In contrast to the previous FADP, under which the FDPIC could only issue non-binding recommendations and initiate proceedings before the Federal Administrative Court, the FDPIC can now issue binding orders. These include orders to cease processing, to destroy personal data or to cease disclosure abroad, as well as orders to carry out a data protection impact assessment or to provide information to data subjects.
The FADP provides for criminal sanctions of up to CHF250,000 in the event of an intentional breach (including contingent intent) of certain provisions. Examples include a breach of the information obligation, incomplete or inaccurate information in response to a data subject access request, or a controller using a processor without entering into a processing agreement. These sanctions are directed against the individual responsible for the breach (including members of management but not limited to them).
Data subjects can, in a civil lawsuit, claim damages and the handing over of profits, as well as concrete measures concerning the data processing (for instance a total or partial ban on the data processing in question).