Switzerland is a federation comprising 26 federated states (cantons) as well as a federal government. This leads to a layered body of laws as well as, at times, a decentralised official approach to cybersecurity. Cybersecurity in Switzerland remains closely tied to the area of data protection. Cybersecurity is frequently perceived as an off-shoot – or even a synonym – of data security, which, as the name suggests, targets the security and resilience of data processing and storage activities.

On a federal level, the Swiss Constitution of 18 April 1999 protects the right to privacy, in particular the right to be protected against misuse of personal data (Article 13). The collection and use of personal data by private bodies are regulated on a federal level and are mainly governed by the Swiss Data Protection Act (the Federal Act on Data Protection; FADP) and its ordinances, including the Federal Data Protection Ordinance (DPO).

Data processing by public bodies is governed by the FADP for federal bodies, which includes private organisations performing public tasks such as health insurance providers, pension funds and many others, and by cantonal (for example, the Information and Data Protection Act of the Canton of Zurich) and communal laws for cantonal and communal bodies.

The FADP was revised in order to implement the revised Council of Europe’s Convention 108 and to more closely align with the EU General Data Protection Regulation (GDPR). The revised FADP and DPO entered into force on 1 September 2023.

While the FADP and the GDPR are similar in their approach and purpose, there are notable differences. For example, there is a data breach notification obligation under the FADP similar to that under the GDPR, but the trigger for notifying a personal data breach to the Swiss data protection authority, the Federal Data Protection and Information Commissioner (FDPIC), is “high risk”, whereas under the GDPR any relevant risk requires notification. Another key difference is the level of activity by the relevant authorities: while many supervisory authorities within the European Economic Area (EEA) are more active, providing guidance and/or enforcing the GDPR, the FDPIC is generally reluctant to take a decisive stance and rarely provides guidance for private actors. However, the FDPIC has initiated several investigations under the FADP.

The FADP and the DPO provide for a general requirement to ensure an appropriate level of data security in relation to personally identifiable information. The FADP calls for state-of-the-art data security measures without specifying technical standards. However, an additional specific security requirement is the obligation to keep logs to ensure that data operations are logged by federal authorities, and by private actors that process sensitive data on a large scale or carry out “high-risk profiling”, a form of profiling that leads to personality profiles. These logs must be relatively granular and must be kept for at least one year, separately from the productive environment. In addition, the FADP imposes certain conditions on controllers and processors, such as a duty to notify data security breaches to the FDPIC, and potentially to data subjects. Additional compliance and documentation measures, such as data protection impact assessments and keeping records of processing activities, as well as an obligation to maintain processing regulations, have also been introduced.

The Information Security Act (ISA) of 18 December 2020, which entered into force on 1 January 2024, governs information security practices within the federal government and its administrative bodies. Under the ISA, several ordinances further specify and implement information security requirements and also repeal (inter alia) the Ordinance on the Protection against Cyber Risks in the Federal Administration (CyRV). Importantly, a significant feature of the ISA is the introduction of a reporting obligation for cyber-attacks for public authorities such as universities, federal, cantonal and municipal agencies, as well as inter-cantonal, cantonal and intercommunal organisations, and for providers of critical infrastructures, for example in the energy, finance, healthcare, insurance, transport, communication and IT sectors. In-scope organisations must report cyber-attacks to the National Cyber Security Centre (NCSC) within 24 hours, where the relevant thresholds and definitions are met. It is currently expected that this obligation will come into force in the first half of 2025.

Apart from the ISA, cybersecurity remains mostly regulated by a patchwork of various acts and regulatory guidance, which deal explicitly or implicitly with cybersecurity in the private sector. These laws include:

• the Budapest Convention on Cybercrime (CCC), which entered into force in Switzerland on 1 January 2012 and imposes a harmonisation of Switzerland’s criminal legislation with speedy international co-operation mechanisms;
• the FADP;
• the Federal Telecommunications Act (TCA) of 30 April 1997, including its ordinances, which – as of 1 January 2023 – contain specific information security and network threat resilience requirements; and

• the Federal Act on Financial Market Infrastructures and Market Conduct in Securities and Derivatives Trading (FinMia) of 19 June 2015 – the banking and financial markets legislation also led to the issuance of various circulars and regulatory notices by the regulator of the financial markets, the Swiss Financial Market Supervisory Authority (FINMA).

However, the Swiss government has given cybersecurity increasing attention in the past few years, and the absence of an overarching ad hoc law on cybersecurity may appear misleading given the importance and national relevance of this topic. Nonetheless, this conclusion is unlikely to lead the Swiss legislator (Parliament) to issue any additional topical legislation on cybersecurity in the near future. On the contrary, the federal government has been following the National Strategy for the Protection of Switzerland Against Cyber Risks (NCS).

The NCS was last updated in April 2023. The strategy sets out the objectives and measures with which the federal government and the cantons, together with the business community and universities, intend to counter cyberthreats. A steering committee has been established to plan and co-ordinate the implementation of the strategy. The revised NCS builds on previous strategies, adding content and precision. It defines 17 measures, each contributing to five strategic objectives, namely:

• self-empowerment (Switzerland is to expand its position as one of the world’s leading knowledge, education and innovation locations in relation to cybersecurity);
• securing digital services and infrastructures (Switzerland is to implement measures to strengthen cyber-resilience);
• ensuring effective detection, prevention, management and defence against cyber-incidents (Switzerland is to ensure the capacities and organisational structures necessary to quickly identify cyberthreats and incidents, and minimise damage, are in place);
• combatting and prosecuting cybercrime effectively (Switzerland is to expand its ability to identify threat actors and prosecute them); and
• maintaining a leading role in international co-operation (Switzerland is to foster an open, free and secure cyberspace and compliance with international law in the digital space).

However, the NCS does not foresee the implementation of a dedicated cybersecurity legislation, instead focusing on modernising various pre-existing laws. The updated NCS is testimony to the continued growth in relevance of cybersecurity in Switzerland, as well as perhaps the increased global threat posed by cyber-risks.

A further manifestation of the government’s interest in cybersecurity is another governmental venture, the Digital Switzerland Strategy. The Digital Switzerland Strategy sets guidelines for Switzerland’s digital transformation, and is updated annually by the Federal Council, each time with three focus topics. It is binding on the federal administration and provides guidance for other stakeholders involved in digitalisation. The first draft was published in 2016, and updates arrived in 2018, 2020 and 2023. On 13 December 2024, the Federal Council adopted the updated Digital Switzerland Strategy for 2025, with a focus on artificial intelligence (AI), strengthening cybersecurity and promoting open source in the federal administration.

In 2023, the Federal Council approved the new Digital Administration Switzerland Strategy 2024–27, which defines the fields of action to be prioritised in order for the confederation, cantons and cities and municipalities to jointly determine how the digital transformation of administrations is to be driven forward. A second strategy approved by the Federal Council is the digital federal administration strategy, which creates a framework for digital transformation projects in the federal administration.

The FDPIC is a body established on a federal level under the FADP. The FDPIC supervises compliance with the FADP and other federal data protection legislation by federal bodies and advises private bodies. On its own initiative, or at the request of a third party, the FDPIC may carry out investigations into data processing by private bodies. In addition, each canton has its own data protection authority, which is generally competent to supervise cantonal and communal bodies (but not private parties, which are subject to the FDPIC’s authority). Other regulators, such as FINMA, may play a role in the enforcement of data protection (see the following).

It is also worth mentioning here that the key official actor in the cybersecurity area in Switzerland is the NCSC, which is now integrated into the new Federal Office for Cyber Security (Bundesamt für Cybersicherheit; BACS) within the Federal Department of Defence, Civil Protection and Sports (DDPS). Indeed, in an effort to centralise the administrative activities in this area, other actors such as the Reporting and Analysis Centre for Information Assurance (MELANI), GovCert and the Cybercrime Coordination Unit (CYCO) became an integral part of the NCSC and now BACS. Tasks include raising public awareness, receiving reports on cyber-incidents and supporting operators of critical infrastructures in managing these incidents. Protection of the federal administration against cyber-attacks is now a key task of a new specialist unit within the new State Secretariat for Security Policy (Sepos), also within the DDPS.

The FDPIC has the right to carry out investigations and has direct enforcement powers, including the right to direct the controller to change, suspend or cease processing activities. In the course of an investigation, the FDPIC has the right to demand the production of documents, make inquiries and ask for a demonstration of a particular type of processing of personal data. Binding orders by the FDPIC may be published, stating the name of the investigated party (“naming and shaming”). Failure to comply with a binding order may, if referred to criminal prosecution, incur a criminal fine against the responsible individuals of up to CHF250,000. Such fines can also be levied by the criminal courts against the responsible individual(s) in cases of non-compliance with minimum legal data security requirements, though it is doubtful whether the legislator has indeed provided for such minimum requirements. Most data security regulations under the FADP and DPO are very general in nature or focus on accountability, rather than security, except maybe for the obligation to ensure that certain higher-risk data operations are logged, as noted in the foregoing.

The FDPIC’s increased (compared to the prior version of the FADP) powers and the more dissuasive criminal sanctions are seen as one of the most significant novel aspects of Swiss data protection legislation.

Any investigation by the FDPIC is subject to the Federal Act on Administrative Procedure (APA), which provides for due process rights for the investigated party and third parties – for example, rights to refuse to testify. The procedure before the Federal Supreme Court is regulated by the Federal Act on the Supreme Court.

In the banking and financial markets sector, the regulator, FINMA, supervises the relevant actors (namely banks, insurance companies, financial institutions, collective investment schemes and fund management companies) and plays a role in the cybersecurity realm. Indeed, given the importance of the financial industry in Switzerland, data security and cybersecurity are core concerns. FINMA publishes an annual risk monitor as an overview of risks seen as particularly significant, and the 2024 version highlights that cyber-risks remain one of the biggest operational risks and notes a growing number of cyber-attacks against service providers and the need for financial institutions to improve their responsibilities and control activities with regard to service providers.

FINMA has also updated its Circular 2023/1 Operational Risks and Resilience – Banks, with the updates coming into force on 1 January 2024. It requires banks and investment firms to report certain cyber-attacks within 24 hours of becoming aware of them and to submit a full report within 72 hours. FINMA has recently clarified in its Guidance 03/2024 that, where a third-party provider is affected by a reportable incident, the 24-hour deadline starts with the provider becoming aware of the incident, requiring banks to agree shorter notification periods with their providers.

In case of a breach of the sectoral rules, FINMA has a varied toolbox of enforcement means. These include the revocation of licences to practise, fines or even custodial sentences. FINMA also occasionally, and for preventative purposes, relies on a “name and shame” strategy, meaning that the author of any offence against the regulatory rules is publicly named.

As noted in the foregoing, the revised FADP introduces stricter enforcement mechanisms than its older version. Unlike the EU’s GDPR, the FADP focuses on holding individuals personally accountable. Criminal law fines for intentional violations can reach up to CHF250,000 and apply to individuals with decision-making authority. Key infractions include failing to provide required information to data subjects, noncooperation with investigations by the FDPIC, unauthorised cross-border data transfers and breaches of confidentiality obligations. However, negligence is not punishable, and some violations like failing to report data breaches do not attract fines. Enforcement typically requires a complaint from an affected individual.

However, the FDPIC has become more active in investigating potential violations of the FADP. For example, in May 2023, a ransomware attack on the company Xplain led to the publication of a significant volume of personal data, including sensitive information from the federal administration, on the darknet. Following this breach, the FDPIC initiated investigations into the Federal Office of Police (fedpol) and the Federal Office for Customs and Border Security (FOCBS), and into Xplain itself. Other prominent investigations under the old FADP included Digitec Galaxus, one of Switzerland’s largest online retailers, for customer accounts and personalised ads, and TX and Ricardo, a major Swiss media company and the Swiss equivalent of eBay, for tracking and personalised ads. These investigations resulted in non-binding recommendations under the then-current FADP.

Under the current FADP, several investigations have concluded or are ongoing, but – so far and to the extent known – without broader impact.

In Switzerland, there is currently no overarching regulation of the use of AI.

The FDPIC has published multiple statements and non-binding guidelines on how to address data protection matters in this area. In this context, the FDPIC pointed out that the Data Protection Act, in force since 1 September 2023, is directly applicable to AI-based data processing.

Further, sector-specific regulations address particular data protection issues. For example, the Swiss government has also created a general frame of reference for the use of AI within the federal administration, and FINMA issued binding guidelines on outsourcing and data security for the financial and insurance sector.

The following FADP safeguards can be applied to AI systems.

• Privacy by design/privacy by default: The data controller is obliged to implement technical and organisational measures to ensure that processing complies with data protection requirements, right from the outset.
• Obligation to carry out an impact assessment: Where the planned processing is likely to pose a high risk to individual or fundamental rights, the data controller must first carry out a data protection impact analysis. High risk exists in particular in the case of large-scale processing of sensitive data or systematic surveillance of large parts of the public domain.
• Transparency obligation for automated decisions: The data controller must inform the data subject of any decision taken exclusively on the basis of automated personal data processing that has legal effects on the data subject or significantly affects him or her. The data subject also has the right to express his or her point of view and to demand that the decision be reviewed by a natural person. These measures do not apply where the data subject has expressly consented to the decision being taken by automated means, or where the decision is directly related to the conclusion or performance of a contract and the data subject’s request is met. If the automated decision is made by a federal body, such body must qualify it as such. The right of the data subject to express his or her point of view and to demand that the decision be reviewed by a natural person does not apply when he or she does not have to be heard before the decision is made. When exercising his or her right of access, the data subject receives, in particular, information concerning the existence of an automated decision and the logic on which the decision is based.
• Requirement for a formal legal basis: Federal bodies are only entitled to process personal data if a legal basis is given. The legal basis must be laid down in a law in the formal sense in three cases, namely (i) the processing of sensitive data (for example biometric and genetic data); (ii) profiling (as defined by the FADP); and (iii) when the purpose or method of processing is likely to cause serious harm to the fundamental rights of the data subject. The use of AI may therefore require a formal legal basis, even in the absence of sensitive data or profiling, if the processing method (eg, automated decision) is likely to seriously affect the fundamental rights of the data subject.

Finally, on 12 February 2025, the Federal Department of the Environment, Transport, Energy and Communications (DETEC) and the Federal Department of Foreign Affairs (FDFA) presented to the Swiss Federal Council an overview of possible regulatory approaches to AI. On the basis of this overview, the Swiss Federal Council has decided on a Swiss regulatory approach for AI based on three objectives: strengthening Switzerland as a location for innovation, safeguarding the protection of fundamental rights, including economic freedom, and increasing public trust in AI. To achieve these objectives, the Swiss Federal Council has set the following key steps for the future: incorporation of the Council of Europe’s AI Convention into Swiss law; sector-specific legislation as far as required (cross-sector regulation), to be limited to central areas relevant to fundamental rights; and non-binding measures.

As mentioned in the foregoing, there is no specific law in Switzerland governing the use of AI.

In this respect, general laws apply to the use of AI systems. These include, for example:

• data protection law (if personal data is processed during training or use);
• secrecy protection law (if secret information is used for training or as input);
• employment contract law (if the personal data of applicants and employees is processed and if AI affects the employer’s duty of care);
• public labour law (eg, when duties to co-operate take effect or when monitoring behaviour is discussed);
• personality rights (eg, when conversations or team calls are recorded);
• unfair competition law (when AI-generated content can be misleading);
• copyright law (eg, if AI is trained with works or uses works as input, and if the protection of output is at issue);
• criminal law (if non-public conversations are recorded or if AI is used in general in relation to criminal behaviour); and
• product liability and other liability laws.

Industry-specific regulation may apply as well. A few supervisory authorities have already published their expectations in relation to the use of AI, in particular FINMA with its Guidance 08/2024 Governance and Risk Management when using Artificial Intelligence, published on 18 December 2024.

Private actors have also started to set non-binding rules. This applies to exposed actors, such as:

• the media (the Swiss Press Council’s journalistic guidelines);
• political parties (eg, KI-Kodex of the Greens, the Green Liberal Party (GLP), the Social Democratic Party of Switzerland (SP), the Middle and the Liberals (FDP)); and
• research and education institutions (eg, recommendations for dealing with generative AI at the University of Zurich).

Numerous private companies have also issued or are in the process of issuing guidelines, codes and instructions, some of which are public and some of which are not.

In addition, in certain cases, the EU AI Act will be applicable to Swiss companies trading with the EU market or otherwise working with EU counterparties, who may be exposed to AI-generated output.

Switzerland has implemented the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) through the FADP.

In addition, although Switzerland is not a member of the EU or the EEA and is under no obligation to implement the EU GDPR, the EU is Switzerland’s most important partner, and ensuring a level playing field for Swiss and EU-based companies is an important policy objective. The FADP largely aligns with the GDPR, such that a company that complies with the GDPR should generally be in compliance with the FADP (with some exceptions and caveats). Moreover, revising the FADP has been a key factor in the European Commission’s confirmation on 15 January 2024 of its finding that Switzerland’s data protection legislation provides an adequate level of data protection under the GDPR.

For data processing in relation to criminal prosecution, and in the framework of police and judicial co-operation, Switzerland transposed, on 30 January 2019, EU Directive 2016/680 into domestic Swiss legislation through the FADP. It expedited the adoption of this piece of legislation, with the relevant changes entering into force on 1 March 2019.

The most important developments are the entry into force of the FADP on 1 September 2023 and the new ISA (see 1.1 Overview of Data and Privacy-Related Laws).

The Swiss government’s efforts to bolster and centralise cybersecurity and cyberdefence activities are also a promising and ongoing development. In that respect, many commentators have been sounding the alarm as it appears that Swiss companies as well as public bodies (often on the municipal level) have not been taking cyberthreats seriously enough – a concern only exacerbated by the Xplain and Concevis attacks (see the Swiss Trends & Developments chapter in this guide and 1.4 Data Protection Fines in Practice).

Public attention remains high. This stems from the stream of data breaches, locally and internationally, and the increased awareness of data protection worldwide, but also from some cybersecurity considerations affecting national security. In this latter category, the war in Ukraine and the international geopolitical situation, combined with the roll-out of next-generation technologies, especially 5G networks, have led to a heightened awareness of cyberthreats.

It is still too early to foresee the long-term consequences of cyberthreats for the Swiss legal and regulatory landscape, though they will likely lead to questioning of Switzerland’s international policy in regard to cybersecurity, cyber-espionage and international co-operation.

Another major topic is the issue of cyber-attacks in Switzerland. In recent years, the number of cyber-attacks on the infrastructure of Swiss companies in Switzerland have increased significantly. This worrisome trend has also shown the relative exposure of many Swiss companies, of all sizes, as well as public bodies, and is an alarming reminder of the ubiquity and damaging nature of cyberthreats.

In December 2022, the Federal Council submitted a draft bill to Swiss Parliament to amend the Federal ISA. This draft creates a legal basis for the obligation of operators of critical infrastructures to report cyber-attacks to which they have been subjected. The term “critical infrastructure” does not only include energy supply companies, hospitals, civil aviation and telecommunications providers – universities, authorities at all federal levels, banks, insurance companies and financial market infrastructure may also fall within the scope. It is expected that the revised regulation will enter into force in the first half of 2025.

As mentioned in 1.1 Overview of Data and Privacy-Related Laws, Switzerland is a member of neither the EU nor the EEA, and it therefore has no obligation to implement the GDPR. Switzerland is recognised by the EU as providing an adequate level of data protection. This was decided on 26 July 2000 by the Commission of the European Communities and was confirmed on 15 January 2024.

As a member state of the Council of Europe, Switzerland has ratified Convention ETS 108 and the Additional Protocol of 2001 and implemented them into its own law. Convention ETS 108 is the first and, to this day, the only binding international instrument in the field of data protection law. It is part of the case law of the European Court of Human Rights (ECtHR), as it is consulted by the Court when interpreting Article 8 of the European Convention on Human Rights (ECHR). This is reflected in Swiss jurisprudence; since Switzerland has incorporated the ECHR into its own law, the ECtHR is considered the highest instance with regard to the protection of human rights. The Federal Council also formally signed Convention 108+ in November 2020.

Data protection laws at cantonal level only apply to data processing by the respective cantons or cantonal authorities. In addition to the revisions at the federal level, corresponding revisions of the cantonal data protection laws must also take place. To date, only a proportion have completed the necessary revision of their data protection laws; others are still in the process of doing so.

Regarding the relationship between Switzerland and the UK, the UK government has the power to make its own adequacy regulations in relation to third countries such as Switzerland. At the moment, such UK adequacy regulations include Switzerland. As for the agreement on the mutual recognition of data protection levels between Switzerland and the United States, see 5.5 Recent Developments.

Concerning recent case law, see the Swiss Trends & Developments chapter in this guide and 1.4 Data Protection Fines in Practice.

Though some basic collective action schemes do exist (with no immediate possibility for the claimants to move for damages), class actions are not permitted in Switzerland. There is an ongoing discussion to provide for class actions in civil proceedings. Proponents of such class actions received a setback in 2020, with the Swiss government deciding against including class actions in the revision of the Swiss Civil Procedure Code. However, in December 2021, the Federal Council launched a new process towards the introduction of collective redress in the Swiss Civil Procedure Code, to allow for the assertion of claims for compensation and the possibility of collective settlements in a new representative action procedure. However, the National Council’s Legal Affairs Committee came to the conclusion, in July 2023, that measures to prevent misuse of class action instruments should be examined further. Debates are currently underway in the Federal Parliament, but the risk of “Americanisation” of the judicial system frightens many members of the National Council’s Legal Affairs Committee, which proposed on 18 October 2024 to abstain from going ahead with the project concerning the collective exercise of rights.

This goes to show that class actions remain a hotly debated topic, both as a matter of principle and regarding the specificities of such legal instrument, and it is uncertain whether, or in what form, they will make it into the law.

There has been little specific legislative effort directed at the internet of things (IoT) and supply chain actors. This mostly relates to Switzerland’s technologically neutral approach to legislative action. Therefore, the general requirements under the FADP in terms of data security play a predominant role, though sector-specific rules may come into play as well. That said, 1 January 2023 updates to telecommunications legislation brought about, in particular, increased network security requirements, especially in the form of reinforced anti-piracy and anti-tampering mechanisms to handle malicious activities; in addition, operators of 5G networks and services that operate on these networks have to implement an information security management system.

There are no specific cybersecurity and data breach notification rules pertaining to the IoT. However, various authorities serve as valuable contact points. In particular, the FDPIC and BACS play an important role – the former in matters pertaining to data protection and data security, the latter for any voluntary notification of a cyber-incident.

Security requirements around the IoT are also a priority for the government, which mentioned in its Digital Switzerland Strategy (see 1.1 Overview of Data and Privacy-Related Laws) the need for the industry to implement state-of-the-art cybersecurity measures to accompany the growth of the IoT on the Swiss market.

In the financial and banking sector, FINMA Circular 2008/21 Operational Risks at Banks, and its replacement Circular 2023/01, contain a notification duty in certain data breach cases. This Circular provides that banks must have a clear communication strategy in case of serious incidents pertaining to client-identifying data (CID); this communication strategy must specify when it is necessary to notify FINMA, criminal prosecution authorities, the clients concerned and the media.

Concerning the interplay between data regulation and data protection requirements in Switzerland, see 1.1 Overview of Data and Privacy-Related Laws.

Concerning the obligations set out in the laws regulating the use of IoT services and data processing services in Switzerland, see 1.1 Overview of Data and Privacy-Related Laws and 1.3 Enforcement Proceedings and Fines.

Concerning the bodies designed to enforce the data regulation in Switzerland, see 1.2 Regulators.

Since 2007, the use of cookies has been regulated in the Swiss TCA. Website operators must inform the user about the processing and its purpose, but it is not mandatory to use a cookie banner under Swiss law. They must also note that the user may refuse to allow processing and how cookies can be deactivated in the user’s browser. In Switzerland, the opt-out principle applies. If a cookie banner is used then, depending on how it works, the principle of privacy by default may apply.

On 22 January 2025, the FDPIC published non-binding guidance on the use of cookies and similar technologies, to the extent personal data is processed. The guidance expects website and app providers to use a consent management platform and ensure that users can opt out of cookies at any time. For more intrusive tracking, the FDPIC expects consent with an option to withdraw consent at any time.

The admissibility of advertising is regulated by the Federal Act of Unfair Competition (UCA). It imposes certain limitations on electronic mass advertising. The sender may only contact target customers via electronic mass advertising if it cumulatively:

• obtains the target customer’s affirmative consent (opt-in-system) in advance (in this context, it is recommended that the customer consents in text form, for example through the activation of a tick-box upon completion of an online form);
• provides the sender’s correct and complete contact information; and
• displays a reference to an easy option to refuse future marketing materials – this reference must be evident and clearly visible each time the sender contacts the customer, and the customer must have the possibility to promptly refuse to receive any further marketing materials on the same channel of communication, with no extra effort and costs.

Mass advertising may reach existing customers without their prior consent, if cumulatively:

• the sender obtained the customer’s contact information at the occasion of the purchase of a product or service;
• the sender had informed the customer, when obtaining their personal information, about the possibility of opt-out from direct marketing;
• the direct marketing refers to own and similar products, services or works in which the customer has shown interest – marketing for other (own) products/services from the sender or third-party products/services is not permitted (similarity is given where the purchased product or service is interchangeable);
• the sender provides its correct and complete contact information; and
• the sender provides a reference to an easy, free-of-charge option to refuse future marketing materials.

Another option for the accomplishment of a marketing campaign could be the use of postal mail. As printed marketing is not in scope of Article 3(1) of the UCA, postal mass advertising is generally permitted. Data protection restrictions may, however, apply where individuals have expressly objected to the use of their address for marketing purposes.

Non-compliance with anti-spam legislation may result in a civil law claim by individuals, consumer protection organisations or (under certain limited conditions) the federal government. Further, deliberate non-observance of the dedicated provision of the UCA constitutes a criminal offence. It should be noted, however, that enforcement of anti-spam legislation is not particularly rigorous in Switzerland.

The Swiss Data Protection Act (FADP) covers the processing of data on employees by employers. The Swiss Code of Obligations (SCO) also contains specific provisions on data processing and the protection of the privacy of employees.

Most importantly, the employer must – within the employment relationship – acknowledge and safeguard the employee’s personality rights, have due regard for their health and ensure that proper moral standards are maintained. The employer must refrain from any interference with the personality of the employee that is not justified by the employment contract and, within the framework of the employment relationship, prevent any such interference by superiors, employees or third parties. Excessive employee surveillance, for example, may be unlawful under public labour regulations.

These provisions of the SCO and the FADP are closely intertwined, and the employer may only process data on employees in two cases and only to a rather limited extent.

• Before the conclusion of an employment contract and during its implementation, data on job applicants may be processed in order to clarify whether they are suitable for the job in question.
• During the employment period, data on employees that is necessary for the performance of the employment relationship may be processed.

However, recent Swiss Supreme Court case law adds some flexibility and leaves some room for employer private interest justifications. This approach is comparable to the GDPR in the sense that an overriding private interest could justify the processing of employee data that the employment law and the SCO would otherwise not cover.

In Switzerland, an assignment of claims is generally permissible without the consent of, or even without informing, the debtor. There is therefore a general understanding that a transfer of assets does not require consent, provided that the seller ceases its own business activities in relation to the sale (but information from the seller or the purchaser remains a requirement in most cases). Stricter rules may apply where the asset deal involves a transfer of sensitive data, and even more so in case of data processed under secrecy obligations (such as patient data or CID processed by a bank or financial institution).

The FADP aims to protect the personality rights and fundamental rights of natural persons whose personal data is processed. As a consequence, the FADP contains provisions on how this protection is to be guaranteed when data is transferred abroad, for instance to a state that does not offer the same level of data protection as Switzerland does.

Controllers or processors may transfer personal data abroad if the Federal Council has determined that the legislation of the relevant state or international body guarantees an adequate level of protection. Therefore, the Federal Council determines, in a binding manner, to which countries the export of data is permitted.

On the other hand, in the absence of such a decision by the Federal Council, personal data may be disclosed abroad only if appropriate protection is guaranteed. Thus, at least one of the following conditions must be fulfilled:

• an international treaty;
• data protection provisions of a contract between the controller or the processor and its contracting partner, which were communicated beforehand to the FDPIC;
• specific safeguards prepared by the competent federal body and communicated beforehand to the FDPIC;
• standard data protection clauses previously approved, established or recognised by the FDPIC; and
• binding corporate rules (BCRs) on data protection that were previously approved by the FDPIC, or by a foreign authority that is responsible for data protection and belongs to a state that guarantees adequate protection.

Mechanisms or Derogations That Apply to International Data Transfers

The FADP provides that personal data may not be disclosed abroad where the importing state does not have legislation that guarantees an adequate level of data protection (in accordance with an annex to the DPO). However, a transfer of data to such a state may be permitted if one of the foregoing conditions is fulfilled.

Regarding standard contractual clauses (SCCs), the FDPIC formally recognised SCCs as a basis for international transfers to non-whitelisted countries, but only on the condition that the SCCs are amended slightly to account for Swiss law (and the fact that Switzerland is not an EEA member state).

Due to the extraterritorial reach of the GDPR, some data transfers may additionally be subject to the GDPR, in particular if data pertaining to EU residents is (also) transferred. Therefore, two cases should be distinguished:

• in the first case, there is no link to the GDPR, and the data transfer is subject solely to the FADP; and
• in the second case, the GDPR applies to certain data transfers based on its extraterritorial reach, but the data exporter is a controller or a processor that falls within the scope of the FADP (eg, because it is located in Switzerland).

For data transfers subject to the GDPR, non-amended SCCs may be used.

The EU SCCs require a “transfer impact assessment” (TIA). This also applies to Swiss companies if they use the EU SCCs under the GDPR or under the FADP. As part of a TIA, the Swiss data exporter must check in each specific case whether the laws of the recipient country regarding official access in the recipient country (eg, for the purpose of national security or criminal prosecution) and the rights of the data subjects are compatible with Swiss data protection law and Swiss constitutional principles. According to the FDPIC, the Swiss data exporter must carry out the corresponding clarifications itself and must not rely solely on the statements of the data importer.

Switzerland has recently implemented the Swiss-US Data Protection Framework (DPF) (see 5.5 Recent Developments).

Finally, the FDPIC has pointed out that internal company data protection regulations, so-called BCRs, cannot be a substitute for the conclusion of SCCs if transfers are made outside of a group of companies subject to BCRs.

Personal data may be disclosed abroad if the Federal Council has determined that the legislation of the relevant state or international body guarantees an adequate level of protection. In this case, additional safeguards are not required.

In the absence of an adequacy decision by the Federal Council, personal data may be disclosed abroad only if appropriate protection is guaranteed by certain conditions (see 5.1 Restrictions on International Data Transfers). Also in this case, no notification or approval is required for the specific data transfer, but some conditions may apply.

If there is no adequacy decision and no appropriate protection is guaranteed through appropriate safeguards, personal data may nevertheless be disclosed abroad in certain cases. The controller or processor must inform the FDPIC of this disclosure, but only upon request. These cases are as follows:

• the disclosure is directly connected to the conclusion or the performance of a contract with the data subject, or with another party but in the interest of the data subject;
• the disclosure is necessary in order to safeguard an overriding public interest, or for the establishment, exercise or enforcement of legal claims before a court or another competent foreign authority;
• the disclosure is necessary to protect the life or the physical integrity of the data subject or a third party and it is not possible to obtain the consent of the data subject within a reasonable period of time.

There are no specific data localisation requirements under Swiss data protection law. However, some exceptions may apply to regulated activities. For example, the Ordinance on the Electronic Patient Dossier explicitly states that the data repositories (of health data) must be located in Switzerland and must be subject to Swiss law. In addition, various provisions require that certain data remain accessible at all times from Switzerland, such as some client data processed by banks and insurance companies, but this does not usually prevent cross-border transfers or storage abroad of that data.

Swiss law contains so-called blocking statutes that can prevent or hinder the collection of evidence in multijurisdictional proceedings. As soon as an internal investigation is carried out at the request of a foreign authority or the results of such an investigation are generated with the aim of making them available to a foreign authority, two provisions of the Swiss Criminal Code (SCC) must be taken into account: Article 271 of the SCC (unlawful activities on behalf of a foreign state) and Article 273 of the SCC (industrial espionage).

According to Article 271 of the SCC, anyone who carries out activities on behalf of a foreign state, foreign party or foreign organisation on Swiss territory without lawful authority, where such activities are the responsibility of a public authority or public official, and anyone who facilitates such activities, is liable to punishment. The taking of evidence constitutes a sovereign judicial function of the courts rather than of the parties. Therefore, the taking of evidence for a foreign state court or for foreign regulatory proceedings constitutes an act of a foreign state. If such acts take place in Switzerland, they violate Swiss sovereignty and are prohibited under Article 271 of the SCC, unless they are authorised by the competent Swiss authorities or take place within the framework of mutual legal assistance proceedings. A violation of Article 271 of the SCC is punishable by imprisonment of up to three years or a fine of up to CHF540,000, or both. It is important to be aware that the transmission of evidence abroad to comply with a foreign order requiring the production of evidence does not prevent the application of Article 271 of the SCC. Furthermore, evidence can only be handed over to foreign authorities lawfully by following mutual legal assistance proceedings or by obtaining authorisation from the competent Swiss authorities.

The blocking statute in Article 273 of the SCC additionally prohibits industrial espionage. According to this article, anyone who seeks to obtain a manufacturing or trade secret in order to make it available to an external official agency, a foreign organisation, a private enterprise or the agents of any of the foregoing; and anyone who makes a manufacturing or trade secret available to a foreign official agency, a foreign organisation, a private enterprise or the agents of any of the foregoing is criminally liable.

Therefore, manufacturing and business secrets with sufficient connection to Switzerland may only be released or communicated abroad when:

• the owner of the secret relinquishes its intent to keep the information secret;
• the owner of the secret agrees to disclose this information;
• all third parties (who have a justifiable interest in keeping the information secret) consent to such a disclosure;
• Switzerland has no immediate sovereign interest in keeping the information secret; and
• all requirements set forth by the FADP (in particular, as regards cross-border transfers) are complied with.

On 14 August 2024, the Federal Council decided to add the United States to the list of countries with an adequate level of data protection in accordance with Annex 1 of the DPO, provided that the recipient is certified under the Swiss-US Data Privacy Framework (Swiss-US DPF). The amendment came into force on 15 September 2024. Some uncertainty remains as to the long-term reliability of the Swiss-US DPF in light of President Trump’s recent weakening of the Privacy and Civil Liberties Oversight Board, an organisation that exercises oversight within the Swiss-US DPF.

The Swiss-US DPF has the following effects in particular.

• Various importers such as Microsoft, Google, Amazon and Salesforce have already certified according to the Swiss–US DPF. An exporter whose export is subject to the FADP can invoke the Swiss–US DPF.
• Transfers under this framework are permissible without the SCCs having to be concluded.
• Intra-group transfers can also be based on the Swiss-US DPF, provided that the US recipient is certified (and can comply with the corresponding obligations and conditions, including the requirements for intra-group onward transfers).
• No TIA is required if a transfer is based on the Swiss or EU-US DPF, and a simpler TIA may be carried out for other transfers to US recipients.
• If an exporter relies on the certification of an importer, it should ensure that the maintenance of the certification is contractually guaranteed.
• There is no reason not to base a transfer on the SCCs in addition to the Swiss or EU-US DPF, and many companies will take this approach. In this case, a TIA is not required if the SCCs are only a safety net (unless one takes the view that a TIA remains necessary as an independent contractual obligation under the SCCs). In Switzerland, at least, the FDPIC will not expect a TIA if the Swiss-US DPF provides a basis for the transfer. If a TIA is indeed carried out, it can be simpler, because the EU adequacy decision for the EU-US DPF covers part of the relevant US law, regardless of the Swiss-US DPF. However, an exporter should consider whether the primary basis is the Swiss-US DPF, EU-US DPF or SCCs. Although there is no clear obligation to make and document this decision, the consequences are not the same. For example, the requirements under the SCCs and the Swiss-US DPF differ with regard to the information to be provided to the data subjects.
• In the case of a transfer from Switzerland to a country with an adequate level of data protection and an onward transfer therefrom to a US recipient certified under the EU-US DPF, the EU-US DPF covers the onward transfer. The FADP does not apply to this onward transfer.