The revised FADP was adopted by the Swiss Parliament on 25 September 2020 and entered into force on 1 September 2023. The revision of the FADP largely followed the GDPR’s approach. However, the FADP is less formalistic and has, for example, fewer governance obligations. There are only a few points where the FADP is stricter than the GDPR. Examples are some aspects of the information obligations and, in some regards, the sanctions for individuals.

Although the FADP applies primarily to the territory of Switzerland, its scope of application can be extraterritorial. In particular, it extends to processing that occurs abroad but has an effect in Switzerland. Consequently, if personal data is processed outside of Switzerland but affects natural persons in Switzerland, the data handler abroad must comply with the FADP. In addition, private controllers with their domicile or residence abroad must designate a representative in Switzerland if they process personal data of persons in Switzerland and the data processing meets all of the following requirements:

• the data processing is connected to offering goods or services in Switzerland, or to monitoring the behaviour of persons residing in Switzerland;

• the processing is extensive;

• the processing is regular; and

• the processing involves a high risk for the personality of the data subjects.

Links to legislation:

• FADP
• FDPO
• DPCO
  

Further materials (drafts, explanatory reports):

Please find below the relevant official documentation published by the Federal Department of Justice and Police, in particular:

• Explanatory report to draft FADP
• Explanatory report on the FDPO and on the DPCO
• FAQ on data protection law by the Federal Office of Justice.
• Modernised Convention 108