
FADP — Swiss Federal Act on Data Protection

5 min read · Reviewed by: Cenedril Editorial

A Swiss health insurer migrates its claims processing to a US cloud. The FDPIC opens a sample enquiry and asks for the register of processing activities, the transfer impact assessment and the justification for the outsourcing where no adequacy decision covers the provider. Without this documentation, what remains is a long evening with the board and, if the enquiry uncovers a high-risk breach, an immediate notification to the affected policyholders.

The Swiss Federal Act on Data Protection has been fundamentally revised and entered into force on 1 September 2023. It replaces the FADP of 1992 and moves structurally closer to the GDPR while keeping Swiss particularities — among them the focus of sanctions on natural persons instead of organisations. For every organisation operating in Switzerland or processing data of people in Switzerland, the FADP is relevant.

Who is affected?

The FADP applies extraterritorially. The decisive criterion is the place of effect, not the location of the processing entity. Concretely, it covers:

  • Controllers (Art. 5 lit. j) — private persons or federal bodies that decide alone or jointly with others on the purpose and means of processing.
  • Processors (Art. 5 lit. k) — anyone processing personal data on behalf of a controller: cloud providers, external payroll offices, IT maintenance.
  • Private persons (including companies) and federal bodies — both are subject to the FADP (Art. 2 para 1); cantonal and communal bodies are governed by the respective cantonal data protection laws.
  • Foreign organisations with effects in Switzerland — e.g. an online shop delivering into Switzerland. Where the processing relates to offering goods or services to, or monitoring the behaviour of, persons in Switzerland and is large-scale, regular and high-risk, a representative in Switzerland must be designated (Art. 14 FADP).

Exempt are processing by natural persons exclusively for personal use and processing within pending court and administrative proceedings (Art. 2 para 2 and 3). Journalistic processing is not exempt as such; the media instead benefit from specific restrictions of the right to information (Art. 27).

What does the law require?

Principles (Art. 6 FADP) largely correspond to the GDPR principles: lawfulness, good faith, proportionality, purpose limitation, accuracy, and deletion or anonymisation once the data is no longer needed. Data security is a separate duty under Art. 8. From these flow the operational duties:

  • Register of processing activities (Art. 12) — mandatory for controllers and processors; companies with fewer than 250 employees are exempt (Art. 24 DPO), unless they process particularly sensitive personal data on a large scale or carry out high-risk profiling.
  • Data Protection Impact Assessment (Art. 22) — required where the processing is likely to entail a high risk to the personality or fundamental rights of the data subjects; if a high risk remains despite the planned measures, the FDPIC must be consulted beforehand (Art. 23).
  • Disclosure abroad (Art. 16) — only to countries with adequate protection (country list in Annex 1 DPO, maintained by the Federal Council) or with the safeguards of Art. 16 para 2, e.g. standard contractual clauses notified to the FDPIC or approved binding corporate rules; consent and the other exceptions of Art. 17 cover individual cases only.
  • Data security (Art. 8 FADP, Art. 1–4 Data Protection Ordinance, DPO) — technical and organisational measures appropriate to the risk; the DPO concretises the protection objectives (confidentiality, availability, integrity, traceability) and requires logging for high-risk processing (Art. 4 DPO).
  • Breach notification (Art. 24) — notification to the FDPIC as soon as possible where the breach is likely to result in a high risk to the personality or fundamental rights of the data subjects; the processor must notify the controller as soon as possible, and data subjects must be informed where this is necessary for their protection or the FDPIC requests it.
  • Information obligations (Art. 19 ff.) — information at the time of collection, in a transparent and understandable form.
  • Rights of access, data portability, rectification, deletion and objection (Art. 25 ff.) — access is generally free of charge and must be answered within 30 days.
  • Processing on behalf (Art. 9) — assignment by contract or by law; the processor may only process the data as the controller itself would be permitted to, no statutory or contractual confidentiality obligation may prohibit the assignment, and sub-processors require the controller's prior approval.

In practice

Maintain the register of processing activities even without the SME exemption. Organisations that are legally exempt still benefit from the register during audits, insurance enquiries and certifications. In Swiss practice, many large customers demand the register as evidence before signing a contract.

Document a Transfer Impact Assessment for US processors. In September 2024 Switzerland recognised adequacy for US organisations certified under the Swiss-US Data Privacy Framework. For non-certified providers, standard contractual clauses plus a documented risk assessment still apply. FDPIC practice expects a reproducible justification per processor.

Set up a breach notification chain. The FADP notification duty is worded more softly than the 72-hour deadline of the GDPR (“as quickly as possible”). Anyone subject to both regimes should run the GDPR process as the standard — the FADP duty is then automatically covered.

Mapping to ISO 27001

The data security requirements from Art. 8 FADP and Art. 1–4 DPO are formulated in a technology-neutral way and overlap substantially with the ISO 27001 Annex A catalogue. Anyone running a certified ISMS largely meets the FADP security requirements.

The directly relevant controls are listed under ISO 27001 Controls Covered below.

Typical audit findings

  • Register of processing activities missing or still tailored to the old FADP — old terminology such as “data file” and “controller of the data file” has not been updated, processor arrangements are incompletely captured.
  • Disclosure abroad without a documented basis — US cloud providers without a TIA, data in unspecified cloud regions.
  • Information on collection incomplete — the privacy notice does not cover the mandatory content under Art. 19 FADP.
  • Representative in Switzerland missing — a foreign organisation whose large-scale, regular and high-risk processing in Switzerland meets the criteria of Art. 14 has not designated a representative.
  • Access rights not operationalised — no responsible person named, no template, the 30-day deadline is missed.
  • Breach notification process exists only in theory — no tabletop exercise, the escalation path is unclear.


ISO 27001 Controls Covered

  • A.5.34 Privacy and protection of PII
  • A.5.13 Labelling of information
  • A.5.14 Information transfer
  • A.5.24 Information security incident management planning and preparation
  • A.5.32 Intellectual property rights
  • A.5.36 Compliance with policies, rules and standards for information security
  • A.6.3 Information security awareness, education and training
  • A.7.10 Storage media
  • A.8.10 Information deletion
  • A.8.11 Data masking
  • A.8.24 Use of cryptography
  • A.8.25 Secure development life cycle

Frequently asked questions

Does the revised FADP apply to companies outside Switzerland?

Yes. Art. 3 FADP covers any processing that has an effect in Switzerland, regardless of where the processing entity is located. Anyone offering goods or services to Switzerland or monitoring the behaviour of people in Switzerland falls under the act and, where that processing is large-scale, regular and high-risk, has to designate a representative in Switzerland (Art. 14).

What is the practical difference between FADP and GDPR?

The requirements are largely parallel: register of processing activities, TOMs, breach notification, data subject rights. Differences show up in terminology (processing is 'Bearbeitung' rather than 'Verarbeitung', and 'particularly sensitive personal data' rather than 'special categories'), in the sanctions regime (fines of up to CHF 250,000 against the responsible natural person; the company itself is fined up to CHF 50,000 only where identifying that person would require disproportionate effort, Art. 64) and in details such as the breach notification deadline. Anyone working in a GDPR-compliant way is largely also FADP-compliant; the terminology and the Swiss-specific documentation just have to be right.

When is a Data Protection Impact Assessment required under the FADP?

Whenever the processing entails a high risk to the personality or fundamental rights of the data subjects (Art. 22 FADP). Indicators are systematic monitoring, large-scale processing of particularly sensitive personal data or high-risk profiling. The DPIA must be prepared in advance and, where residual risk remains, submitted to the FDPIC for consultation.