Launch Q3 2026
BearGuard®
BearGuard®
Governance & AI Guardrails
DE EN
🔒 EU/EEA Data Protection

Swiss Federal Act on Data Protection (FADP 2023)

The revised Swiss FADP (nFADP) entered into force on 1 September 2023, modernizing data protection with GDPR-aligned requirements for natural persons.

LinkedIn X WhatsApp

Summary

The revised Swiss Federal Act on Data Protection (nFADP) entered into force on 1 September 2023, replacing the 1992 Data Protection Act. It substantially modernizes Switzerland's data protection framework, aligning it with European standards (GDPR) without being identical.

  • Focus on natural persons: The nFADP protects – like the GDPR – only data of natural persons. The old FADP (1992) uniquely also protected legal entities; this protection was removed in the revision.
  • New rights: Right to access, rectification, erasure, and data portability.
  • Privacy by design: Privacy by design and privacy by default are mandatory.
  • Breach notification: Data security breaches must be reported to the FDPIC.

History

The original Swiss Data Protection Act dated from 1992. It was internationally unique in that it protected both natural and legal persons. It had become outdated in the digital age. The revision was initiated in 2011. After lengthy parliamentary deliberations, the revised FADP was adopted by parliament on 25 September 2020. The implementing ordinance (OFADP/DSV) entered into force simultaneously. The law came into effect on 1 September 2023, with no transition period. The revision was also necessary to maintain Switzerland's recognition as a "safe third country" by the EU.

Scope

The nFADP applies to the processing of personal data of natural persons by private individuals and federal bodies in Switzerland. It also applies to situations outside Switzerland if they have effects in Switzerland (effects principle). Like the GDPR, the nFADP protects only data of natural persons (the old FADP of 1992 still covered legal entities). It contains no provisions for fines against companies (only criminal offences for natural persons).

Key Requirements

  • Lawfulness of processing: Data may only be processed lawfully, in good faith, and proportionately.
  • Duty to inform: Data subjects must be informed when their data is collected.
  • Data protection impact assessment (DPIA): Required when processing poses a high risk to the personality of data subjects.
  • Records of processing activities: Mandatory for companies with 250+ employees (exceptions possible).
  • Data breach notification: Must be reported to the FDPIC as quickly as possible.
  • Data protection officer: Not mandatory but recommended; companies may request FDPIC consultation.
  • Penalties: Intentional violations by natural persons: up to CHF 250,000.

Related Frameworks

GDPR/DSGVO

Content last reviewed: 22 February 2026. Found an error or need an update? [email protected]