Compliance Briefing — September 1, 2023
Switzerland’s revised Federal Act on Data Protection took effect on 1 September 2023, introducing DPIA triggers, breach notification within 72 hours, and enhanced transparency duties.
Executive briefing: The revised Federal Act on Data Protection (FADP) entered into force on 1 September 2023. Organisations processing personal data in Switzerland must conduct data protection impact assessments for high-risk processing, notify breaches to the FDPIC without delay (generally within 72 hours), and provide expanded information to data subjects.
Key compliance checkpoints
- DPIA requirements. Identify processing activities likely to result in high risk and document mitigation measures before launch.
- Breach notification. Establish procedures to report personal data breaches to the Federal Data Protection and Information Commissioner (FDPIC) promptly.
- Transparency obligations. Update privacy notices to include retention periods, recipients, and international transfer safeguards.
Operational priorities
- Vendor review. Reassess processor contracts for Swiss-specific requirements, including joint responsibility and cross-border transfer clauses.
- Data subject rights. Align request handling to revised access, portability, and objection rights.
- Governance. Appoint Swiss representatives where required and ensure records of processing are complete and current.
Enablement moves
- Integrate Swiss FADP controls into enterprise privacy management platforms.
- Conduct tabletop exercises simulating breach reporting to FDPIC and affected individuals.
- Provide bilingual training materials for Swiss-based teams covering new sanctions and enforcement powers.
Zeph Tech upgrades privacy programmes to meet Swiss FADP controls, from DPIA workflows to breach reporting automation.