
Data Residency in Switzerland: FADP Compliance Guide

Understand Switzerland's revised Federal Act on Data Protection (FADP), adequacy status, and cross-border transfer rules.

GlobalDataShield Team | 8 min read

Introduction

Switzerland has a long tradition of privacy protection, and its revised Federal Act on Data Protection (FADP, or DSG in German / LPD in French) strengthens this tradition further. The revised FADP, which took effect on September 1, 2023, aligns more closely with the EU's GDPR while maintaining distinctly Swiss characteristics. For organizations processing personal data of Swiss residents, understanding the FADP is essential -- particularly because Switzerland is not an EU/EEA member and operates its own independent data protection framework.

Overview of the Revised FADP

The revised FADP modernizes Switzerland's data protection law to address technological developments and align with international standards, particularly the GDPR. The Federal Data Protection and Information Commissioner (FDPIC) oversees enforcement.

Key Changes from the Previous Law

| Area | Previous FADP | Revised FADP |
|---|---|---|
| Scope | Protected data of both individuals and legal entities | Protects only data of natural persons |
| Sensitive Data | Narrower categories | Expanded to include genetic and biometric data |
| DPO | Not required | Voluntary but recommended |
| Breach Notification | Not mandatory | Mandatory for high-risk breaches |
| Data Protection Impact Assessment | Not required | Required for high-risk processing |
| Penalties | Fines up to CHF 10,000 | Fines up to CHF 250,000 against individuals |
| Profiling | Not specifically addressed | Specific rules for profiling and automated decision-making |
| Cross-Border Transfers | Adequacy-based | Enhanced adequacy-based with additional safeguards |

Key Definitions

  • Personal Data: All information relating to an identified or identifiable natural person
  • Sensitive Personal Data: Data on religious, philosophical, political, or trade union views; health data; genetic data; biometric data; data on race or ethnicity; social assistance data; data on administrative or criminal proceedings; data on sexual orientation
  • Controller: The entity that determines the purposes and means of processing
  • Processor: The entity that processes data on behalf of the controller
  • Profiling: Any automated processing of personal data to evaluate personal aspects (e.g., health, preferences, behavior, location)
  • High-Risk Profiling: Profiling that leads to a profile of a personality, evaluated under stricter rules

Switzerland's Adequacy Status

EU Adequacy for Switzerland

The European Commission has recognized Switzerland as providing adequate data protection under GDPR Article 45. This means personal data can flow freely from the EU/EEA to Switzerland without additional safeguards.

The revised FADP was designed in part to maintain this adequacy status. The EU periodically reviews its adequacy decisions, and Switzerland's alignment with GDPR standards helps ensure the continuation of this recognition.

Swiss Adequacy Assessments

Switzerland conducts its own adequacy assessments for countries receiving personal data from Switzerland. The FDPIC maintains a list of countries considered to have adequate data protection. The Swiss list largely aligns with the EU's adequacy determinations but is independently maintained.

Cross-Border Transfer Rules

Switzerland does not impose data localization requirements. Personal data may be transferred internationally under specific conditions.

Transfer Mechanisms

| Mechanism | Description |
|---|---|
| Adequacy | Transfer to a country on the FDPIC's adequate protection list |
| Standard Contractual Clauses | Contractual safeguards providing equivalent protection |
| Binding Corporate Rules | Intra-group transfer rules approved by the FDPIC |
| Consent | Explicit consent after being informed of the risks |
| Contractual Necessity | Transfer necessary for contract performance with the data subject |
| Legal Claims | Transfer necessary for establishing or defending legal claims |
| Overriding Public Interest | Transfer in the public interest |
| Vital Interests | Transfer necessary to protect life or physical integrity |

Standard Contractual Clauses

Switzerland has its own approach to standard contractual clauses:

  • The FDPIC recognizes the EU Standard Contractual Clauses as a basis for transfers from Switzerland, with certain adaptations
  • Swiss-specific references must be included (e.g., the FADP as the governing data protection law, Swiss courts as the competent jurisdiction)
  • Organizations using EU SCCs for Swiss transfers should ensure the Swiss adaptations are properly incorporated

Data Transfer Impact Assessments

When relying on contractual clauses or other safeguards (rather than adequacy), organizations should assess whether the legal framework of the destination country provides effective protection, similar to the GDPR's Schrems II requirements.

Rights of Data Subjects

The revised FADP grants comprehensive rights:

  • Right to Information: Obtain information about data processing, including the purpose, categories of data, recipients, and cross-border transfers
  • Right of Access: Receive a copy of personal data being processed
  • Right to Rectification: Request correction of inaccurate data
  • Right to Deletion: Request erasure of data (the right to be forgotten is implied but not explicitly named)
  • Right to Data Portability: Receive data in a commonly used electronic format
  • Right to Object: Object to processing, including automated decision-making

Exercising Rights

  • Requests must generally be responded to within 30 days
  • Access to personal data must be provided free of charge (with limited exceptions for excessive or unfounded requests)
  • If a request is refused, the data subject may refer the matter to the FDPIC or bring an action before the courts

Obligations for Controllers

Privacy by Design and Default

The revised FADP requires controllers to:

  • Implement appropriate technical and organizational measures from the design stage
  • Ensure that, by default, only the personal data necessary for each specific purpose is processed

Record of Processing Activities

Controllers (and processors) must maintain a record of processing activities. Exceptions exist for companies with fewer than 250 employees that do not process sensitive data on a large scale or engage in high-risk profiling.

Data Protection Impact Assessment

A DPIA is required when processing is likely to result in a high risk to the personality or fundamental rights of data subjects. If the risk cannot be mitigated, the FDPIC must be consulted.

Breach Notification

Controllers must notify the FDPIC as quickly as possible when a breach is likely to result in a high risk to the personality or fundamental rights of data subjects. Affected individuals must also be notified when necessary for their protection.

Data Protection Advisor

While not mandatory, the revised FADP allows controllers to voluntarily appoint a Data Protection Advisor. Organizations with an appointed advisor may benefit from certain procedural advantages, such as conducting internal DPIA reviews instead of consulting the FDPIC.

Penalties

The revised FADP introduces a distinctive penalty regime:

  • Fines up to CHF 250,000 are imposed on the responsible individual, not the organization (a significant departure from the GDPR's approach)
  • Criminal penalties require intentional violations
  • Violations subject to penalties include: failure to provide required information, failure to comply with data subject rights, failure to meet security requirements, unauthorized cross-border transfers, and failure to appoint a representative

Swiss Financial Data

Switzerland's financial sector has additional data protection considerations:

  • Banking secrecy: Swiss banking secrecy laws provide additional protection for client financial data
  • FINMA requirements: The Swiss Financial Market Supervisory Authority imposes requirements on outsourcing and data handling by financial institutions
  • Client identification data: Special protections apply to client identification and transaction data

Practical Compliance Steps

Step 1: Assess FADP Applicability

Determine whether the FADP applies to your organization:

  • Do you process personal data of individuals in Switzerland?
  • Are you established in Switzerland or do your processing activities have effects in Switzerland?

Step 2: Update Data Processing Records

Maintain records of processing activities that include:

  • Identity of the controller
  • Processing purposes
  • Categories of data subjects and data
  • Recipients and cross-border transfers
  • Retention periods
  • Security measures

Step 3: Review Cross-Border Transfers

  • Check the FDPIC's adequacy list for each destination country
  • Implement Swiss-adapted SCCs where needed
  • Conduct transfer impact assessments
  • Document the legal basis for each transfer

Step 4: Implement Breach Notification Procedures

Prepare for the obligation to notify the FDPIC of high-risk breaches as quickly as possible.

Step 5: Review Privacy Notices

Update privacy notices to comply with the revised FADP's transparency requirements, including cross-border transfer information.

How GlobalDataShield Supports Swiss Data Protection

Switzerland's unique position -- independent from the EU but closely aligned -- requires infrastructure that can handle both Swiss and EU requirements. GlobalDataShield enables organizations to enforce data residency at the document level, supporting compliance with the FADP's cross-border transfer rules while maintaining compatibility with GDPR requirements for organizations operating across both jurisdictions.

Conclusion

Switzerland's revised FADP brings the country's data protection framework closer to the GDPR while maintaining distinctive features, such as individual criminal liability and voluntary DPO appointment. Organizations processing personal data of Swiss residents must understand the differences between the FADP and GDPR, implement appropriate cross-border transfer safeguards, and prepare for a regime that holds individuals personally accountable for data protection compliance.
