Swiss-made for Swiss law

FADP compliance for Swiss corporate groups — built by a Swiss team, hosted in Switzerland

Updated 2026-05-17
Key Takeaways: Priverion is a Swiss-hosted SaaS platform that automates all seven areas of revised FADP compliance — ROPA, DPIAs, breach notification, cross-border transfers, and vendor management.
The revised FADP tightened requirements significantly — especially around DPIAs, cross-border transfers, and breach notification. Many Swiss companies are still catching up. If you’re one of them, here’s how to close the gaps.
Trusted by 50+ privacy teams across 14 countries
Revised FADP requirements

Everything you need for Swiss FADP compliance

Priverion maps to all 7 areas of the revised FADP — with Swiss-specific legal bases, FDPIC-ready reports, and cross-border transfer documentation built in.
Record keeping

Processing Records

Under the revised FADP, every controller must keep a Record of Processing Activities (sometimes also called a “Processing Directory”), similar to the GDPR’s ROPA. This record provides the foundation for accountability and transparency.

The processing record must document:
  • The identity and contact details of the controller (and any joint controllers)
  • The purposes of data processing
  • The categories of data subjects and personal data processed
  • The categories of recipients, including data transfers abroad
  • The retention periods, if known
  • A general description of data security measures
  • The basis of justification (e.g., consent, overriding private/public interest, legal duty)
Result: Keep every processing activity documented and current — with Swiss-specific minimum content requirements covered automatically.
Accountability

Governance and Accountability Documents

Controllers should maintain a Data Protection Policy that outlines compliance principles, roles, and responsibilities.

This document demonstrates implementation of the accountability principle and defines how data protection is integrated into daily operations.

Complementary training logs, internal audits, and data protection governance records show ongoing awareness and oversight.
Result: Demonstrate FADP accountability with policy management, training logs, and audit trails — all in one place.
Privacy notices

Transparency and Communication Documents

To meet the information duties, controllers must provide clear Privacy Notices describing:
  • Identity of the controller and purposes of processing
  • Recipients and transfer details
  • Rights of data subjects
  • Automated decision-making, if applicable
These notices ensure that data subjects can understand and control how their data is used.
Result: Generate privacy notices that match your processing records — always current, always FADP-compliant.
DPIA requirements

Risk and Impact Assessment Documents

For processing activities that pose a high risk to data subjects’ personality or fundamental rights, a Data Protection Impact Assessment (DPIA) must be conducted.

A DPIA Register or documentation file should include:
  • Description of processing and risks
  • Assessment of necessity and proportionality
  • Measures to mitigate risks
  • Evidence of consultation with the FDPIC if required
This serves as proof that risks were evaluated and addressed.
Result: Complete DPIAs with FDPIC consultation tracking — hours instead of weeks.
Third-party management

Processor and Third-Party Management Documents

Controllers are responsible for ensuring that processors provide sufficient guarantees for data protection.

A Processor Contract Register should record:
  • Processor identities and purposes
  • Key contractual clauses ensuring compliance
  • Any cross-border subcontractors
This register demonstrates due diligence and compliance with controller–processor responsibilities.
Result: Full vendor oversight — every processor contract, subprocessor, and cross-border arrangement tracked.
Breach notification

Security and Incident Management Documents

The Technical and Organizational Measures (TOMs) Documentation provides detailed information about security controls such as access management, encryption, and data backup.

Controllers must also maintain a Data Breach Register to document all personal data breaches, including:
  • Date, nature, and scope of the breach
  • Risk assessment and mitigating actions
  • Notifications made to the FDPIC and affected persons
Together, these documents provide evidence of compliance with Art. 8 (Data Security) and Art. 24 (Breach Notification).
Result: Breach response documented from detection to FDPIC notification — 72-hour timeline managed automatically.
Data transfers

Cross-Border Transfer Documentation

For transfers to countries without adequate protection, controllers must document:
  • The destination country and legal safeguard used (e.g., standard clauses, consent, overriding interest)
  • The Transfer Impact Assessment (TIA) if risks exist
This documentation supports compliance with Art. 16–17 FADP and evidences transfer due diligence.
Result: Switzerland’s unique adequacy decisions and TIA requirements handled — Art. 16–17 compliance documented.
Why a Swiss platform

Your data stays in Switzerland. Your DPA is governed by Swiss law.

  • Swiss: Hosted on Google Cloud Switzerland. Not an “EU region”, but actually in Switzerland.
  • 75%: Less manual ROPA upkeep (average across enterprise customers).
  • FADP + GDPR: Both frameworks in one platform; ROPAs automatically map to both regulations.

Ready to simplify your privacy management?

You’re in good company. Priverion replaces scattered Excel sheets and manual workflows with a unified, smart platform for privacy and InfoSec. Our team guides you from day one to ensure a smooth rollout and long-term success.
About this page — references, definitions, and FAQs

Key Takeaways — Swiss FADP Compliance with Priverion

The revised Swiss Federal Act on Data Protection (FADP/nDSG), in force since 1 September 2023, requires controllers to maintain processing records, conduct DPIAs for high-risk activities, notify the FDPIC of serious breaches, and document cross-border transfers with adequate safeguards. Priverion is a Swiss-hosted SaaS platform that automates all seven compliance areas — ROPA, governance, privacy notices, DPIAs, vendor management, breach notification, and cross-border transfers — under both the FADP and the EU GDPR in a single workspace.

What is the Swiss FADP (nDSG)?

The Swiss Federal Act on Data Protection (FADP), known in German as the Datenschutzgesetz (DSG), is Switzerland's primary data protection statute. The fully revised version entered into force on 1 September 2023, replacing the 1992 law. It aligns Swiss data protection more closely with the EU GDPR while retaining Swiss-specific features such as individual criminal liability and the FDPIC's advisory enforcement model. The full consolidated text is available at fedlex.admin.ch.

How does the revised FADP differ from the EU GDPR?

While both frameworks share core principles — lawfulness, purpose limitation, data minimisation, and accountability — key differences exist. The FADP does not include a "legitimate interest" legal basis; instead, Swiss law permits processing based on "overriding private or public interest" (Art. 31 FADP). Criminal fines under Art. 60–63 FADP target responsible individuals (up to CHF 250,000), not the organisation. The FDPIC issues recommendations rather than binding orders with direct fines. According to the IAPP, this individual-liability model is unique among major data protection regimes globally.

Who must comply with the Swiss FADP?

All private persons and federal bodies processing personal data of individuals in Switzerland must comply. The FADP applies extraterritorially: foreign companies whose processing produces effects in Switzerland are also subject to the law (Art. 3 para. 1 FADP). The FDPIC (Federal Data Protection and Information Commissioner) supervises compliance and publishes guidance for both domestic and foreign controllers.

What is a DPIA under the Swiss FADP?

Under Art. 22 FADP, a Data Protection Impact Assessment must be conducted when planned processing is likely to pose a high risk to the personality or fundamental rights of data subjects. The assessment must describe the processing, evaluate necessity and proportionality, identify risks, and document mitigation measures. If residual high risk remains after mitigation, the controller must consult the FDPIC before proceeding (Art. 23 FADP). The EDPB's DPIA guidelines, while EU-focused, are widely referenced by Swiss practitioners as methodological guidance (EDPB Guidelines 4/2017).

What are the breach notification requirements under the FADP?

Art. 24 FADP requires controllers to notify the FDPIC "as quickly as possible" of personal data breaches that pose a high risk. The FDPIC recommends a 72-hour notification window, consistent with GDPR practice. Affected data subjects must also be informed when necessary for their protection. A documented breach register — recording date, nature, scope, risk assessment, and remedial actions — is essential evidence of compliance.

What are the penalties for FADP non-compliance?

Intentional violations of key obligations — including failure to provide information (Art. 60), failure to cooperate with the FDPIC (Art. 63), and breach of professional secrecy (Art. 62) — carry fines of up to CHF 250,000 against the responsible individual. According to a 2024 survey by IAPP, 68% of Swiss privacy professionals reported that the individual-liability model has increased board-level attention to data protection compliance.

How does Priverion automate FADP compliance?

Priverion maps every processing activity to both the Swiss FADP and the EU GDPR simultaneously. The platform automates Record of Processing Activities (ROPA) with Swiss-specific minimum content fields, generates FDPIC-ready DPIA documentation, tracks processor contracts and subprocessor chains, manages breach notification timelines, and documents cross-border transfers with Transfer Impact Assessments (TIAs) under Art. 16–17 FADP. All data is hosted on Google Cloud Switzerland (Zurich region) with ISO 27001 certification.

Statistics and Context

According to the IAPP-EY 2023 Privacy Governance Report, the average organisation spends approximately 54% of its privacy budget on operational compliance tasks such as ROPA maintenance, DPIA execution, and vendor assessments. A 2024 Gartner forecast projects that by 2026, 60% of large enterprises will use automated privacy management platforms, up from fewer than 15% in 2021. The FDPIC's 2023–2024 activity report noted a significant increase in consultation requests following the revised FADP's entry into force, underscoring the compliance burden on Swiss organisations. ENISA's 2023 threat landscape report (ENISA) identified ransomware and supply-chain attacks as the top threats to personal data, reinforcing the importance of robust breach notification and vendor management processes.

FADP vs GDPR — Comparison Table

| Aspect | Swiss FADP (nDSG) | EU GDPR |
|---|---|---|
| Effective date | 1 September 2023 | 25 May 2018 |
| Scope | Natural persons in Switzerland; extraterritorial | Natural persons in EEA; extraterritorial |
| Supervisory authority | FDPIC (advisory/recommendation powers) | National DPAs (binding orders, direct fines) |
| Maximum fine | CHF 250,000 (individual) | € 20 million or 4% of global turnover (organisation) |
| Legal basis for processing | Overriding private/public interest, consent, legal duty | Legitimate interest, consent, contract, legal obligation, vital interest, public task |
| DPIA required | Yes (Art. 22 FADP) | Yes (Art. 35 GDPR) |
| Breach notification | FDPIC, as quickly as possible (72 h recommended) | DPA within 72 hours (Art. 33 GDPR) |
| DPO requirement | Optional (Data Protection Advisor) | Mandatory in certain cases (Art. 37 GDPR) |
| Cross-border transfers | Art. 16–17 FADP; Federal Council adequacy list | Art. 44–49 GDPR; EU Commission adequacy decisions |