AuditXYZ

Compliance Framework

Federal Act on Data Protection (Bundesgesetz über den Datenschutz)

Switzerland's revised FADP modernizes the country's data protection framework to align closely with the GDPR, introducing enhanced transparency obligations, breach notification requirements, and significant personal liability for violations.

Issuing Body: Swiss Federal Assembly / Federal Data Protection and Information Commissioner (FDPIC)
First Published: 1992-06-19
Latest Version: 2020 (revised FADP enforced September 1, 2023)
Typical Cost: $8,000–$100,000
Typical Timeline: 2–8 months
Audit Required: No
Audit Frequency: No mandatory external audit. The FDPIC may open investigations. Data Protection Impact Assessments required for high-risk processing.
Geography: Switzerland

FADP: The Complete Guide

Switzerland's revised Federal Act on Data Protection, effective September 1, 2023, represents a major overhaul of the country's data protection framework. Originally enacted in 1992, the revised FADP aligns Swiss law closely with the GDPR to maintain the EU's adequacy finding and ensure seamless cross-border data flows with Europe.

What the FADP Covers

The revised FADP applies to the processing of personal data of natural persons by private individuals and federal bodies. Unlike the GDPR, it does not directly protect legal entities' data, though related provisions may apply. The law requires data controllers to process data lawfully, in good faith, and proportionately to the purpose.

A key feature is the broad duty to inform. Controllers must proactively notify data subjects when collecting any personal data — not just sensitive data — providing identity, purpose, recipients, and cross-border transfer details. This goes beyond the previous law, which only required notification for sensitive data collection.

Privacy by design and by default are codified requirements. Technical and organizational measures must be implemented from the design stage, and default settings must limit processing to what is necessary for the stated purpose.

Who Needs to Comply

The FADP applies to processing that has effects in Switzerland, regardless of where the processing occurs. Foreign organizations targeting Swiss residents or processing data with effects in Switzerland must comply and, in certain cases, designate a representative in Switzerland.

Criminal Penalties — A Key Distinction

Unlike the GDPR, which focuses on organizational fines, the FADP imposes criminal penalties on responsible individuals. Willful violations of information duties, breach notification obligations, and certain other provisions can result in fines of up to CHF 250,000 against the responsible natural person. This personal liability makes the FADP a uniquely powerful deterrent at the individual level.

Practical Compliance Steps

  1. Gap analysis against GDPR — Identify Swiss-specific requirements beyond existing GDPR compliance
  2. Information notices — Update privacy notices to meet the FADP's broad duty to inform
  3. Records of processing — Maintain processing activity records (exemptions available for SMBs with low-risk processing)
  4. DPIA process — Establish Data Protection Impact Assessment procedures for high-risk processing
  5. Breach notification — Implement processes to notify the FDPIC as quickly as possible
  6. Cross-border transfers — Verify adequacy of destination countries per the Swiss Federal Council's list
  7. Representative appointment — Designate a Swiss representative if required as a foreign controller
