AnyLearn
All lessons
Law & Complianceintermediate

Data Protection Under the EU GDPR and the Revised Swiss FADP

Learn how the EU GDPR and the revised Swiss Federal Act on Data Protection actually work: who they bind, when they apply across borders, the lawful bases and rights they create, and how enforcement and sanctions differ between the two regimes.

Not signed in: your progress and quiz score won't be saved.
Progress1 / 11

Two regimes, one architecture

The EU General Data Protection Regulation (Regulation 2016/679, the GDPR) and the revised Swiss Federal Act on Data Protection (the FADP or nFADP, in force since 1 September 2023) govern how organizations handle information about people. They share a common architecture: define what counts as personal data, decide who is responsible, set principles for lawful handling, grant rights to individuals, and back it all with supervision and sanctions.

They are not identical. The GDPR applies as directly binding law across the EU and European Economic Area. The FADP is Swiss federal statute, deliberately revised to stay close to the GDPR so that data can keep flowing between the two. This lesson maps the shared mechanics and flags where Switzerland diverges, so you can reason about a processing activity under either regime.

Full lesson text

All 11 steps on one page, for reading, reference, and search.

Show

1. Two regimes, one architecture

The EU General Data Protection Regulation (Regulation 2016/679, the GDPR) and the revised Swiss Federal Act on Data Protection (the FADP or nFADP, in force since 1 September 2023) govern how organizations handle information about people. They share a common architecture: define what counts as personal data, decide who is responsible, set principles for lawful handling, grant rights to individuals, and back it all with supervision and sanctions.

They are not identical. The GDPR applies as directly binding law across the EU and European Economic Area. The FADP is Swiss federal statute, deliberately revised to stay close to the GDPR so that data can keep flowing between the two. This lesson maps the shared mechanics and flags where Switzerland diverges, so you can reason about a processing activity under either regime.

2. Who and where: material and territorial scope

Material scope is about what activity is covered: both laws apply to processing of personal data, whether automated or in structured manual filing systems.

Territorial scope decides which organizations are bound. The GDPR reaches beyond EU borders. Under Article 3 it applies to any controller or processor established in the EU, and also to those outside the EU when they either offer goods or services to people in the EU, or monitor the behavior of people in the EU. A shop in Zurich selling to French customers can fall under the GDPR through this extraterritorial reach.

The FADP applies to processing that has an effect in Switzerland, even by organizations based abroad. A key change in the revision: the FADP now protects only the data of natural persons. The previous act also covered legal persons (companies); that protection was dropped, moving the FADP closer to the GDPR, which has always covered natural persons only.

3. Personal data and special categories

Personal data is any information relating to an identified or identifiable natural person: a name, an ID number, an email address, a device identifier, or a combination of details that singles someone out. If a person can be identified, directly or indirectly, the data is personal.

A subset gets stricter treatment. The GDPR calls these special categories (Article 9): data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, plus genetic data, biometric data used for identification, health data, and data about sex life or sexual orientation. Processing them is prohibited unless a specific exception applies (for example explicit consent, or processing necessary for healthcare).

The FADP uses the parallel term sensitive personal data, covering a similar list and adding categories such as data on administrative or criminal proceedings and social-assistance measures. Sensitive data triggers heightened obligations under both regimes.

4. Roles: controller, processor, joint controllers

Responsibility is assigned by role, not job title.

  • Controller: the party that determines the purposes and means of processing (why and how). The controller carries the primary legal accountability.
  • Processor: a party that processes personal data on the controller's behalf and on its instructions, such as a cloud host or a payroll bureau.
  • Joint controllers: two or more parties that jointly decide purposes and means; they must arrange their respective responsibilities transparently.

Under GDPR Article 28, a controller may only use a processor under a binding contract (a Data Processing Agreement) that fixes the subject matter, duration, purpose, security measures, sub-processor rules, and deletion or return of data at the end. The FADP mirrors this: a controller may delegate processing to a processor only if the data is handled as the controller itself would be permitted to, and if no legal or contractual duty of confidentiality prohibits it. The contract is the control mechanism.

5. Lawful basis and the FADP's principles

Under the GDPR, every processing activity needs a lawful basis from Article 6. There are exactly six:

  1. Consent of the data subject
  2. Contract: necessary to perform a contract with the person
  3. Legal obligation on the controller
  4. Vital interests: to protect someone's life
  5. Public task: exercise of official authority
  6. Legitimate interests of the controller, balanced against the person's rights

Pick one before you process; consent is not always the right or easiest choice.

The FADP is structured differently. It does not require a private person to point to a statutory justification for every processing operation. Instead, lawful processing must respect core principles: lawfulness, good faith, proportionality, purpose limitation (data used only for the stated purpose), and transparency. A justification (such as consent or an overriding interest) is needed mainly when a principle is breached or sensitive data is disclosed to third parties.

6. Rights of the data subject

Both regimes give individuals a toolkit of rights they can exercise against a controller. The core GDPR rights (Articles 15 to 22):

RightWhat it lets a person do
AccessGet a copy of their data and how it is used
RectificationCorrect inaccurate data
ErasureHave data deleted ("right to be forgotten")
RestrictionFreeze processing while a dispute is resolved
PortabilityReceive their data in a machine-readable format
ObjectionStop certain processing, e.g. direct marketing

There is also a right not to be subject to a solely automated decision with legal or similarly significant effects, including profiling, unless a narrow exception applies. The FADP grants a comparable set, centered on the right to information (access) and to have data corrected or deleted, and it likewise addresses automated individual decisions. A controller must generally respond to a request within a defined period and cannot charge for it except in narrow cases.

7. Transparency, records, DPIA, and the DPO

Compliance has to be documented, not just intended.

  • Privacy notice: controllers must tell people, at collection, who is processing their data, why, on what basis, how long it is kept, and how to exercise rights. The FADP broadened this duty to inform, including on data disclosures abroad.
  • Records of processing: an internal inventory of processing activities. The GDPR (Article 30) requires it, with an exemption for some smaller organizations; the FADP requires a register of processing activities with an exemption for small companies under a headcount threshold whose processing is low-risk.
  • Data Protection Impact Assessment (DPIA): a documented risk analysis required before processing likely to result in a high risk to individuals (large-scale sensitive data, systematic monitoring, new technologies).
  • Data Protection Officer / adviser: the GDPR mandates a DPO in defined cases (e.g. large-scale monitoring or sensitive-data processing); the FADP makes a data protection adviser voluntary for private companies but useful.

8. When data breaches happen

A personal data breach is a security failure leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. It is not only hacking; a lost laptop or an email sent to the wrong list can qualify.

Under the GDPR, once a controller becomes aware of a breach it must notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware, unless the breach is unlikely to result in a risk to individuals. When the risk to individuals is high, the affected people must also be informed. A processor must notify its controller without undue delay.

The FADP also requires notifying the Swiss authority (the FDPIC) of a breach, but the trigger is calibrated to risk: notification is required when the breach is likely to result in a high risk to the affected persons, and it must be made as quickly as possible. The obligation to document breaches internally applies regardless of whether they are reported.

9. Moving data across borders

Personal data does not lose its protection when it leaves the country. Both regimes restrict cross-border transfers to places without adequate protection.

The primary route is an adequacy decision: the EU (or the Swiss Federal Council) formally recognizes that a third country offers protection comparable to its own, and transfers may then flow freely. The EU has recognized Switzerland as providing an adequate level of protection, and Switzerland reciprocally lists the EEA, so EU-Switzerland flows are straightforward.

When no adequacy decision covers the destination, the exporter must supply its own safeguard. The most common is a set of Standard Contractual Clauses (SCCs): pre-approved contract terms that bind the importer to protect the data. Depending on the destination, a transfer impact assessment and supplementary measures may be needed. A Swiss controller relies on FADP-recognized mechanisms (Swiss-adapted SCCs, an adequacy listing, or specific derogations) to achieve the same result.

10. Deciding a cross-border transfer

The decision path an exporter follows before sending personal data abroad.

flowchart TD
A["Planned transfer of personal data abroad"] --> B["Is the destination covered by an adequacy decision?"]
B --> C["Adequate: transfer may proceed"]
B --> D["Not adequate: appropriate safeguard needed"]
D --> E["Put Standard Contractual Clauses in place"]
E --> F["Assess destination risk and add supplementary measures"]
F --> G["Transfer may proceed under safeguards"]
D --> H["No safeguard available: rely on a specific derogation or do not transfer"]

11. Supervision, enforcement, and sanctions

Each regime is enforced by an independent authority, but the sanction models differ sharply.

In the EU, each member state has a national Data Protection Authority (supervisory authority). The European Data Protection Board (EDPB) coordinates them for consistent application across borders. The headline sanction is the administrative fine: up to 20 million euros or 4% of total worldwide annual turnover, whichever is higher, for the most serious infringements (a lower tier caps at 10 million euros or 2%). Fines land on the organization.

In Switzerland, the Federal Data Protection and Information Commissioner (FDPIC) supervises and can open investigations and order corrective measures. The revised FADP does not use turnover-based corporate fines. Instead it provides criminal fines of up to CHF 250,000, imposed by cantonal authorities on the responsible individual (for example a manager) for specific breaches such as failing to inform, breaching duties of care, or violating confidentiality. The contrast: EU sanctions scale with company revenue; Swiss sanctions are capped and target responsible persons.

Check your understanding

The lesson ends with a 5-question quiz. Take it in the player above to see your score.

  1. A company based in the United States, with no EU establishment, runs a website that lets people in Germany buy its products in euros. Under GDPR Article 3, is it bound by the GDPR?
    • No, because it has no establishment inside the EU
    • Yes, because it offers goods or services to people in the EU
    • Only if it also has employees living in the EU
    • No, because US law governs any US-based company exclusively
  2. Which statement correctly describes a change made by the revised Swiss FADP compared with the old act?
    • It extended protection to the data of legal persons for the first time
    • It removed protection for the data of legal persons, covering only natural persons
    • It abolished the requirement to notify data breaches entirely
    • It replaced criminal fines with turnover-based corporate fines
  3. Under the GDPR, a controller wants to process customer data to send marketing emails. Which of the following is NOT one of the six lawful bases in Article 6 it could consider?
    • Consent of the data subject
    • Legitimate interests of the controller
    • Performance of a contract with the data subject
    • Certification by an approved industry auditor
  4. A processor discovers a personal data breach affecting a controller's customers. Under the GDPR, what is the processor's primary notification duty?
    • Notify the supervisory authority directly within 72 hours
    • Notify the affected individuals immediately
    • Notify the controller without undue delay
    • Notify the European Data Protection Board and the controller jointly
  5. How do the maximum sanctions differ between the GDPR and the revised FADP for serious violations?
    • Both cap fines at 20 million euros regardless of turnover
    • The GDPR fines individuals; the FADP fines companies by turnover
    • The GDPR allows fines up to 20 million euros or 4% of worldwide turnover; the FADP imposes criminal fines up to CHF 250,000 on responsible individuals
    • The FADP allows higher fines than the GDPR because it is criminal law

Related lessons