FADP
Switzerland’s Federal Act on Data Protection underwent major revision in 2023 to align with GDPR and maintain the EU adequacy decision enabling free data flows. Unlike GDPR, FADP applies primarily to private sector processing and federal agencies (cantonal authorities have separate rules). Key changes include: expanded scope covering all processing affecting Swiss residents, mandatory breach notification within 72 hours, privacy-by-design and privacy-by-default requirements, data protection impact assessments for high-risk processing, and stronger penalties (up to CHF 250,000 for individuals). The law maintains Swiss-specific features like the definition of ‘sensitive personal data’ including trade union membership and social assistance data. Cross-border transfers require adequacy assessments or safeguards similar to GDPR. The FDPIC (Federal Data Protection and Information Commissioner) supervises compliance.