Data Strategy Briefing — September 1, 2023
Switzerland's revised Federal Act on Data Protection is now in force, requiring Swiss and foreign controllers to document board-level accountability, operationalise new inventory, breach, and vendor controls, and modernise DSAR handling around profiling and transparency.
On 1 September 2023 Switzerland's revised Federal Act on Data Protection (revFADP) and its implementing ordinances entered into force, replacing the 1992 framework with a modernised regime that aligns more closely with European Union standards while retaining Swiss specificities. The law expands individual rights, introduces explicit accountability duties, and empowers the Federal Data Protection and Information Commissioner (FDPIC) with investigative authority and the ability to issue binding decisions. Swiss-resident companies, multinational groups operating in the country, and foreign organisations targeting Swiss data subjects must now overhaul governance documentation, implementation controls, and data subject access request (DSAR) operations to satisfy the new legal landscape.
The revFADP applies to all processing of personal data that has an effect in Switzerland, irrespective of the controller's location. It introduces principles such as privacy by design and by default, reinforces data security expectations, and codifies mandatory breach notification to the FDPIC when security incidents result in a high risk to the personality or fundamental rights of data subjects. Profiling—especially profiling with high risk—is now subject to heightened transparency and consent requirements. Because Switzerland maintains its own adequacy relationships with the EU, the United Kingdom, and others, compliance failures could jeopardise international recognition; boards therefore need to treat revFADP adherence as a strategic imperative.
Governance priorities for Swiss boards and executive leadership
Boards should commission a comprehensive revFADP readiness assessment that maps each article of the Act to current policies, procedures, and controls. Audit committees ought to review whether existing data protection officers (DPOs) or privacy leads possess the authority to oversee implementation and whether escalation protocols cover the FDPIC's investigative powers. The board should also approve a Swiss-specific privacy governance charter that clarifies reporting lines between global and Swiss privacy teams, identifies responsible owners for Article 5 accountability duties, and details how compliance will be evidenced during potential FDPIC audits.
Executive leadership must integrate revFADP compliance into enterprise risk management. Risk registers should list high-risk processing activities—such as large-scale monitoring, high-risk profiling, or processing of sensitive personal data—with mitigation plans referencing privacy by design practices. Governance documentation should include criteria for designating data protection advisors (equivalent to DPOs), expectations for maintaining records of processing activities (ROPAs) under Article 12 of the Ordinance to the FADP (OFADP), and processes for approving automated decision-making systems. Boards should request quarterly updates from the privacy office summarising DSAR metrics, breach notifications, vendor audit results, and regulatory interactions.
Internal audit and compliance functions need to revise their plans to include revFADP coverage. Testing should verify the accuracy of transparency notices, consent capture mechanisms, data minimisation practices, and security safeguards. Findings must be tracked to closure with remediation timelines reported to senior management. Because the revFADP introduces criminal liability for certain intentional violations (such as providing false information to data subjects), governance frameworks should incorporate legal review of responses to DSARs and regulatory inquiries.
Implementation roadmap: policies, inventories, and security controls
Implementation begins with data mapping. Organisations should update ROPAs to reflect processing purposes, categories of data and data subjects, recipients, retention periods, and security measures. These inventories must be available in one of Switzerland's national languages or English, ready for FDPIC inspection. Controllers should also catalogue cross-border transfers, documenting adequacy decisions, standard contractual clauses, or binding corporate rules relied upon, and assess whether supplementary measures are necessary for jurisdictions lacking Swiss adequacy.
Policies and notices require rewrites. Privacy notices must identify the controller, purposes of processing, recipients (including foreign recipients), retention duration, rights available, and contact information for the DPO or Swiss representative. They also need to disclose automated decision-making logic where decisions produce legal or significant effects. Internal policies should incorporate privacy by design obligations, ensuring product development lifecycles include privacy impact assessments (PIAs) for high-risk processing and require management approval for deploying new tracking technologies.
Security teams must align controls with Article 8's requirement for appropriate technical and organisational measures. That entails role-based access controls, encryption, network segmentation, incident detection, and regular penetration testing. Incident response plans should specify thresholds for notifying the FDPIC and affected individuals, emphasising documentation of impact assessments and remediation steps. Given the high-risk profiling provisions, security architecture must also address algorithmic transparency, logging of automated decision outputs, and model validation.
Vendor management under the revFADP requires contractual diligence. Controllers remain responsible for processors and must ensure agreements include instructions on processing scope, confidentiality obligations, security measures, support for DSARs, and audit rights. Procurement should maintain a register of processors with associated risk ratings, certification status (e.g., ISO 27001, SOC 2), and breach history. Regular assessments should verify that processors can meet Swiss requirements, particularly if they rely on sub-processors outside Switzerland.
DSAR operations under the revised regime
The revFADP grants data subjects rights of access, rectification, deletion and data portability, and the right to object to automated individual decisions. DSAR teams must adapt workflows to the Swiss context, including the obligation to provide information within 30 days unless exceptional circumstances permit an extension. Systems should capture the source of the request, identity verification methods, data repositories queried, and the rationale for any exemptions applied (for example, overriding public interests or trade secrets). Responses must be delivered in writing or electronically, free of charge unless requests are manifestly unfounded or excessive.
Profiling adds complexity. When decisions are made solely through automated processing and produce legal effects or significantly affect individuals, controllers must notify data subjects of their right to express their point of view and to request human review. DSAR processes should therefore include escalation pathways to subject matter experts who can reassess automated outcomes. Organisations deploying AI-driven risk scoring, credit assessments, or behavioural advertising should maintain documentation explaining model inputs, logic, and fairness safeguards; this information supports both DSAR responses and regulatory scrutiny.
Because the revFADP contains criminal penalties for intentional violations related to providing false information, DSAR teams should introduce quality assurance checkpoints. Legal counsel ought to review template responses, while privacy operations monitor metrics such as average fulfilment time, frequency of refusals, and recurrence of similar issues. Training for customer service and frontline staff should emphasise Swiss-specific rights, language requirements, and escalation rules to the DPO or legal department.
Cross-border DSAR coordination is critical for multinational groups. If Swiss data is processed in EU or other jurisdictions, controllers must ensure that local teams understand revFADP timelines and documentation expectations. Service level agreements with processors should incorporate obligations to support Swiss DSARs, and ticketing systems should allow tagging by jurisdiction to facilitate reporting to Swiss leadership.
Continuous monitoring, training, and stakeholder communication
Post-implementation, organisations must sustain compliance through monitoring and education. Training programs should be localised, covering revFADP principles, breach notification thresholds, and high-risk profiling obligations. Attendance should be tracked and reported to governance committees. Privacy offices should establish key risk indicators—such as number of DSARs received, breaches reported, processor audits completed, and PIAs conducted—to detect emerging gaps.
Regular reviews of privacy notices, consent flows, and data processing activities should be scheduled, especially when new products, mergers, or partnerships are proposed. Significant changes should trigger PIAs or consultations with the FDPIC where appropriate. Boards should receive annual attestation reports from the DPO summarising compliance status, open remediation items, and regulatory developments, including any updates to Swiss adequacy decisions.
Externally, organisations should communicate revFADP readiness to customers and partners via trust centres, contractual appendices, and RFP responses. Transparency about DSAR channels, security measures, and governance structures can differentiate providers in the Swiss market. Maintaining open dialogue with industry associations and monitoring FDPIC guidance will help organisations adapt quickly to interpretative clarifications.
By treating the revFADP as a catalyst for mature privacy governance, companies can enhance trust among Swiss stakeholders, reduce enforcement risk, and ensure that their DSAR and implementation practices meet both Swiss and international expectations.