What Is the FADP?

The Federal Act on Data Protection (FADP) is Switzerland's core privacy law. Originally enacted in 1992, it underwent a full revision that took effect on 1 September 2023 - with no transition period. The revised FADP aligns Swiss data protection standards with the GDPR while preserving certain Swiss-specific rules around consent, enforcement, and penalties.

One of the primary motivations behind the revision was maintaining Switzerland's EU adequacy status, which allows personal data to flow freely between the EU and Switzerland. Without this alignment, Swiss businesses would face additional hurdles when exchanging data with EU partners and customers.

The law applies to any private person or federal body processing personal data with effects in Switzerland. That includes companies located outside the country.

Who Must Comply with the FADP?

The FADP has explicit extraterritorial reach. If your organisation processes the personal data of individuals in Switzerland - whether you have offices there or not - the law applies. This mirrors the GDPR's extraterritorial provisions.

Foreign controllers or processors must appoint a Swiss representative under Article 14 if they regularly process data on a large scale in connection with offering goods or services in Switzerland, or with monitoring the behaviour of individuals there.

The revised FADP only protects natural persons. The original 1992 law also covered the data of legal entities - that is no longer the case.

Key Principles of the FADP

The revised FADP rests on familiar principles: lawfulness, proportionality, transparency, purpose limitation, data minimisation, accuracy, and storage limitation. Article 6 sets out the core requirements for processing, including the conditions under which consent is needed.

Where the FADP diverges from EU law is in its default position on consent. Processing personal data does not always require a specific legal basis. Consent becomes mandatory only in certain situations - primarily when processing sensitive personal data (which now includes genetic and biometric data), when engaging in high-risk profiling, or when another provision of law demands it. For routine processing, controllers may rely on overriding private interests or the performance of a contract.

FADP vs GDPR: What Is Different?

While the two frameworks share common ground, several differences have practical implications for website owners. The table below summarises the main points of divergence.

Area | FADP (Switzerland) | GDPR (EU)
Scope of protection | Natural persons only | Natural persons only
Consent requirement | Required for sensitive data and high-risk profiling; otherwise, overriding interests may suffice | Required as one of six legal bases; opt-in needed for cookies under the ePrivacy Directive
Data Protection Officer | Recommended but not mandatory for private companies | Mandatory in certain circumstances
Fines | Up to CHF 250,000 on individuals; up to CHF 50,000 on companies | Up to EUR 20 million or 4% of global turnover
Enforcement | Criminal penalties via cantonal prosecutors; FDPIC issues orders but cannot fine directly | Administrative fines imposed by supervisory authorities
Breach notification | Required when breach poses high risk to personality or fundamental rights | Required when breach poses any risk to rights and freedoms
Data protection impact assessment | Required when processing poses high risk | Required when processing is likely to result in high risk

The penalty model is perhaps the starkest contrast. Under the FADP, fines target individuals responsible for data protection within an organisation - not the company itself (unless identifying the responsible person would require disproportionate effort, in which case the company faces a maximum of CHF 50,000). Only intentional violations are punishable; negligence is not covered. In March 2025, the Zurich cantonal prosecution authority fined an in-house counsel at TX Group CHF 600 for a data protection violation - one of the first publicly reported penalties under the revised law.

Cookie Consent Under Swiss Law

Cookie compliance in Switzerland sits at the intersection of two laws: the FADP and the Telecommunications Act (TCA). Article 45c of the TCA requires website operators to inform users about any data processing via cookies and to provide an opt-out mechanism. This is different from the EU's ePrivacy Directive, which requires prior opt-in consent before setting non-essential cookies.

Strictly necessary cookies - session cookies, shopping basket cookies, language selection - may be used without separate consent. For non-essential cookies, the position is more nuanced.

The Federal Data Protection and Information Commissioner (FDPIC) published detailed cookie guidelines in January 2025, then issued a substantially updated version on 6 October 2025. These guidelines draw a clear line between standard profiling (where an opt-out mechanism suffices) and high-risk profiling (which requires explicit opt-in consent under Article 6(7) FADP). Cross-site tracking, real-time bidding involving sensitive data, and building comprehensive consumer profiles through third-party cookies all fall into the high-risk category.

The FDPIC also confirmed that continuing to browse a website does not constitute valid consent. Active user behaviour - such as clicking a button - is required.

Google's Consent Requirements for Switzerland

Since 31 July 2024, Google has extended its EU User Consent Policy to cover Swiss users. If your website uses Google Analytics, Google Ads, or any Google advertising products targeting Swiss visitors, you must obtain consent for cookies and personal data use for ad personalisation. Publishers must use a Google-certified consent management platform that integrates with the IAB Transparency and Consent Framework (TCF). Non-compliance may restrict your access to Google's advertising and measurement tools.

The FDPIC and Enforcement

The FDPIC (Federal Data Protection and Information Commissioner) oversees compliance with the FADP. Under the revised law, the Commissioner can now issue binding orders - requiring a company to stop or adapt a specific processing activity, or to delete unlawfully processed data.

The FDPIC cannot impose fines directly. Violations warranting criminal prosecution are referred to cantonal prosecutors. This creates a longer enforcement path compared to the GDPR's direct fining model.

Following the October 2025 cookie guidelines update, the FDPIC indicated that an awareness campaign would precede formal enforcement measures - suggesting that website operators still have a window to bring their cookie practices into line before investigations begin.

Data Subject Rights Under the FADP

The revised FADP grants individuals the right of access (Article 25), data portability, correction of inaccurate data, and objection to processing. Access requests must be fulfilled free of charge within 30 days, with no requirement for the individual to justify the request - aligning with the GDPR's approach to data subject access requests.

Practical Steps to Achieve FADP Compliance

For website owners already compliant with the GDPR, the additional burden of the FADP is relatively light. Where the FADP diverges, however, those adjustments matter.

1. Audit Your Cookie Usage

Run a thorough scan of your website to identify every cookie and tracking technology in use. Categorise each one as strictly necessary, functional, analytics, or marketing. A scheduled scanning routine catches new cookies introduced by third-party scripts or platform updates.

2. Implement a Consent Banner

Even though Swiss domestic law historically did not mandate a cookie banner, the FDPIC's 2025 guidelines and Google's consent requirements make one essential in practice. Your banner should offer granular controls - letting users accept or reject different cookie categories individually. Pre-ticked boxes and dark patterns are not acceptable.

3. Maintain Records of Processing Activities

Under the revised FADP, keeping a register of processing activities is mandatory for most organisations. Small and medium-sized enterprises whose processing poses limited risk may be exempt. This parallels the GDPR's Article 30 requirement.

4. Prepare for Data Breach Notification

If a data breach poses a high risk to the personality or fundamental rights of affected individuals, you must report it to the FDPIC as soon as possible. The threshold is higher than the GDPR's, but the obligation is real. Have an incident response plan ready.

5. Appoint a Representative (If Needed)

If your company has no physical presence in Switzerland but processes Swiss residents' data at scale, you need a designated Swiss representative under Article 14. This person serves as the contact point for the FDPIC and for data subjects.

6. Conduct Data Protection Impact Assessments

If your data processing poses a high risk to individuals' rights, the FADP requires a data protection impact assessment. The FDPIC's cookie guidelines specifically call for a DPIA when personal tracking leads to high-risk profiling under Article 5(g) FADP.

7. Review International Data Transfers

The FADP follows an adequacy-based model for cross-border data transfers. The Swiss Federal Council maintains a list of countries with adequate protection. Transfers to countries not on the list require Standard Contractual Clauses with Swiss-specific amendments (the "Swiss Finish").

Frequently Asked Questions

Does the FADP apply to my website if my company is outside Switzerland?

Yes. The revised FADP has extraterritorial scope. If your website processes personal data of individuals in Switzerland - for example, by using analytics cookies on visitors from Switzerland - the law applies to you, regardless of where your company is located.

Do I need a cookie banner under Swiss law?

Swiss law does not explicitly mandate a cookie banner in the same way the EU's ePrivacy Directive does. However, the FDPIC's 2025 cookie guidelines require transparency and an opt-out mechanism for non-essential cookies, and explicit consent for high-risk profiling. Since July 2024, Google also requires consent from Swiss users for its advertising products. In practice, a consent banner is the most reliable way to meet these obligations.

What is the maximum fine under the FADP?

Individuals responsible for intentional violations can be fined up to CHF 250,000. If identifying the responsible person would require disproportionate effort, the company itself can be fined up to CHF 50,000. Negligent violations are not subject to criminal penalties under the FADP.

How does the FADP define sensitive personal data?

The revised FADP defines sensitive data as information concerning religious, ideological, political, or trade union views or activities; health, genetic, or biometric data; the intimate sphere or racial origin of an individual; social security measures; and administrative or criminal proceedings and sanctions.

Is a Data Protection Officer required under the FADP?

No. Unlike the GDPR, the FADP does not require private companies to appoint a Data Protection Officer. Federal bodies must appoint a DPO, and the FDPIC recommends that private organisations designate one voluntarily - but it is not a legal requirement.

How quickly must data breaches be reported to the FDPIC?

The FADP requires notification "as soon as possible" when a breach poses a high risk to individuals' personality or fundamental rights. No specific hour deadline is set (unlike the GDPR's 72-hour rule), but the expectation is prompt reporting once the breach is confirmed.

Does the FADP require consent for analytics cookies like Google Analytics?

Under Swiss domestic law, analytics cookies that process personal data may be covered by an overriding interest justification rather than explicit consent. However, since Google extended its EU User Consent Policy to Switzerland in July 2024, you must obtain consent from Swiss users before loading Google Analytics if you use it alongside Google advertising products.

Bring Your Website into Compliance

If your website collects data from Swiss visitors - through analytics, advertising pixels, or even simple preference cookies - the FADP applies. Kukie.io detects and categorises cookies on your site, supports geo-targeted consent banners for Swiss visitors, and integrates with Google Consent Mode to keep your measurement tools running compliantly.
