or monitors the behaviour of people in the EU, for instance through tracking and profiling.

What happens if I ignore the GDPR?

The GDPR provides for fines of up to 20 million euros or 4 percent of worldwide group turnover — imposed on the company. Enforcement against firms without an EU establishment is more difficult, but possible, for example via the EU representative or EU business partners. In practice, something else often weighs more heavily: EU customers and clients demand proof of GDPR compliance before signing contracts.

Is an FADP-compliant privacy policy also sufficient for the GDPR?

Not necessarily. Articles 13 and 14 of the GDPR require more mandatory information than the Swiss Federal Act on Data Protection — including the legal basis for each processing activity, the right to lodge a complaint with an EU supervisory authority and, where applicable, the EU representative. The reverse is true, however: a GDPR-compliant privacy policy almost always covers the FADP as well.

Do I need an EU representative as a Swiss company?

If the GDPR applies to you via its targeting rule and you have no establishment in the EU, then in principle yes (Article 27 GDPR). The only exception covers occasional, low-risk processing that does not involve large amounts of sensitive data. Anyone regularly running an online shop for EU customers or processing EU customer data usually falls under the representation duty.

Is Switzerland considered a safe third country by the EU?

Yes. The European Commission has recognised Switzerland as a country with an adequate level of data protection since 2000; this adequacy decision was confirmed in the review of January 2024. Personal data may therefore flow from the EU to Switzerland without additional safeguards — and, thanks to Switzerland's own adequacy list, in the other direction too.

Does my cookie banner have to work differently for visitors from the EU?

Yes, if the GDPR applies to you. For people in the EU, active consent is required before non-essential cookies are set — pre-ticked boxes or continue-browsing logic are not sufficient. Most Swiss companies with EU business therefore run a single opt-in banner for all visitors, which automatically satisfies the Swiss requirements as well.

Do I need a data protection officer under the GDPR?

Most Swiss SMEs do not. The obligation under Article 37 GDPR applies to public authorities and to companies whose core activity consists of large-scale, systematic monitoring or large-scale processing of sensitive data. A fiduciary office or an online shop with a normal customer base does not usually meet these criteria.

Ready for clean cookie consent?

Aiara handles cookie banners, privacy policies and legal notices for your website — FADP and GDPR compliant.

Discover Aiara