FADP
The Swiss Federal Act on Data Protection
The new Swiss LDP, in force since September 2023, imposes reinforced requirements on companies to protect personal data.
What is the FADP, and when does it apply?
Who is affected by the new FADP, and how do fines work?
In Switzerland, the FADP applies to all companies and organizations that collect or process personal data, whether they are based in Switzerland or abroad. This includes Swiss companies managing the data of their customers, employees, or partners, as well as foreign businesses whose activities involve individuals located in Switzerland.
The FADP imposes strict obligations on companies, and the principles of data minimization and purpose limitation must be strictly respected: only necessary data may be collected, processed transparently, and retained for a limited period.
In cases of non-compliance, the law provides fines of up to CHF 250,000. Unlike the GDPR, these sanctions may directly target responsible individuals—executives, HR managers, or data processing managers—and not only the company itself. Beyond financial risks, violations can severely damage an organization’s reputation and customer trust, making compliance a critical strategic priority for all businesses.
How to Comply with the law?
With the new responsibilities imposed by the FADP, companies must strengthen their data management and security practices to ensure full compliance with Swiss and European regulations. These are the key steps to follow:
1. Identify all personal data processed by the company and assess associated risks to determine priority actions.
2. Update data protection notices on the website, in marketing content, contracts, and other materials to ensure complete transparency with data subjects.
3. Implement internal procedures to respond quickly and effectively to access, rectification, or deletion requests submitted by customers, employees, or partners.
4. Create a data processing register, listing processing activities, their purposes, responsible parties, and associated security measures.
5. Conduct Data Protection Impact Assessments (DPIA) when certain processing operations pose a high risk to individuals’ rights and freedoms.
6. Review and adapt contracts with subcontractors to ensure that data security and confidentiality are guaranteed at every stage of processing.
7. Appoint a Data Protection Officer (DPO)—internal or external—responsible for overseeing compliance, supporting teams, and acting as the main point of contact with supervisory authorities.
8. Integrate “Privacy by Design” and “Privacy by Default” principles, meaning that data protection must be considered from the design phase of systems, and that data collection must be limited to what is strictly necessary.
Additionally, it is strongly recommended to carry out regular audits to identify potential vulnerabilities and to train all employees in good data protection practices. These actions not only reduce compliance risks but also reinforce customer and partner trust.
How can I protect citizens’ personal data?
The FADP increases the responsibility of Swiss companies regarding the protection of personal data. Even those already compliant with the GDPR must ensure that their practices also meet Swiss requirements, particularly in terms of transparency and personal data management.
To reduce the risk of data leaks while maintaining operational value, anonymization is a key approach. It renders data irreversibly anonymous, preventing any identification of individuals while preserving the data’s usefulness for testing, analysis, or outsourcing.
DOT Anonymizer provides a concrete response to these challenges: a consistent anonymization solution that effectively protects personal information while ensuring compliance with the FADP.