Legal framework

The primary laws and regulations governing data protection in Switzerland are the Federal Act on Data Protection (FADP), the Federal Ordinance to the Federal Act on Data Protection (FDPO), and the Federal Ordinance on Data Protection Certification (DPCO). The revised versions of these laws and ordinances entered into force on 1 September 2023. The FADP largely follows the European Union’s General Data Protection Regulation’s (GDPR) approach.

Detailed information about the revision of the FADP is available here. Unless explicitly stated otherwise, the information provided on pertains to the legislation currently in force.

Categories of data

The FADP only applies to personal data of individuals.

Unlike under the previous law, the data of legal entities, such as corporations, is no longer protected by the FADP. The scope of application of the FADP therefore coincides with that of the GDPR. Legal entities will have to either invoke the protection of their legal personality provided for under Article 28 Swiss Civil Code, the protection of manufacturing and trade secrecy as set out under Article 162 Swiss Criminal Code, as well as the relevant provisions of federal law on unfair competition and cartels to ensure protection of their data. Like the GDPR, the FADP distinguishes between personal data and sensitive personal data.

Principles of data processing

Personal data may only be processed lawfully and in accordance with the following principles: the processing of personal data must be made in good faith and must be proportionate. Personal data may only be collected for a specific purpose which is evident to the data subjects, and it may only be processed in a way that is compatible with such purpose. If the purpose of the processing changes, the consent of the data subjects must be obtained or there must be otherwise overriding interests. Further, personal data must be destroyed or anonymized as soon as it is no longer needed. Moreover, anyone who processes personal data must ascertain that the data is accurate and take all appropriate measures to ensure that the data is up-to-date. Data which is inaccurate or incomplete with regard to the purpose of its collection or processing must be corrected, deleted or destroyed. Lastly, data security must be ensured at all times. These principles and obligations apply equally to electronic and to manual processing of personal data.

Consent is not generally required for the processing of personal data but only in exceptional cases. E.g., if a processing activity by a private entity breaches a processing principle, it may be justified by the consent of the data subjects.

Formal requirements

Unless an exception applies, both data controllers and data processors are required to maintain a so-called record of data processing activities. Federal bodies are required to notify their records to the Federal Data Protection and Information Commissioner (FDPIC), which provides a portal for this purpose. By contrast, private data processors do not have such an obligation. In certain cases, controllers must consult the FDPIC in case of high-risk projects following a data protection impact assessment. Further, the duties of data controllers to provide information to data subjects have been extended under the new FADP.

Cross-border disclosure

Disclosure of personal data abroad is restricted. Unless certain exceptions apply, personal data may only be disclosed abroad if the Federal Council has ascertained that the legislation in the third country guarantees adequate protection. The corresponding country list is contained in Annex 1 of the FDPO. In the absence of a decision by the Federal Council, personal data may be disclosed abroad only if an adequate level of data protection is guaranteed by other means (such as e.g. international treaties, standard data protection clauses that the FDPIC has approved, or binding corporate rules). The Standard Contractual Clauses approved by the European Commission (SCC) under the General Data Protection Regulation (GDPR) are recognised by the FDPIC, but certain amendments must be made to adapt the SCC for disclosure of personal data from Switzerland to third countries without an adequate level of data protection.