August 10, 2025
3 min read
The revised Federal Act on Data Protection (FADP), effective as of September 1, 2023, represents a significant evolution in Swiss data protection law, aligning it more closely with the European General Data Protection Regulation (GDPR). The following discussion summarizes the principal changes and their implications for organizations processing personal data in or affecting Switzerland.
Scope of Protection:
The nFADP limits its coverage exclusively to the personal data of natural persons, explicitly excluding data relating to legal entities (Art. 2 nFADP). This shift narrows the law’s application compared to its previous iteration, focusing regulatory efforts on individual privacy.
Extraterritorial Application:
The law applies to all processing of personal data that “has an effect” in Switzerland, regardless of where the processing physically occurs. This “effects doctrine” mirrors GDPR’s extraterritoriality, ensuring protection for Swiss residents even when their data is processed abroad (Bühler & Pärli, 2023).
Transparency Obligations:
Controllers must provide comprehensive privacy notices to data subjects, detailing the nature and purpose of processing, recipients of data, and cross-border disclosures (Art. 19 nFADP). This requirement increases administrative duties for organizations while enhancing individual awareness and control over their data.
Privacy by Design and Default:
The law formally introduces the principles of privacy by design and privacy by default (Art. 7 nFADP). Organizations are now legally obligated to integrate data protection into processing activities and IT systems from the outset and ensure that, by default, only necessary personal data are processed.
Data Protection Impact Assessment (DPIA):
DPIAs become mandatory when intended processing is likely to result in a high risk to data subjects’ rights and freedoms (Art. 22 nFADP). This mirrors GDPR Art. 35 and aims to proactively identify and mitigate risks.
Automated Decision-Making:
If decisions are taken solely on the basis of automated processing, data subjects must be informed and given the opportunity to express their point of view or contest the decision (Art. 21 nFADP). This provision strengthens individual rights in the context of algorithmic and AI-driven decision-making.
The nFADP thus brings Swiss data protection law into closer alignment with European standards, particularly the GDPR, while introducing certain distinctive features tailored to the Swiss context. Its requirements raise the compliance bar for organizations and enhance legal certainty for cross-border data transfers, which is critical for maintaining Switzerland’s adequacy status with the EU (European Commission, 2023).
