
The revised Swiss Federal Act on Data Protection: What do companies need to bear in mind?

With the revised Swiss Federal Act on Data Protection, which came into force on September 1, 2023, important provisions on the processing of personal data have come into effect. Companies now have to comply with stricter rules.

The revised Swiss Federal Act on Data Protection (FADP) presents companies with specific challenges. Since its introduction, stricter requirements for transparency, security, and legal compliance have applied to the processing of personal data. In this article, you will find out not only what the law changed, but also how you can implement the requirements with practical tips and templates.


What is the Swiss Federal Act on Data Protection about?

The amendment adapted the Federal Act on Data Protection to changing technological and societal circumstances (cloud computing, big data, social networks, Internet of Things). The aim is to strengthen data subjects’ self-determination in relation to their data.

This revision also brought the FADP into line with European data protection rules: The goal is to ensure that the EU continues to recognize Switzerland as a third country with an adequate level of data protection, and that uncomplicated data transfers between Switzerland and the EU remain possible in the future. Otherwise, Swiss companies could face a competitive disadvantage.

Who is affected by the Swiss Federal Act on Data Protection?

The Federal Act on Data Protection applies to all companies and organizations that process personal data in Switzerland, regardless of whether their registered office is in Switzerland or abroad. The law is particularly relevant for:

  • Swiss companies that process the personal data of their customers, employees, or partners.
  • Foreign companies whose data processing affects persons in Switzerland, e.g. through the sale of products or services or through monitoring measures.

Companies abroad must also appoint a representative in Switzerland if their processing is connected with offering goods or services to, or monitoring the behavior of, persons in Switzerland, and that processing is extensive, regular, and entails a high risk for the data subjects.

What are the most important changes?

  1. Scope of validity: Since the revision, the Swiss Federal Act on Data Protection – like the GDPR – has been limited to the data protection of natural persons rather than the data of legal entities, as in the past.
  2. Expanded scope: Genetic and biometric data are now also considered particularly worthy of protection.
  3. Improved transparency: More extensive information obligations apply to companies. They must provide data subjects with appropriate information about any data collection, even if the data is not collected from the data subject personally. The identity and contact details of the data controller must be disclosed, as must the purpose of the processing, the recipients or categories of recipients, and the recipient country if the data is exported abroad.
  4. Record of processing activities: Companies are required to keep a record of their processing activities containing the prescribed information; the former obligation to register data collections with the FDPIC no longer applies. It is still advisable to link this record to an inventory of applications and databases, especially where one system is used for several processing activities. The Federal Council has exempted companies with fewer than 250 employees, provided their processing entails only a low risk for the data subjects.
  5. Data protection impact assessment: Companies are now required to carry out a data protection impact assessment if the data processing entails a high risk to the privacy or fundamental rights of the data subjects. This must be documented.
  6. Profiling: The Swiss Federal Act on Data Protection also governs profiling, i.e. automated data processing to evaluate certain personal aspects of a person, such as economic situation, health, interests, behavior, location, etc. Unlike the GDPR, the FADP does not provide for a general obligation to obtain consent.
  7. Rapid notification to the FDPIC: Under the FADP, breaches of data security – i.e. the accidental or unlawful loss, deletion, destruction, or alteration of personal data, or its disclosure to or access by unauthorized third parties – that are likely to result in a high risk to the personality or fundamental rights of the data subject must be reported to the FDPIC as soon as possible. Unlike the GDPR, the FADP sets no fixed 72-hour deadline. The controller must also inform the data subject if this is necessary for his or her protection or if the FDPIC requires it.
  8. Privacy by design and privacy by default: Companies must take the data processing principles into account from the planning and design stage of applications (privacy by design). In addition, default settings must limit the processing of personal data to the minimum required for the purpose unless the data subject chooses otherwise (privacy by default); a pre-ticked box that extends processing beyond what is necessary is therefore not acceptable.

What do the abbreviations mean?

  • FADP is Switzerland’s data protection law. 
  • DPO is the Federal Council’s ordinance on the FADP. It contains the implementing/detailed provisions. 
  • GDPR is the EU’s General Data Protection Regulation of April 27, 2016. It has been directly applicable to all EU countries since May 25, 2018. Although this is a European regulation, it is also applicable to Swiss companies under certain conditions.
  • FDPIC stands for the Federal Data Protection and Information Commissioner. It is the independent authority in Switzerland responsible for protecting personal rights and monitoring compliance with data protection laws.

What remains unchanged?

Unlike the GDPR, which requires a legal basis for every processing operation, the FADP has not fundamentally changed the way personal data may be processed. As before, private companies need neither consent nor another justification to process personal data, provided that:

  • the processing principles of transparency – in particular the fulfillment of the duty to provide information – purpose limitation, proportionality, and data security are observed,
  • the data subject has not objected to the processing,
  • and no particularly sensitive personal data (i.e. personal data requiring particular protection) is disclosed to third parties.

What data does the Swiss Federal Act on Data Protection protect?

The Swiss Federal Act on Data Protection protects all personal data relating to an identified or identifiable natural person. This includes, but is not limited to:

  • General data such as name, address, telephone number, or email address.
  • Particularly sensitive personal data requiring particular protection, including genetic and biometric data, health data, religious or political opinions, and data on ethnic origin.
  • Personal and behavioral data, such as interests, consumption habits, or location.
  • Not covered: the data of legal entities, which was protected under the old law, is no longer within the scope of the Swiss Federal Act on Data Protection since the revision.

Take special care when using AI

With the increasing use of artificial intelligence (AI), new challenges arise for data protection. While AI offers many benefits, companies and users must exercise particular caution to protect sensitive data and comply with legal requirements. Below are examples of potential risks and practical tips on how to avoid data breaches.

  • The use of artificial intelligence entails risks for data protection. Never enter sensitive or confidential data into AI systems such as ChatGPT. Such data may be stored on the provider’s servers and used to train future models. As a result, the information could, albeit unintentionally, surface in outputs shown to other users or be accessed by third parties.
  • AI systems that make automated decisions, such as granting loans or evaluating applicants, need to be scrutinized with particular care. Companies are obliged to ensure that these systems do not make discriminatory decisions and that those concerned are informed about the use of AI. In addition, documentation is required to ensure the traceability of decisions.
  • When training AI models, enormous amounts of data can be processed. Companies need to ensure that the data used is anonymized before it is fed into AI systems. Failure to do so could result in a breach of data protection regulations, especially if it is possible to identify individuals.
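The point on anonymizing data before it is used for AI training is easy to get wrong in practice: dropping the name column is not enough if identifiers survive in free-text fields, and an unsalted hash of an e-mail address is reversible with a dictionary. The following Python script is an added example, not code from the article or from AXA; the sample records, the key, and all function names are constructed for illustration. It removes direct identifiers, scrubs e-mail addresses and phone numbers from notes, generalizes birth date and postcode, replaces the e-mail with a keyed pseudonym, and checks that no identifier leaked. It also shows why a plain SHA-256 of an e-mail is only a weak pseudonym. Note that a keyed pseudonym can be linked back to the person by whoever holds the key, so for the key holder the output is still personal data; the key must stay outside the training environment.

```python
"""Minimisation and pseudonymisation of records before they become AI
training data. Added illustration (not the article's code); the sample
records, key and function names below are constructed for this example."""
import hashlib
import hmac
import re
from datetime import date

# Constructed, fictional sample records (no real persons).
SAMPLE_RECORDS = [
    {"name": "Anna Muster", "email": "anna.muster@example.ch",
     "phone": "+41 79 123 45 67", "birth_date": "1985-03-14", "zip": "8001",
     "diagnosis": "asthma",
     "notes": "Anna Muster asked for a callback at +41 79 123 45 67 or anna.muster@example.ch"},
    {"name": "Peter Beispiel", "email": "peter.beispiel@example.ch",
     "phone": "+41 44 765 43 21", "birth_date": "1962-11-02", "zip": "3011",
     "diagnosis": "diabetes", "notes": "No remarks"},
]

DIRECT_IDENTIFIERS = ("name", "email", "phone")  # never copied into the output
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d ]{7,}\d")

DEMO_KEY = b"example-key-kept-outside-the-ml-environment"  # constructed key
REFERENCE_DATE = date(2024, 1, 1)  # fixed so that age bands are reproducible


def scrub_free_text(text, name):
    """Remove the record's own name plus any e-mail address or phone number
    from free text. Regexes only catch structured identifiers; free text that
    may mention other people needs manual review or should be dropped."""
    text = text.replace(name, "[NAME]")
    text = EMAIL_RE.sub("[EMAIL]", text)
    return PHONE_RE.sub("[PHONE]", text)


def age_band(birth_date, today):
    """Generalise an exact birth date to a 10-year age band (e.g. '30-39')."""
    born = date.fromisoformat(birth_date)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def pseudonym(value, key):
    """Keyed pseudonym (HMAC-SHA256, truncated). Without the key it cannot be
    recomputed from a guessed e-mail, unlike a plain hash."""
    return hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()[:16]


def anonymize(record, key, today):
    """Build one training row: no direct identifiers, coarsened quasi-identifiers."""
    return {
        "subject_id": pseudonym(record["email"], key),
        "age_band": age_band(record["birth_date"], today),
        "zip_prefix": record["zip"][:2],    # region only, not the full postcode
        "diagnosis": record["diagnosis"],   # sensitive: keep only if the purpose needs it
        "notes": scrub_free_text(record["notes"], record["name"]),
    }


def leaks_identifier(original, row):
    """True if any direct identifier from `original` survives verbatim in `row`."""
    blob = " ".join(str(v) for v in row.values())
    return any(original[k] in blob for k in DIRECT_IDENTIFIERS)


def prepare_training_set(records, key, today):
    """Anonymise all records and refuse to emit a row that still leaks."""
    rows = []
    for rec in records:
        row = anonymize(rec, key, today)
        if leaks_identifier(rec, row):
            raise ValueError("direct identifier leaked into a training row")
        rows.append(row)
    return rows


def reverse_unsalted_hash(digest, candidate_emails):
    """Why sha256(email) is not anonymisation: a dictionary of plausible
    addresses recovers the input immediately. Returns the matching e-mail."""
    for email in candidate_emails:
        if hashlib.sha256(email.lower().encode()).hexdigest() == digest:
            return email
    return None


def demo_rows():
    return prepare_training_set(SAMPLE_RECORDS, DEMO_KEY, REFERENCE_DATE)


def demo_reversal():
    naive = hashlib.sha256(b"anna.muster@example.ch").hexdigest()
    return reverse_unsalted_hash(naive, [r["email"] for r in SAMPLE_RECORDS])


if __name__ == "__main__":
    for row in demo_rows():
        print(row)
    print("unsalted hash reverses to:", demo_reversal())
```

Generalizing age and postcode reduces, but does not eliminate, the risk that a row with a rare diagnosis in a small region identifies someone; whether the result counts as anonymous or merely pseudonymized depends on what other data the recipient can combine it with, which is the question the data protection impact assessment has to answer.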

What penalties are there for breaches of the Federal Act on Data Protection in Switzerland?

Natural persons – for example the managers or employees responsible – can be fined up to CHF 250,000 for intentional breaches of the FADP, such as breaches of the duties to provide information, to cooperate, or to exercise due diligence (e.g. when disclosing data abroad, engaging processors, or meeting the minimum requirements for data security).

Where a breach is committed in business operations and identifying the person responsible would involve disproportionate investigative effort, the company itself may be fined instead, provided the fine in question would not exceed CHF 50,000.

This is a major difference to the GDPR, which does not penalize natural persons but companies with significantly higher fines.

What other consequences are there for breaches of the Swiss Federal Act on Data Protection?

To enforce the Federal Act on Data Protection in Switzerland, the FDPIC may open an investigation against a company either ex officio or on the basis of a complaint and order far-reaching measures, such as the adjustment or suspension of data processing or even the deletion of data. In addition, the persons concerned have civil law remedies available to enforce their claims.

For companies, this means being prepared for legal disputes, especially after data breaches or complaints. Commercial legal protection insurance can provide valuable support here by covering the costs of legal disputes and giving you access to specialized lawyers.

Which companies are at particularly high risk of violating the Swiss Federal Act on Data Protection?

Companies that process large amounts of personal data or particularly sensitive personal data, carry out profiling, operate online shops, make automated individual decisions, or disclose personal data abroad (to countries without an adequate level of data protection) are exposed to a particularly high risk.

Expert tips for companies: What you need to bear in mind!

    Brigitte Imbach

    Brigitte Imbach, Legal & Data Privacy Officer at AXA-ARAG, answers the most important questions about the Swiss Federal Act on Data Protection and gives tips on how companies can implement data protection regulations.

Does every company now have to appoint or hire a data protection advisor?

No, the appointment of a data protection advisor is voluntary in contrast to the GDPR, but it entails certain advantages:

  • The role is the contact point for employees, customers (when exercising their rights as data subjects), and authorities on data protection issues.
  • If the contact details of the data protection advisor are published and communicated to the FDPIC, the mandatory consultation of the FDPIC in connection with data protection impact assessments, in which the planned processing still poses a high risk to the privacy of the data subjects despite the measures envisaged, is no longer required if the data protection advisor is consulted instead. 

Can SMEs develop a data protection concept on their own? Are there templates?

This depends on whether the company has the appropriate skills, such as a competent data protection specialist or a legal department. Otherwise, we strongly recommend seeking external support.

What does a company need to do to comply with data protection provisions?

  • Review and adapt Privacy Statements on the Internet and data protection clauses on promotional and contractual documents.
  • Create or amend internal guidelines for data processing.
  • Create a data processing directory.
  • Implement a process that ensures the timely handling of data subject rights (e.g., requests for information or deletion).
  • Implement a process for data breach notification.
  • Implement a process for data protection impact assessment, in particular when extensive processing of particularly sensitive data takes place or new high-risk processing technologies are used.
  • Check the contracts with the processors (third parties). In particular, the inclusion of a notification obligation in the event of data protection breaches and in the event of disclosure to subcontractors is recommended. Furthermore, the responsible party must ensure that data security is guaranteed.
  • Ensure that personal data is deleted or anonymized as soon as it is no longer required for the purpose of processing.
  • Clarify the countries in which personal data is disclosed and ensure that this is done only in those countries that provide adequate protection. This also applies to storage on systems abroad (cloud). The Federal Council publishes a corresponding list. If countries do not appear on this list, data may still be exported under certain conditions, such as with the express consent of the data subjects.
  • Ensure data security through suitable technical and organizational measures. In other words: Data security breaches should be avoided. Since data transmission by email is insecure, email encryption should be available at least for particularly sensitive personal data.
  • Ensure data portability, i.e. data output in a common electronic format (similar to the GDPR), if the data is processed electronically and, above all, in direct connection with the conclusion or performance of a contract.
  • Appoint a data protection advisor (recommended). Under the GDPR, however, the appointment of a data protection officer is mandatory.

How can companies protect themselves against data breaches due to cyber attacks?

Data protection is very important in Switzerland, and cyber attacks can lead to serious breaches of data protection laws, for example through the misuse of sensitive customer data. In such cases, companies must not only comply with their statutory reporting obligations, but also expect high costs and legal claims.

Cyber insurance protects your company by covering justified claims, defending against unjustified claims, and minimizing financial losses due to business interruptions or data loss. Companies also benefit from immediate help from IT security experts who help with loss mitigation and recovery.

Conclusion

The revised data protection provisions prescribed by Swiss law present companies with new challenges, but also opportunities. Stricter requirements on transparency, security, and accountability require adjustments to processes and systems. At the same time, the law strengthens the trust of customers and partners, which increases competitiveness in the long term. 

Companies that deal with the requirements at an early stage and implement them consistently not only minimize legal risks, but also position themselves as trustworthy players in an increasingly digitized world.