The revFADP — the revised Federal Act on Data Protection — is Switzerland’s modernised data protection law, in force since 1 September 2023. It replaced the country’s ageing data protection regime with one fit for the digital era and, crucially, aligned Swiss rules closely with the European GDPR. For Swiss companies, and for any organisation processing the data of people in Switzerland, the revFADP is now the domestic counterpart to the GDPR and a law that must be understood in its own right.
Why the law was revised
Switzerland’s previous data protection act dated from an earlier technological age and had fallen behind both the realities of modern data processing and the European standard set by the GDPR. The revision had two motivations: to give individuals stronger, more modern protections, and to maintain Switzerland’s adequacy in the eyes of the EU — the recognition that allows personal data to flow freely between the EU and Switzerland. Alignment with the GDPR was therefore both a policy choice and a practical necessity.
Alignment with the GDPR
The revFADP mirrors many GDPR concepts: enhanced transparency obligations, expanded data-subject rights, the principles of privacy by design and by default, records of processing activities, and a duty to report certain data breaches. For an organisation already building to the GDPR, much of the revFADP will feel familiar. This deliberate convergence is what allows DACH-focused companies to operate to a single, GDPR-led standard that also satisfies most Swiss requirements.
Where it differs from the GDPR
Despite the alignment, the revFADP retains distinctly Swiss features. Its enforcement model and penalty structure differ — notably, fines under Swiss law can target responsible individuals rather than only the organisation, which changes the compliance calculus. Some definitions and thresholds vary, and the supervisory body, the Federal Data Protection and Information Commissioner, operates under its own framework. Treating the revFADP as merely “the GDPR in Switzerland” therefore risks missing these real differences.
Scope of the law
The revFADP applies to the processing of personal data by private persons and federal bodies, and it reaches conduct that has an effect in Switzerland even where the processing happens abroad. This extraterritorial dimension parallels the GDPR’s and means foreign companies serving Swiss users can fall within scope. As with the GDPR, the breadth of “personal data” means most organisations that handle customer or user information are affected.
Transparency and information duties
A central thrust of the revision is transparency. Organisations must inform individuals about the collection of their personal data and the purposes of processing, with clearer and more comprehensive information than the old law required. In practice this has driven Swiss companies to update privacy notices, consent flows, and internal documentation so that individuals genuinely understand what happens to their data — mirroring the GDPR’s transparency principle.
Data-subject rights
The revFADP strengthens the rights of individuals, including the right to access their data and the right to data portability, alongside rights to correction and, in defined circumstances, deletion. As with the GDPR, organisations must build the operational capacity to locate and act on an individual’s data within a reasonable time. Systems designed for GDPR rights requests will generally serve revFADP requests too, which is a strong argument for a unified approach.
Records, impact assessments and breaches
The law introduces or formalises several accountability mechanisms familiar from the GDPR: maintaining records of processing activities, carrying out data protection impact assessments for high-risk processing, and reporting data breaches to the Commissioner where they are likely to result in high risk to the individuals concerned. These obligations push Swiss organisations toward the same documented, demonstrable compliance posture the GDPR demands.
Personal liability and enforcement
One of the most consequential differences from the GDPR is the enforcement model. Where the GDPR levies large fines on organisations, the revFADP can impose fines on responsible natural persons for certain wilful breaches. This shifts the incentive structure: individuals in positions of responsibility have a direct personal stake in compliance. It is a feature Swiss organisations should not overlook when assigning data-protection accountability internally.
Practical steps for Swiss companies
Compliance with the revFADP, for most companies, means updating privacy notices to the new transparency standard, reviewing the lawful basis and purposes for each processing activity, maintaining a record of processing, ensuring contracts with processors are in place, and having a breach-response process. Companies already aligned with the GDPR are well positioned and need mainly to address the Swiss-specific points rather than start from scratch.
The GDPR–revFADP relationship in practice
Many DACH organisations are subject to both laws simultaneously — the GDPR because they serve EU users, the revFADP because they operate in or affect Switzerland. The pragmatic response is a single data-protection programme built to the higher, GDPR-led standard, with a documented overlay addressing the revFADP’s distinct features. This avoids duplicated effort while ensuring neither regime is neglected.
Conclusion
The revFADP is Switzerland’s modern data protection law, closely aligned with the GDPR but retaining distinctive features — most notably an enforcement model that can reach responsible individuals. For Swiss and DACH companies, it is best handled as part of a unified, GDPR-led compliance programme that addresses the Swiss-specific points explicitly. Building to the higher standard satisfies most of both regimes and keeps data flowing freely between Switzerland and the EU.
