GDPR (General Data Protection Regulation)

The GDPR (General Data Protection Regulation, Regulation (EU) 2016/679) is the EU's central data protection law. It can also bind a Swiss company with no EU establishment, as soon as that company targets people in the EU or monitors their behavior.

The GDPR (in German, DSGVO) governs how organizations handle the personal data of people in the EU. For companies in Switzerland it is the EU counterpart to the nFADP: many businesses fall under both regimes at once, because the revised Swiss law was deliberately aligned with the GDPR to preserve the free flow of data with the EU. Note: This article is a general overview, not legal advice.

When does the GDPR apply to a Swiss company?

A company based in Switzerland with no establishment in the EU still falls under the GDPR as soon as it deliberately targets people in the EU or monitors their behavior (Art. 3(2) GDPR). Typical triggers are an online shop that ships and prices in euros, marketing in an EU language, or tracking EU visitors for profiling. If you serve customers in Switzerland only, you are usually not affected. The widespread “we’re a Swiss business, so the GDPR doesn’t apply” is therefore only true as long as you have no connection to the EU.

Which rights and obligations are central?

The GDPR grants data subjects far-reaching rights and ties every processing activity to a legal basis.

  • Legal basis: Every processing activity needs one of the six grounds in Art. 6, such as consent, a contract, or a legitimate interest.
  • Right of access: Under Art. 15, data subjects can request a copy of their data and information on purposes, recipients, and retention periods.
  • Breach notification: As a rule, you report a personal data breach to the competent supervisory authority within 72 hours (Art. 33 GDPR).

GDPR and the revised FADP: the key differences

The two laws are closely aligned but differ on points that matter in practice:

  • Fines: The GDPR provides for fines up to EUR 20 million or 4% of worldwide annual turnover (Art. 83). The nFADP caps fines at CHF 250,000, levied against responsible individuals rather than the company.
  • Data protection officer: Mandatory under the GDPR in certain cases, only recommended in Switzerland.
  • Consent: The GDPR leans more heavily on consent, while the nFADP more often lets a legitimate interest suffice.