Data Strategy Briefing — September 1, 2023

Executive briefing: Switzerland’s revised Federal Act on Data Protection (revFADP) took effect on 1 September 2023. The law modernises Switzerland’s privacy regime by introducing explicit transparency obligations, regulating high-risk profiling, and requiring controllers to notify the Federal Data Protection and Information Commissioner (FDPIC) of serious breaches.

Key governance checkpoints

• Processing records. Maintain inventories of processing activities including purposes, categories, retention, and safeguards to evidence accountability.
• Transparency updates. Refresh privacy notices to disclose controller identity, processing purposes, data recipients, and cross-border safeguards.
• Profiling assessments. Evaluate automated decision-making and profiling practices, ensuring explicit consent for high-risk profiling.

Operational priorities

• Breach readiness. Implement procedures to notify the FDPIC without delay when a security breach is likely to result in a high risk to data subjects.
• Cross-border compliance. Review transfer mechanisms for data exported outside Switzerland, aligning with Swiss adequacy, standard contractual clauses, or binding corporate rules.
• Vendor management. Update processor agreements with revFADP-mandated clauses covering confidentiality, sub-processing, and audit rights.

Enablement moves

• Leverage FDPIC guidance on certification, codes of conduct, and breach reporting formats to streamline compliance.
• Align Swiss privacy controls with GDPR programmes to optimise multinational governance and assurance.

Sources

• Federal Act on Data Protection (revFADP)
• Federal Council communication on the entry into force of the revised FADP

Zeph Tech guides Swiss organisations through revFADP readiness assessments, breach response drills, and GDPR-aligned governance updates.