Compliance Briefing — September 1, 2023
Switzerland’s revised Federal Act on Data Protection and its new ordinance entered into force on 1 September 2023, requiring boards to evidence governance over DPIAs, cross-border transfers, and DSAR fulfilment while operations teams stand up Swiss-specific controls and breach reporting playbooks.
Executive briefing: Switzerland’s revised Federal Act on Data Protection (FADP) and the accompanying Ordinance to the FADP (OFADP) took effect on 1 September 2023, three years after Parliament adopted the revised Act in September 2020. The modernised law aligns closely with the EU GDPR yet preserves Swiss distinctions: fines of up to CHF 250,000 are imposed on the responsible natural person for intentional violations rather than on the company (the undertaking itself can be fined at most CHF 50,000, and only where identifying the responsible individual would require disproportionate investigative effort, Article 64); breaches likely to result in a high risk must be reported “as soon as possible” to the Federal Data Protection and Information Commissioner (FDPIC); and controllers domiciled abroad must designate a representative in Switzerland where the conditions of Article 14 are met (extensive, regular processing of data about persons in Switzerland, connected with offering goods or services or monitoring behaviour, and posing a high risk). Boards now need evidence that governance, DPIA, vendor, and DSAR operations comply with the updated regime and that Swiss data subjects receive protections equivalent to those their EU counterparts enjoy.
Governance expectations for leadership
The Federal Council’s message accompanying the law emphasises that ultimate responsibility for data protection sits with the highest management level. Audit and risk committees should therefore incorporate Swiss privacy compliance into their annual plans, reviewing how Article 12 record-of-processing requirements map to enterprise data governance frameworks and verifying that executive compensation or risk dashboards capture Swiss-specific metrics such as the number of high-risk profiling activities and pending data subject requests. Because the FADP imposes criminal liability on individuals who intentionally violate core duties (Articles 60–65), Swiss subsidiaries are updating directors’ and officers’ insurance disclosures and confirming that escalation paths enable senior leaders to intervene rapidly when DSAR service levels or DPIA findings fall outside tolerance.
Where a controller designates a data protection advisor (Article 10), the board should approve the advisor’s mandate, reporting cadence, and independence safeguards. Organisations leveraging a global data protection officer model must show how Swiss expertise is embedded—many enterprises are adding a Swiss deputy DPO to manage FDPIC engagement and coordinate with cantonal authorities. Internal audit teams are scheduling thematic reviews for 2024 to assess how the OFADP’s logging, archiving, and automated decision documentation requirements are implemented across marketing, HR, and product platforms operating in Switzerland.
Implementation roadmap
Immediate actions (September–October 2023): Programmes kicked off with a reconciliation of Swiss data inventories against the Article 24 breach reporting triggers and the Article 19 duty to provide information. Privacy teams are calibrating DPIA templates to the Article 22 triggers (high-risk profiling, extensive processing of sensitive personal data) and to the Article 21 duty to inform about automated individual decisions that produce legal effects, and are retaining completed assessments for the period the OFADP prescribes. Legal and procurement groups have been refreshing template data processing agreements so that the Swiss amendments to the EU Standard Contractual Clauses (SCCs), as recognised by the FDPIC, are applied consistently when data leaves Switzerland. Where multinationals rely on binding corporate rules, they are updating Swiss-specific appendices to document the FDPIC notification filed in July 2023.
Stabilisation phase (Q4 2023): Engineering and security functions are mapping system changes to support privacy by design (Article 7), including logging data lifecycle events, tagging Swiss residents’ records, and enforcing the retention and destruction rules that follow from the Article 6 proportionality principle. Identity and access management teams are confirming that privileged access reviews include Swiss-based processors and that processors are contractually bound under Article 9 to exchange incident information so the controller can meet its own Article 24 notification duty. Finance and human resources departments are validating that employee data transfers to payroll or benefit providers outside Switzerland are backed by an adequacy listing in Annex 1 to the OFADP (e.g., the EU/EEA and the UK) or by appropriate safeguards such as the SCCs. Note that as of this briefing the United States had extended its Data Privacy Framework to a Swiss-U.S. component, but the Federal Council had not yet recognised it as providing adequacy; that recognition followed on 14 August 2024, with effect from 15 September 2024, so transfers to the U.S. in the interim still needed SCCs or another Article 16 safeguard.
Optimisation phase (2024 and beyond): Once baseline compliance is achieved, organisations are embedding continuous controls monitoring. Privacy-by-design checklists now require Swiss product managers to document profiling logic and explainability steps for automated decisions affecting customers, especially for fintech and healthcare services. Companies are also integrating FDPIC guidance updates into agile release rituals so that new features triggering DPIAs cannot deploy without legal sign-off. Incident response plans are being re-tested quarterly with Swiss-language tabletop exercises that span legal, communications, and customer care teams.
DSAR and individual rights fulfilment
Article 25 grants data subjects the right to confirmation, access, and information about processing; the OFADP (Article 18) requires the information to be provided within 30 days and, where that is not possible, obliges the controller to tell the requestor by when it will be provided. Customer service and privacy operations teams are therefore aligning DSAR playbooks with this statutory clock, setting an internal target of 21 days to allow for identity verification and translations into German, French, Italian, or English, depending on the requestor. Automated DSAR portals must capture whether the data relates to profiling (defined in Article 5) or to automated individual decisions (Article 21) so that the rights to express a point of view and to request human review of the decision can be fulfilled. Where companies rely on third-party SaaS platforms to manage DSAR workflows, vendor questionnaires now ask for Swiss data localisation options or encryption guarantees while data resides in EU or U.S. processing centres.
Enterprises are also refining redaction tools to handle sensitive categories defined in Article 5 (religious, health, genetic, biometric data) and to segregate trade secrets or IP legitimately withheld under Article 26. Records of denial decisions, including legal rationale and senior approvals, are retained in accordance with the OFADP so they can be produced during FDPIC inspections. HR teams are aligning employee DSAR policies with works council agreements and clarifying how video surveillance or telematics data is provided, recognising cantonal labour law nuances.
Breach reporting, security, and accountability
Although the FADP does not prescribe a strict hour limit, Article 24 requires controllers to notify the FDPIC “as soon as possible” once a breach is likely to result in a high risk to the personality or fundamental rights of data subjects, and the FDPIC’s guidance reads this as without undue delay. Multinationals are harmonising this requirement with the EU’s 72-hour GDPR standard to avoid divergent playbooks. Security operations centres now tag Swiss incidents in ticketing systems, enabling privacy, legal, and communications leads to coordinate notifications to the FDPIC and, where necessary, affected individuals. Response plans specify when to involve cantonal authorities or sector regulators (e.g., FINMA for financial institutions, the Federal Office of Public Health for medical data) and ensure evidence is preserved in a form that will stand up in a subsequent FDPIC investigation or criminal proceeding.
Governance teams are also updating key risk indicators: counts of near-miss incidents involving Swiss data, mean time to detect breaches affecting Swiss residents, and status of remediation actions from DPIAs. Executives expect quarterly dashboards that show DSAR backlog, completion of privacy impact assessments, and third-country transfer approvals. Internal audit is testing controls around encryption, logging, and retention to confirm that the Article 8 data security obligations and the Article 6 proportionality (data minimisation) principle are operationalised.
Third-country transfers and vendor management
Controllers exporting data from Switzerland must document the legal basis under Articles 16–17. For jurisdictions listed in Annex 1 to the OFADP as providing adequate protection (the EU/EEA states, the UK, Canada under PIPEDA, Argentina, Israel, and the other listed jurisdictions), companies record the applicable listing in transfer registers. The United States was not on that list at the time of this briefing: the Swiss-U.S. Data Privacy Framework was recognised by the Federal Council only in August 2024, with effect from 15 September 2024, so until then U.S.-bound transfers required SCCs or another Article 16 safeguard even for DPF-certified recipients. For non-adequate destinations, privacy teams are running transfer impact assessments to evaluate surveillance laws and remedy mechanisms, referencing the FDPIC’s July 2023 position paper. Contract clauses incorporate Swiss-specific terminology (e.g., referencing “personality rights”) and stipulate cooperation in the event of FDPIC inquiries. Vendor onboarding now requires evidence of Swiss-compliant sub-processor cascades, and procurement scorecards track remediation of audit findings tied to Article 9 processor agreements.
Where cloud providers host DSAR data or consent records, organisations are insisting on transparency reports and encryption key management arrangements to demonstrate accountability if authorities request access. Many firms are enabling Swiss residency options offered by hyperscalers in Zurich or Geneva to reduce transfer complexity, while smaller organisations leverage EU data centres with Swiss addenda.
Training, culture, and change management
The revised FADP requires processors to follow controllers’ instructions and to maintain confidentiality (Articles 9 and 62). To operationalise this, companies are rolling out mandatory training tailored to Swiss nuances: multilingual e-learning that highlights fines targeting individuals, microlearning on recognising high-risk profiling, and workshops for marketing teams on consent for electronic marketing communications, which in Switzerland is governed by the Unfair Competition Act (Article 3(1)(o) UCA) rather than the data protection law itself. Human resources policies now spell out disciplinary steps for intentional violations, ensuring staff understand personal liability. Leadership town halls are communicating why Swiss compliance is not optional, even for teams located outside Switzerland but serving Swiss users.
Customer-facing staff, including DSAR case managers and call centre agents, receive scripts detailing how to authenticate requestors, manage expectations about response times, and escalate complex cases involving automated decisioning. Organisations operating in regulated sectors (finance, pharma, telecoms) pair the new training with sector-specific obligations such as FINMA circulars, the Therapeutic Products Act, or telecommunications retention laws.
Technology enablement and documentation
Privacy offices are deploying tooling updates to evidence compliance. Records-of-processing systems now flag Swiss legal bases, retention schedules, and cross-border flows, while DPIA platforms capture mitigations tied to Articles 6–10. Some enterprises are integrating FDPIC guidance feeds into governance, risk, and compliance solutions so that regulatory updates trigger workflows. DevOps teams embed privacy checks into CI/CD pipelines, requiring sign-off when code changes introduce new data elements about Swiss individuals. Documentation packages for audits include OFADP-compliant logging policies, encryption standards for data in transit and at rest, and transcripts of DPIA steering committee meetings.
For analytics and AI initiatives, governance forums evaluate whether profiling or automated decision projects create a “high risk” requiring a DPIA (Article 22) and, where the assessment shows a high residual risk, prior consultation with the FDPIC (Article 23); that consultation can be waived where the organisation has consulted its designated data protection advisor instead. They scrutinise training datasets for Swiss personal data, check anonymisation methods, and ensure opt-out mechanisms exist for personalised offers. DSAR tooling integrates with data lakes so that Swiss requestors can obtain transparency into AI-derived profiles, satisfying the Article 25 right of access and the Article 21 duty to inform about automated individual decisions.
Next steps for 2023–2024
By the end of 2023, boards expect confirmation that Swiss compliance remediation is complete, residual risks are documented, and funding for ongoing monitoring is secured. 2024 priorities include integrating Swiss privacy metrics into enterprise ESG reporting, tracking enforcement trends as the FDPIC exercises its strengthened investigative powers, and following its published guidance as it matures. Organisations will also watch developments around cookie and tracking consent under the Telecommunications Act (Article 45c TCA) and the Unfair Competition Act, which could influence consent banners and marketing analytics. Continuous engagement with Swiss regulators, industry associations, and peer networks will help benchmark DSAR volumes, breach experiences, and supervisory expectations as the new regime matures.