nFADP (revised Federal Act on Data Protection)
The revised Swiss Federal Act on Data Protection (nFADP, in German nDSG), effective 1 September 2023, governs how personal data must be handled by businesses operating in or targeting Switzerland.
The nFADP (revised Federal Act on Data Protection) is Switzerland's modernized data protection law, replacing the original FADP of 1992; it came into force on 1 September 2023. In German it is the nDSG (neues Datenschutzgesetz). Swiss-domestic writing uses that acronym, while English-language and international writing usually uses nFADP or revised FADP.
Key Requirements for Businesses
- Transparency: Businesses must inform individuals about the collection and processing of their personal data.
- Data minimization: Only collect data that is necessary for the stated purpose.
- Privacy by design and by default: Data protection must be built in from the design phase of any system, and default settings must limit processing to what the purpose requires.
- Breach notification: A data security breach must be reported to the FDPIC (Federal Data Protection and Information Commissioner) as quickly as possible when it is likely to result in a high risk to the personality or fundamental rights of the affected individuals; affected individuals must be informed when this is necessary for their protection or when the FDPIC requests it.
- Data Protection Impact Assessments (DPIA): Required where planned processing may entail a high risk to the personality or fundamental rights of the data subjects.
Separately from the nFADP, the Information Security Act (ISA) has since 1 April 2025 required operators of critical infrastructure to report cyberattacks to the BACS (Federal Office for Cybersecurity) within 24 hours of discovery, with fines of up to CHF 100,000 for failing to comply. This is a cybersecurity reporting duty, not a data protection one, but the two obligations can be triggered by the same incident.
Who Does It Apply To?
The nFADP applies to the processing of personal data of individuals in Switzerland, and to any processing that has an effect in Switzerland, regardless of where the organization is based or where the processing is initiated. This means foreign companies targeting Swiss customers must also comply.
Penalties
Unlike the previous law, the nFADP provides for personal criminal liability of the responsible individuals, with fines of up to CHF 250,000 for willful violations of specific duties (such as the duties to inform, to cooperate with the FDPIC, and to observe due diligence). The fines are imposed by the cantonal prosecution authorities, not by the FDPIC, and they target individuals rather than companies; only where identifying the responsible individual would require disproportionate effort can the company itself be fined, up to CHF 50,000.
How It Differs from GDPR
While similar in spirit to the EU’s GDPR, the nFADP has notable differences:
- Fines are criminal fines against individuals, not administrative fines against companies (the company can be fined only in the limited case where the responsible person cannot be identified with reasonable effort)
- No requirement to appoint a Data Protection Officer (a voluntary data protection advisor is possible and recommended)
- Consent is not always required: processing is generally lawful unless it unlawfully breaches personality rights, and an overriding private or public interest can justify it
- A different catalogue of "sensitive personal data": for example, data on administrative or criminal proceedings and sanctions and on social assistance measures is sensitive under Swiss law, which is not a GDPR special category
Technical Measures the nFADP Expects
The law requires "appropriate technical and organizational measures" to protect personal data, proportionate to the risk, but it does not prescribe specific technologies. The Data Protection Ordinance (DPO) fills this in with protection objectives (access, input, transport, storage and user control; confidentiality, availability, integrity and traceability) and a logging duty for large-scale automated processing of sensitive data. In practice, measures that are commonly used to meet these objectives include:
- Encryption for data at rest and in transit
- Multi-factor authentication for systems handling personal data
- A VPN or equivalent authenticated, encrypted channel for remote access to company systems
- A firewall to control network access
- Endpoint protection against malware and ransomware
- Logging of processing activities, retained long enough to reconstruct who did what to which data