Switzerland is a federation comprising 26 federated states (cantons) as well as a federal government. This leads to a layered body of laws as well as, at times, a decentralised official approach to cybersecurity. Cybersecurity in Switzerland remains closely tied to the area of data protection. Cybersecurity is frequently perceived as an off-shoot – or even a synonym – of data security, which, as the name suggests, targets the security and resilience of data processing and storage activities.
On a federal level, the Swiss Constitution of 18 April 1999 protects the right to privacy, in particular the right to be protected against misuse of personal data (Article 13). The collection and use of personal data by private bodies are regulated on a federal level and are mainly governed by the Swiss Data Protection Act (the Federal Act on Data Protection; FADP) and its ordinances, including the Federal Data Protection Ordinance (DPO).
Data processing by public bodies is governed by the FADP for federal bodies, which includes private organisations performing public tasks such as health insurance providers, pension funds and many others, and by cantonal (for example, the Information and Data Protection Act of the Canton of Zurich) and communal laws for cantonal and communal bodies.
The FADP was revised in order to implement the revised Council of Europe’s Convention 108 and to more closely align with the EU General Data Protection Regulation (GDPR). The revised FADP and DPO entered into force on 1 September 2023.
While the FADP and the GDPR are similar in their approach and purpose, there are notable differences. For example, there is a data breach notification obligation under the FADP similar to that under the GDPR, but the trigger for notifying a personal data breach to the Swiss data protection authority, the Federal Data Protection and Information Commissioner (FDPIC), is “high risk”, whereas under the GDPR any relevant risk requires notification. Another key difference is the level of activity by the relevant authorities: while many supervisory authorities within the European Economic Area (EEA) are more active, providing guidance and/or enforcing the GDPR, the FDPIC is generally reluctant to take a decisive stance and rarely provides guidance for private actors. However, the FDPIC has initiated several investigations under the FADP.
The FADP and the DPO provide for a general requirement to ensure an appropriate level of data security in relation to personally identifiable information. The FADP calls for state-of-the-art data security measures without specifying technical standards. However, an additional specific security requirement is the obligation to keep logs to ensure that data operations are logged by federal authorities, and by private actors that process sensitive data on a large scale or carry out “high-risk profiling”, a form of profiling that leads to personality profiles. These logs must be relatively granular and must be kept for at least one year, separately from the productive environment. In addition, the FADP imposes certain conditions on controllers and processors, such as a duty to notify data security breaches to the FDPIC, and potentially to data subjects. Additional compliance and documentation measures, such as data protection impact assessments and keeping records of processing activities, as well as an obligation to maintain processing regulations, have also been introduced.
The Information Security Act (ISA) of 18 December 2020, which entered into force on 1 January 2024, governs information security practices within the federal government and its administrative bodies. Under the ISA, several ordinances further specify and implement information security requirements and also repeal (inter alia) the Ordinance on the Protection against Cyber Risks in the Federal Administration (CyRV). Importantly, a significant feature of the ISA is the introduction of a reporting obligation for cyber-attacks for public authorities such as universities, federal, cantonal and municipal agencies, as well as inter-cantonal, cantonal and intercommunal organisations, and for providers of critical infrastructures, for example in the energy, finance, healthcare, insurance, transport, communication and IT sectors. In-scope organisations must report cyber-attacks to the National Cyber Security Centre (NCSC) within 24 hours, where the relevant thresholds and definitions are met. It is currently expected that this obligation will come into force in the first half of 2025.
Apart from the ISA, cybersecurity remains mostly regulated by a patchwork of various acts and regulatory guidance, which deal explicitly or implicitly with cybersecurity in the private sector. These laws include:
However, the Swiss government has given cybersecurity increasing attention in the past few years, and the absence of an overarching ad hoc law on cybersecurity may appear misleading given the importance and national relevance of this topic. Nonetheless, this conclusion is unlikely to lead the Swiss legislator (Parliament) to issue any additional topical legislation on cybersecurity in the near future. On the contrary, the federal government has been following the National Strategy for the Protection of Switzerland Against Cyber Risks (NCS).
The NCS was last updated in April 2023. The strategy sets out the objectives and measures with which the federal government and the cantons, together with the business community and universities, intend to counter cyberthreats. A steering committee has been established to plan and co-ordinate the implementation of the strategy. The revised NCS builds on previous strategies, adding content and precision. It defines 17 measures, each contributing to five strategic objectives, namely:
However, the NCS does not foresee the implementation of a dedicated cybersecurity legislation, instead focusing on modernising various pre-existing laws. The updated NCS is testimony to the continued growth in relevance of cybersecurity in Switzerland, as well as perhaps the increased global threat posed by cyber-risks.
A further manifestation of the government’s interest in cybersecurity is another governmental venture, the Digital Switzerland Strategy. The Digital Switzerland Strategy sets guidelines for Switzerland’s digital transformation, and is updated annually by the Federal Council, each time with three focus topics. It is binding on the federal administration and provides guidance for other stakeholders involved in digitalisation. The first draft was published in 2016, and updates arrived in 2018, 2020 and 2023. On 13 December 2024, the Federal Council adopted the updated Digital Switzerland Strategy for 2025, with a focus on artificial intelligence (AI), strengthening cybersecurity and promoting open source in the federal administration.
In 2023, the Federal Council approved the new Digital Administration Switzerland Strategy 2024–27, which defines the fields of action to be prioritised in order for the confederation, cantons and cities and municipalities to jointly determine how the digital transformation of administrations is to be driven forward. A second strategy approved by the Federal Council is the digital federal administration strategy, which creates a framework for digital transformation projects in the federal administration.
The FDPIC is a body established on a federal level under the FADP. The FDPIC supervises compliance with the FADP and other federal data protection legislation by federal bodies and advises private bodies. On its own initiative, or at the request of a third party, the FDPIC may carry out investigations into data processing by private bodies. In addition, each canton has its own data protection authority, which is generally competent to supervise cantonal and communal bodies (but not private parties, which are subject to the FDPIC’s authority). Other regulators, such as FINMA, may play a role in the enforcement of data protection (see the following).
It is also worth mentioning here that the key official actor in the cybersecurity area in Switzerland is the NCSC, which is now integrated into the new Federal Office for Cyber Security (Bundesamt für Cybersicherheit; BACS) within the Federal Department of Defence, Civil Protection and Sports (DDPS). Indeed, in an effort to centralise the administrative activities in this area, other actors such as the Reporting and Analysis Centre for Information Assurance (MELANI), GovCert and the Cybercrime Coordination Unit (CYCO) became an integral part of the NCSC and now BACS. Tasks include raising public awareness, receiving reports on cyber-incidents and supporting operators of critical infrastructures in managing these incidents. Protection of the federal administration against cyber-attacks is now a key task of a new specialist unit within the new State Secretariat for Security Policy (Sepos), also within the DDPS.
The FDPIC has the right to carry out investigations and has direct enforcement powers, including the right to direct the controller to change, suspend or cease processing activities. In the course of an investigation, the FDPIC has the right to demand the production of documents, make inquiries and ask for a demonstration of a particular type of processing of personal data. Binding orders by the FDPIC may be published, stating the name of the investigated party (“naming and shaming”). Failure to comply with a binding order may, if referred to criminal prosecution, incur a criminal fine against the responsible individuals of up to CHF250,000. Such fines can also be levied by the criminal courts against the responsible individual(s) in cases of non-compliance with minimum legal data security requirements, though it is doubtful whether the legislator has indeed provided for such minimum requirements. Most data security regulations under the FADP and DPO are very general in nature or focus on accountability, rather than security, except maybe for the obligation to ensure that certain higher-risk data operations are logged, as noted in the foregoing.
The FDPIC’s increased (compared to the prior version of the FADP) powers and the more dissuasive criminal sanctions are seen as one of the most significant novel aspects of Swiss data protection legislation.
Any investigation by the FDPIC is subject to the Federal Act on Administrative Procedure (APA), which provides for due process rights for the investigated party and third parties – for example, rights to refuse to testify. The procedure before the Federal Supreme Court is regulated by the Federal Act on the Supreme Court.
In the banking and financial markets sector, the regulator, FINMA, supervises the relevant actors (namely banks, insurance companies, financial institutions, collective investment schemes and fund management companies) and plays a role in the cybersecurity realm. Indeed, given the importance of the financial industry in Switzerland, data security and cybersecurity are core concerns. FINMA publishes an annual risk monitor as an overview of the risks it sees as particularly significant; the 2024 version highlights that cyber-risks remain one of the biggest operational risks, notes a growing number of cyber-attacks against service providers and stresses the need for financial institutions to strengthen their oversight and control activities with regard to service providers.
FINMA has also updated its Circular 2023/1 Operational Risks and Resilience – Banks, with the updates coming into force on 1 January 2024. It requires banks and investment firms to report certain cyber-attacks within 24 hours of becoming aware of them and to submit a full report within 72 hours. FINMA has recently clarified in its Guidance 03/2024 that, where a third-party provider is affected by a reportable incident, the 24-hour deadline starts with the provider becoming aware of the incident, requiring banks to agree shorter notification periods with their providers.
In case of a breach of the sectoral rules, FINMA has a varied toolbox of enforcement means. These include the revocation of licences to practise, fines or even custodial sentences. FINMA also occasionally, and for preventative purposes, relies on a “name and shame” strategy, meaning that the author of any offence against the regulatory rules is publicly named.
As noted in the foregoing, the revised FADP introduces stricter enforcement mechanisms than its older version. Unlike the EU’s GDPR, the FADP focuses on holding individuals personally accountable. Criminal law fines for intentional violations can reach up to CHF250,000 and apply to individuals with decision-making authority. Key infractions include failing to provide required information to data subjects, non-cooperation with investigations by the FDPIC, unauthorised cross-border data transfers and breaches of confidentiality obligations. However, negligence is not punishable, and some violations, such as failing to report data breaches, do not attract fines. Enforcement typically requires a complaint from an affected individual.
However, the FDPIC has become more active in investigating potential violations of the FADP. For example, in May 2023, a ransomware attack on the company Xplain led to the publication of a significant volume of personal data, including sensitive information from the federal administration, on the darknet. Following this breach, the FDPIC initiated investigations into the Federal Office of Police (fedpol) and the Federal Office for Customs and Border Security (FOCBS), and into Xplain itself. Other prominent investigations under the old FADP included Digitec Galaxus, one of Switzerland’s largest online retailers, for customer accounts and personalised ads, and TX and Ricardo, a major Swiss media company and the Swiss equivalent of eBay, for tracking and personalised ads. These investigations resulted in non-binding recommendations under the then-current FADP.
Under the current FADP, several investigations have concluded or are ongoing, but – so far and to the extent known – without broader impact.
In Switzerland, there is currently no overarching regulation of the use of AI.
The FDPIC has published multiple statements and non-binding guidelines on how to address data protection matters in this area. In this context, the FDPIC pointed out that the Data Protection Act, in force since 1 September 2023, is directly applicable to AI-based data processing.
Further, sector-specific regulations address particular data protection issues. For example, the Swiss government has also created a general frame of reference for the use of AI within the federal administration, and FINMA issued binding guidelines on outsourcing and data security for the financial and insurance sector.
The following FADP safeguards can be applied to AI systems.
Finally, on 12 February 2025, the Federal Department of the Environment, Transport, Energy and Communications (DETEC) and the Federal Department of Foreign Affairs (FDFA) presented to the Swiss Federal Council an overview of possible regulatory approaches to AI. On the basis of this overview, the Swiss Federal Council has decided on a Swiss regulatory approach for AI based on three objectives: strengthening Switzerland as a location for innovation, safeguarding the protection of fundamental rights, including economic freedom, and increasing public trust in AI. To achieve these objectives, the Swiss Federal Council has set the following key steps for the future: incorporation of the Council of Europe’s AI Convention into Swiss law; sector-specific legislation as far as required (cross-sector regulation), to be limited to central areas relevant to fundamental rights; and non-binding measures.
As mentioned in the foregoing, there is no specific law in Switzerland governing the use of AI.
In this respect, general laws apply to the use of AI systems. These include, for example:
Industry-specific regulation may apply as well. A few supervisory authorities have already published their expectations in relation to the use of AI, in particular FINMA with its Guidance 08/2024 Governance and Risk Management when using Artificial Intelligence, published on 18 December 2024.
Private actors have also started to set non-binding rules. This applies to exposed actors, such as:
Numerous private companies have also issued or are in the process of issuing guidelines, codes and instructions, some of which are public and some of which are not.
In addition, in certain cases, the EU AI Act will be applicable to Swiss companies trading with the EU market or otherwise working with EU counterparties, who may be exposed to AI-generated output.
Switzerland has implemented the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) through the FADP.
In addition, although Switzerland is not a member of the EU or the EEA and is under no obligation to implement the EU GDPR, the EU is Switzerland’s most important partner, and ensuring a level playing field for Swiss and EU-based companies is an important policy objective. The FADP largely aligns with the GDPR, such that a company that complies with the GDPR should generally be in compliance with the FADP (with some exceptions and caveats). Moreover, revising the FADP has been a key factor in the European Commission’s confirmation on 15 January 2024 of its finding that Switzerland’s data protection legislation provides an adequate level of data protection under the GDPR.
For data processing in relation to criminal prosecution, and in the framework of police and judicial co-operation, Switzerland transposed, on 30 January 2019, EU Directive 2016/680 into domestic Swiss legislation through the FADP. It expedited the adoption of this piece of legislation, with the relevant changes entering into force on 1 March 2019.
The most important developments are the entry into force of the FADP on 1 September 2023 and the new ISA (see 1.1 Overview of Data and Privacy-Related Laws).
The Swiss government’s efforts to bolster and centralise cybersecurity and cyberdefence activities are also a promising and ongoing development. In that respect, many commentators have been sounding the alarm as it appears that Swiss companies as well as public bodies (often on the municipal level) have not been taking cyberthreats seriously enough – a concern only exacerbated by the Xplain and Concevis attacks (see the Swiss Trends & Developments chapter in this guide and 1.4 Data Protection Fines in Practice).
Public attention remains high. This stems from the stream of data breaches, locally and internationally, and the increased awareness of data protection worldwide, but also from some cybersecurity considerations affecting national security. In this latter category, the war in Ukraine and the international geopolitical situation, combined with the roll-out of next-generation technologies, especially 5G networks, have led to a heightened awareness of cyberthreats.
It is still too early to foresee the long-term consequences of cyberthreats for the Swiss legal and regulatory landscape, though they will likely lead to questioning of Switzerland’s international policy in regard to cybersecurity, cyber-espionage and international co-operation.
Another major topic is the issue of cyber-attacks in Switzerland. In recent years, the number of cyber-attacks on the infrastructure of Swiss companies has increased significantly. This worrisome trend has also shown the relative exposure of many Swiss companies, of all sizes, as well as public bodies, and is an alarming reminder of the ubiquity and damaging nature of cyberthreats.
In December 2022, the Federal Council submitted a draft bill to Swiss Parliament to amend the Federal ISA. This draft creates a legal basis for the obligation of operators of critical infrastructures to report cyber-attacks to which they have been subjected. The term “critical infrastructure” does not only include energy supply companies, hospitals, civil aviation and telecommunications providers – universities, authorities at all federal levels, banks, insurance companies and financial market infrastructure may also fall within the scope. It is expected that the revised regulation will enter into force in the first half of 2025.
As mentioned in 1.1 Overview of Data and Privacy-Related Laws, Switzerland is a member of neither the EU nor the EEA, and it therefore has no obligation to implement the GDPR. Switzerland is recognised by the EU as providing an adequate level of data protection. This was decided on 26 July 2000 by the Commission of the European Communities and was confirmed on 15 January 2024.
As a member state of the Council of Europe, Switzerland has ratified Convention ETS 108 and the Additional Protocol of 2001 and implemented them into its own law. Convention ETS 108 is the first and, to this day, the only binding international instrument in the field of data protection law. It is part of the case law of the European Court of Human Rights (ECtHR), as it is consulted by the Court when interpreting Article 8 of the European Convention on Human Rights (ECHR). This is reflected in Swiss jurisprudence; since Switzerland has incorporated the ECHR into its own law, the ECtHR is considered the highest instance with regard to the protection of human rights. The Federal Council also formally signed Convention 108+ in November 2020.
Data protection laws at cantonal level only apply to data processing by the respective cantons or cantonal authorities. In addition to the revisions at the federal level, corresponding revisions of the cantonal data protection laws must also take place. To date, only some cantons have completed the necessary revision of their data protection laws; others are still in the process of doing so.
Regarding the relationship between Switzerland and the UK, the UK government has the power to make its own adequacy regulations in relation to third countries such as Switzerland. At the moment, such UK adequacy regulations include Switzerland. As for the agreement on the mutual recognition of data protection levels between Switzerland and the United States, see 5.5 Recent Developments.
Concerning recent case law, see the Swiss Trends & Developments chapter in this guide and 1.4 Data Protection Fines in Practice.
Though some basic collective action schemes do exist (with no immediate possibility for the claimants to move for damages), class actions are not permitted in Switzerland. There is an ongoing discussion to provide for class actions in civil proceedings. Proponents of such class actions received a setback in 2020, with the Swiss government deciding against including class actions in the revision of the Swiss Civil Procedure Code. However, in December 2021, the Federal Council launched a new process towards the introduction of collective redress in the Swiss Civil Procedure Code, to allow for the assertion of claims for compensation and the possibility of collective settlements in a new representative action procedure. However, the National Council’s Legal Affairs Committee came to the conclusion, in July 2023, that measures to prevent misuse of class action instruments should be examined further. Debates are currently underway in the Federal Parliament, but the risk of “Americanisation” of the judicial system frightens many members of the National Council’s Legal Affairs Committee, which proposed on 18 October 2024 to abstain from going ahead with the project concerning the collective exercise of rights.
This goes to show that class actions remain a hotly debated topic, both as a matter of principle and regarding the specificities of such legal instrument, and it is uncertain whether, or in what form, they will make it into the law.
There has been little specific legislative effort directed at the internet of things (IoT) and supply chain actors. This mostly relates to Switzerland’s technologically neutral approach to legislative action. Therefore, the general requirements under the FADP in terms of data security play a predominant role, though sector-specific rules may come into play as well. That said, updates to telecommunications legislation that took effect on 1 January 2023 brought about, in particular, increased network security requirements, especially in the form of reinforced anti-piracy and anti-tampering mechanisms to handle malicious activities; in addition, operators of 5G networks and of services that run on these networks have to implement an information security management system.
There are no specific cybersecurity and data breach notification rules pertaining to the IoT. However, various authorities serve as valuable contact points. In particular, the FDPIC and BACS play an important role – the former in matters pertaining to data protection and data security, the latter for any voluntary notification of a cyber-incident.
Security requirements around the IoT are also a priority for the government, which mentioned in its Digital Switzerland Strategy (see 1.1 Overview of Data and Privacy-Related Laws) the need for the industry to implement state-of-the-art cybersecurity measures to accompany the growth of the IoT on the Swiss market.
In the financial and banking sector, FINMA Circular 2008/21 Operational Risks at Banks, and its replacement Circular 2023/01, contain a notification duty in certain data breach cases. This Circular provides that banks must have a clear communication strategy in case of serious incidents pertaining to client-identifying data (CID); this communication strategy must specify when it is necessary to notify FINMA, criminal prosecution authorities, the clients concerned and the media.
Concerning the interplay between data regulation and data protection requirements in Switzerland, see 1.1 Overview of Data and Privacy-Related Laws.
Concerning the obligations set out in the laws regulating the use of IoT services and data processing services in Switzerland, see 1.1 Overview of Data and Privacy-Related Laws and 1.3 Enforcement Proceedings and Fines.
Concerning the bodies designed to enforce the data regulation in Switzerland, see 1.2 Regulators.
Since 2007, the use of cookies has been regulated in the Swiss TCA. Website operators must inform the user about the processing and its purpose, but it is not mandatory to use a cookie banner under Swiss law. They must also note that the user may refuse to allow processing and how cookies can be deactivated in the user’s browser. In Switzerland, the opt-out principle applies. If a cookie banner is used then, depending on how it works, the principle of privacy by default may apply.
On 22 January 2025, the FDPIC published non-binding guidance on the use of cookies and similar technologies, to the extent personal data is processed. The guidance expects website and app providers to use a consent management platform and ensure that users can opt out of cookies at any time. For more intrusive tracking, the FDPIC expects consent with an option to withdraw consent at any time.
The admissibility of advertising is regulated by the Federal Act against Unfair Competition (UCA). It imposes certain limitations on electronic mass advertising. The sender may only contact target customers via electronic mass advertising if it cumulatively:
Mass advertising may reach existing customers without their prior consent, if cumulatively:
Another option for the accomplishment of a marketing campaign could be the use of postal mail. As printed marketing is not in scope of Article 3(1) of the UCA, postal mass advertising is generally permitted. Data protection restrictions may, however, apply where individuals have expressly objected to the use of their address for marketing purposes.
Non-compliance with anti-spam legislation may result in a civil law claim by individuals, consumer protection organisations or (under certain limited conditions) the federal government. Further, deliberate non-observance of the dedicated provision of the UCA constitutes a criminal offence. It should be noted, however, that enforcement of anti-spam legislation is not particularly rigorous in Switzerland.
The Swiss Data Protection Act (FADP) covers the processing of data on employees by employers. The Swiss Code of Obligations (SCO) also contains specific provisions on data processing and the protection of the privacy of employees.
Most importantly, the employer must – within the employment relationship – acknowledge and safeguard the employee’s personality rights, have due regard for their health and ensure that proper moral standards are maintained. The employer must refrain from any interference with the personality of the employee that is not justified by the employment contract and, within the framework of the employment relationship, prevent any such interference by superiors, employees or third parties. Excessive employee surveillance, for example, may be unlawful under public labour regulations.
These provisions of the SCO and the FADP are closely intertwined, and the employer may only process data on employees in two cases and only to a rather limited extent.
However, recent Swiss Supreme Court case law adds some flexibility and leaves some room for employer private interest justifications. This approach is comparable to the GDPR in the sense that an overriding private interest could justify the processing of employee data that the employment law and the SCO would otherwise not cover.
In Switzerland, an assignment of claims is generally permissible without the consent of, or even without informing, the debtor. There is therefore a general understanding that a transfer of assets does not require consent, provided that the seller ceases its own business activities in relation to the sale (but information from the seller or the purchaser remains a requirement in most cases). Stricter rules may apply where the asset deal involves a transfer of sensitive data, and even more so in case of data processed under secrecy obligations (such as patient data or CID processed by a bank or financial institution).
The FADP aims to protect the personality rights and fundamental rights of natural persons whose personal data is processed. As a consequence, the FADP contains provisions on how this protection is to be guaranteed when data is transferred abroad, for instance to a state that does not offer the same level of data protection as Switzerland does.
Controllers or processors may transfer personal data abroad if the Federal Council has determined that the legislation of the relevant state or international body guarantees an adequate level of protection. Therefore, the Federal Council determines, in a binding manner, to which countries the export of data is permitted.
On the other hand, in the absence of such a decision by the Federal Council, personal data may be disclosed abroad only if appropriate protection is guaranteed. Thus, at least one of the following conditions must be fulfilled:
Mechanisms or Derogations That Apply to International Data Transfers
The FADP provides that personal data may not be disclosed abroad where the importing state does not have legislation that guarantees an adequate level of data protection (in accordance with an annex to the DPO). However, a transfer of data to such a state may be permitted if one of the foregoing conditions is fulfilled.
Regarding standard contractual clauses (SCCs), the FDPIC formally recognised SCCs as a basis for international transfers to non-whitelisted countries, but only on the condition that the SCCs are amended slightly to account for Swiss law (and the fact that Switzerland is not an EEA member state).
Due to the extraterritorial reach of the GDPR, some data transfers may additionally be subject to the GDPR, in particular if data pertaining to EU residents is (also) transferred. Therefore, two cases should be distinguished:
For data transfers subject to the GDPR, non-amended SCCs may be used.
The EU SCCs require a “transfer impact assessment” (TIA). This also applies to Swiss companies if they use the EU SCCs under the GDPR or under the FADP. As part of a TIA, the Swiss data exporter must check in each specific case whether the laws of the recipient country regarding official access in the recipient country (eg, for the purpose of national security or criminal prosecution) and the rights of the data subjects are compatible with Swiss data protection law and Swiss constitutional principles. According to the FDPIC, the Swiss data exporter must carry out the corresponding clarifications itself and must not rely solely on the statements of the data importer.
Switzerland has recently implemented the Swiss-US Data Protection Framework (DPF) (see 5.5 Recent Developments).
Finally, the FDPIC has pointed out that internal company data protection regulations, so-called BCRs, cannot be a substitute for the conclusion of SCCs if transfers are made outside of a group of companies subject to BCRs.
Personal data may be disclosed abroad if the Federal Council has determined that the legislation of the relevant state or international body guarantees an adequate level of protection. In this case, additional safeguards are not required.
In the absence of an adequacy decision by the Federal Council, personal data may be disclosed abroad only if appropriate protection is guaranteed by certain conditions (see 5.1 Restrictions on International Data Transfers). Also in this case, no notification or approval is required for the specific data transfer, but some conditions may apply.
If there is no adequacy decision and no appropriate protection is guaranteed through appropriate safeguards, personal data may nevertheless be disclosed abroad in certain cases. The controller or processor must inform the FDPIC of this disclosure, but only upon request. These cases are as follows:
There are no specific data localisation requirements under Swiss data protection law. However, some exceptions may apply to regulated activities. For example, the Ordinance on the Electronic Patient Dossier explicitly states that the data repositories (of health data) must be located in Switzerland and must be subject to Swiss law. In addition, various provisions require that certain data remain accessible at all times from Switzerland, such as some client data processed by banks and insurance companies, but this does not usually prevent cross-border transfers or storage abroad of that data.
Swiss law contains so-called blocking statutes that can prevent or hinder the collection of evidence in multijurisdictional proceedings. As soon as an internal investigation is carried out at the request of a foreign authority or the results of such an investigation are generated with the aim of making them available to a foreign authority, two provisions of the Swiss Criminal Code (SCC) must be taken into account: Article 271 of the SCC (unlawful activities on behalf of a foreign state) and Article 273 of the SCC (industrial espionage).
According to Article 271 of the SCC, anyone who carries out activities on behalf of a foreign state, foreign party or foreign organisation on Swiss territory without lawful authority, where such activities are the responsibility of a public authority or public official, and anyone who facilitates such activities, is liable to punishment. The taking of evidence constitutes a sovereign judicial function of the courts rather than of the parties. Therefore, the taking of evidence for a foreign state court or for foreign regulatory proceedings constitutes an act of a foreign state. If such acts take place in Switzerland, they violate Swiss sovereignty and are prohibited under Article 271 of the SCC, unless they are authorised by the competent Swiss authorities or take place within the framework of mutual legal assistance proceedings. A violation of Article 271 of the SCC is punishable by imprisonment of up to three years or a fine of up to CHF540,000, or both. It is important to be aware that the transmission of evidence abroad to comply with a foreign order requiring the production of evidence does not prevent the application of Article 271 of the SCC. Furthermore, evidence can only be handed over to foreign authorities lawfully by following mutual legal assistance proceedings or by obtaining authorisation from the competent Swiss authorities.
The blocking statute in Article 273 of the SCC additionally prohibits industrial espionage. According to this article, anyone who seeks to obtain a manufacturing or trade secret in order to make it available to an external official agency, a foreign organisation, a private enterprise or the agents of any of the foregoing; and anyone who makes a manufacturing or trade secret available to a foreign official agency, a foreign organisation, a private enterprise or the agents of any of the foregoing is criminally liable.
Therefore, manufacturing and business secrets with sufficient connection to Switzerland may only be released or communicated abroad when:
On 14 August 2024, the Federal Council decided to add the United States to the list of countries with an adequate level of data protection in accordance with Annex 1 of the DPO, provided that the recipient is certified under the Swiss-US Data Privacy Framework (Swiss-US DPF). The amendment came into force on 15 September 2024. Some uncertainty remains as to the long-term reliability of the Swiss-US DPF in light of President Trump’s recent weakening of the Privacy and Civil Liberties Oversight Board, an organisation that exercises oversight within the Swiss-US DPF.
The Swiss-US DPF has the following effects in particular.
Seefeldstrasse 123
8008 Zurich
Switzerland
+41 58 658 58 58
+41 58 658 59 59
reception@walderwyss.com www.walderwyss.com
Introduction
Three key topics currently in the Swiss data protection and privacy space are the impact of the revised Swiss Data Protection Act (the Federal Act on Data Protection; FADP), which entered into force on 1 September 2023, the renewal of the EU Commission’s adequacy decision for Switzerland and the future introduction of an obligation to report cyber-attacks on critical infrastructures.
The entry into force on 1 September 2023 of the revised FADP, in particular, is a crucial development for companies in Switzerland. Businesses that have not yet done so should finalise their assessment of their compliance with the revised FADP and, if necessary, implement all actions and measures to meet its requirements.
Hot Topic One: The Revised Federal Act on Data Protection
The advent of the EU’s new General Data Protection Regulation (GDPR) put additional pressure on the Swiss legislature. The GDPR applies to the entire European Economic Area (EEA) and has a potentially worldwide reach due to its extraterritorial scope. Many Swiss companies fall within the scope of the GDPR as well due to their orientation towards the EEA.
The revised FADP entered into force on 1 September 2023. It largely follows the GDPR’s approach. However, the FADP is less formalistic and has less specific regulatory content. There are only a few aspects where the new FADP is stricter than the GDPR. Examples are the material scope of application (Article 2 of the FADP), the obligation to provide information (Article 19 of the FADP), the right of access (Article 25 of the FADP) and the existence of criminal sanctions for individuals (Article 60 et seqq of the FADP). The definition of sensitive personal data also goes slightly further than it does under the GDPR.
Territorial scope of application of the revised FADP
Although the FADP applies primarily to the territory of Switzerland, it has an extraterritorial scope of application. In particular, it can extend to processing that occurs abroad but has an effect in Switzerland. Consequently, if personal data is processed outside of Switzerland but affects natural persons in Switzerland, the controller or processor abroad must comply with the revised Swiss law. In addition, private controllers with their domicile or residence abroad must designate a representative in Switzerland if they process personal data of persons in Switzerland and the data processing meets all of the following requirements:
The Swiss representative keeps the records of processing activities (ROPA) and serves as a point of contact for data subjects and the Federal Data Protection and Information Commissioner (FDPIC). The controller must publish the name and address of such representative.
Key changes in the revised FADP
Many of the changes in the revised FADP are inspired by the GDPR and will look familiar to data protection experts who have been working with the GDPR. The following changes with respect to the former FADP should be noted.
Sensitive personal data
The list of sensitive personal data (data that requires special protection) has been expanded. The FADP also includes data on ethnicity, genetic data and biometric data that identifies a natural person, but also data relating to the intimate sphere of the data subject and data on social security measures.
Profiling
The FADP includes a legal definition of profiling that is identical to that of the GDPR, but there is also “high-risk profiling”, a special category of profiling with slightly tighter restrictions.
Privacy by design and privacy by default
The principles of “privacy by design” and “privacy by default”, which can be found in the GDPR, are introduced in the FADP.
Data protection adviser
Data controllers may, but are not obliged to, appoint an independent data protection adviser as a point of contact for data subjects and for the authorities responsible for data protection in Switzerland. The tasks of the data protection adviser consist of educating and advising the data controller on data protection issues and assisting in compliance with data protection legislation.
Records of processing activities
Like the GDPR, the FADP requires that data controllers and processors keep an inventory (ROPA). This inventory is intended to record the various processing activities and provide the controller and the processor with an overview of the data protection-relevant activities. If the FDPIC investigates a case, the first thing they will likely ask for is the inventory of processing activities. The FDPIC can therefore request this inventory at any time, even if they are not obliged to do so. The minimum content of the inventory is specified in the FADP and is largely identical to the content required for ROPA under the GDPR.
The Data Protection Ordinance (DPO) provides for exceptions from the obligation to keep an inventory of processing activities. An inventory does not have to be kept if a company has fewer than 250 employees (as of 1 January of a given year). The number of employees is determined per head count, not full-time equivalent (FTE), and part-time employees as well as trainees, for example, are fully counted. However, there are “counter exceptions” in the DPO. This means that a company must keep an inventory even though it has fewer than 250 employees if it either:
Processing regulations
Although Swiss law does not recognise any general accountability as found in the GDPR, the obligation to have data processing regulations serves the same purpose. The DPO requires private data controllers and their processors to maintain data processing regulations for automated processing if they either process sensitive personal data on a large scale or carry out high-risk profiling.
Under the DPO, the processing regulations must include information on the internal organisation and the processing and control procedures, as well as the measures to ensure subject rights and data security. Processing regulations can be in the form of a summary document that references existing documents, directives and guidelines.
Working with data processors
Controllers must enter into a processing agreement with data processors. The FADP requires less for these agreements than the GDPR, but failure to enter into a processing agreement may potentially trigger criminal liability (see below).
Cross-border disclosure of personal data
Like the GDPR, the FADP restricts transfers abroad to countries without adequate protection. Transfers are permitted based on safeguards, which include the standard contractual clauses (SCCs) approved by the European Commission; however, these must be adapted slightly to account for Swiss law. In line with the GDPR, the exporter must carry out a transfer impact assessment before commencing a transfer to a recipient in an unsafe country.
Obligation to provide information
Under the FADP, and similar to the GDPR, the controller must inform the data subjects about its identity and contact details, the purpose of the processing, the recipients or categories of recipients of the data and transfers abroad. In this respect, it requires the listing of all countries, including countries with adequate protection, but in practice, privacy notices frequently refer to regions (such as “EEA”) instead of listing individual countries. The FADP does not provide a finite list of the required information and, depending on the circumstances, additional information may be required. Failure to provide the required information accurately can lead to criminal sanctions.
Automated individual decision-making
Controllers have an obligation to provide information in relation to decisions based solely on automated data processing that have legal consequences or otherwise significantly affect data subjects. In addition, the data subjects have a right to voice their view and ask an individual to review the decision. The required information can be included in a privacy notice or can be given when the decision is communicated to the data subject.
Data protection impact assessment
The data protection impact assessment (DPIA) is an important tool for companies to assess data protection risks early, during the implementation of new processes or applications, and to take appropriate countermeasures. If a planned data processing activity may involve a high risk to the privacy or fundamental rights of data subjects, data controllers must carry out a prior DPIA. This may be the case, for example, with systematic surveillance, processing of confidential or highly personal data, high-risk profiling, or automated decision-making. If a DPIA reveals that the planned processing activity still results in a high risk despite mitigating measures, the controller must consult with the FDPIC ahead of the processing (unless a data protection adviser is appointed and has been consulted). DPIAs must be kept for at least two years beyond the duration of the processing activity.
Notification obligation of data security breaches
The controller must notify the FDPIC of any data security breach that is likely to result in a high risk to the data subjects, with the threshold for the notification obligation being higher than under the GDPR. The notification must be made as soon as possible, but unlike the GDPR, there is no 72-hour maximum timeframe. In addition, where necessary for the protection of the data subjects or on instruction by the FDPIC, the controller must inform the data subjects of the breach. According to the DPO, the notification of a data breach to the FDPIC must contain certain information, in particular the type of breach, the time and duration of the breach, the categories and approximate number of personal data concerned, the categories and approximate number of data subjects concerned, the consequences for the data subjects (including any risks), measures taken or planned, and the name and contact details of a contact person. If it is not possible for the data controller to report all this information at the same time, the controller shall provide the missing information as soon as possible.
Logging obligations
A private controller and/or processor must at least log the storage, modification, reading, disclosure, deletion and destruction of the data (including the identity of the person who carried out the processing and the type, date and time of processing) if sensitive personal data is processed automatically on a broad scale, or if high-risk profiling is carried out and preventive measures cannot guarantee data protection. These logs must be accessible only to relevant functions and may be used for compliance and security purposes only.
Data subject rights
Under the FADP, data subjects have a range of rights, such as a right to access their data, to have incorrect data rectified, to have automated individual decisions reviewed by a human and to have their data provided to them or another controller in a common, machine-readable format. Data subjects can also withdraw consent and/or object to the processing of their data, resulting in an obligation on the controller to justify further processing, for example by overriding interests, or to archive or delete personal data. The procedure to follow in the event of a data subject request is similar but not identical to that under the GDPR, due to slightly different obligations for timing and more generous exemptions.
Administrative measures and sanctions
Under the FADP, the FDPIC can issue binding orders. These include orders to cease processing, or to destroy personal data or cease disclosure abroad, as well as orders to carry out a DPIA or give information to a data subject.
The revised FADP has also introduced criminal sanctions of up to CHF250,000 in the event of an intentional breach (including contingent intent) of certain provisions, for example in case of a breach of the information obligation; incomplete or inaccurate information in case of a data subject access request; or where a controller uses a processor without entering into a processing agreement. These sanctions are directed against the individual responsible for the breach (including but not limited to members of management).
Third countries with an adequate level of data protection
As under the GDPR, there are third countries that benefit from an adequacy decision and are therefore considered as guaranteeing an adequate level of personal data security. The Federal Council determines these countries, which are listed in Annex 1 of the DPO. This list is similar to the adequacy list kept by the European Commission, but there are differences (for example, Japan is not considered to provide adequate protection).
Recommendations
Companies that have not already done so should implement all measures and corrective actions that are required to comply with the FADP as soon as possible. While the level of enforcement in Switzerland continues to be lower than under the GDPR, risks have increased and will likely continue to do so.
Hot Topic Two: AI
As in the EU – and indeed the rest of the world – the rise of AI, and in particular generative AI, is a hot topic in Switzerland. While Switzerland currently has no specific AI regulations (aside from lightweight regulations for federal authorities), it is closely monitoring the developments in the EU and globally.
For the time being, data protection remains the key regulation for AI, aside from intellectual property, the protection of business secrets and obligations of professional secrecy. There are no data protection regulations specifically aimed at AI, but the general principles remain applicable, as do the requirements for contracts with providers or customers and the cross-border data transfer restrictions. There is an emerging understanding of how these issues should be tackled in relation to the use of (generative) AI, as well as an understanding of how AI governance should be addressed by companies.
This being said, on 12 February 2025, the Federal Department of the Environment, Transport, Energy and Communications (DETEC) and the Federal Department of Foreign Affairs (FDFA) presented an overview of possible regulatory approaches to AI to the Swiss Federal Council. On the basis of this overview, the Swiss Federal Council has decided on a Swiss regulatory approach for AI based on three objectives: strengthening Switzerland’s location for innovation, safeguarding the protection of fundamental rights, including economic freedom, and increasing public trust in AI. To achieve these objectives, the Swiss Federal Council has set the following key steps for the future: incorporation of the Council of Europe’s AI Convention into Swiss law; sector-specific legislation as far as required (cross-sector regulation, to be limited to central areas relevant to fundamental rights); and non-binding measures.
Hot Topic Three: Introduction of a Cyber-Attack Reporting Obligation
Cyber-attacks on organisations in Switzerland continue to be on the rise. The manufacturing industry and financial service providers remain a particular focus for cybercriminals. In addition to ransomware, the National Cyber Security Centre of Switzerland (NCSC) records high potential damages to companies with respect to invoice manipulation fraud (business email compromise). The relevance of cyber-risk awareness is therefore increasing in all organisations. There is also a high level of awareness of cyber-risks in Switzerland’s management bodies.
Introducing a reporting obligation for cyber-attacks on critical infrastructure and anchoring the NCSC as the national reporting office are seen as additional important steps to improve Switzerland’s cybersecurity. Therefore, the new Information Security Act, which is aimed at federal authorities and entered into force on 1 January 2024, has been revised to include a reporting obligation on operators of critical infrastructures and will set out the tasks of the NCSC in this regard, which is intended to act as the central reporting office for cyber-attacks. The revision is expected to come into force in the first half of 2025.
The reporting obligation will apply to operators of critical infrastructures, including, for example, providers in the energy sector, financial services, healthcare, transportation, telecommunications, search engines and cloud services, among others. Reportable incidents include cyber-attacks that have the potential to cause significant damage. Specifically, these are attacks that endanger the proper functioning of critical infrastructures or are associated with extortion, threats or coercion.
Additional incident reporting obligations are set forth in the FADP (see above) and may apply, depending on the circumstances, to regulated companies such as financial institutions, telecommunications providers and providers of medical devices, and to listed entities.