Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Switzerland: FADP and FODP enter into force

The Federal Act on Data Protection 2020 (FADP) and the Ordinance on the Federal Act on Data Protection (FODP) entered into force on September 1, 2023.

Scope

The FADP applies to the processing of personal data of natural persons, private persons, and federal bodies. In addition, the FADP applies to circumstances that have an effect in Switzerland, even if they were initiated abroad. Furthermore, for rights under private law, the Federal Act of December 18, 1987 on Private International Law applies. In addition, the provisions on the territorial scope of application of the Criminal Code are reserved under the FADP.

Data Subject Rights

The FADP provides for data subject rights including the right to information, right to access, right to rectification, right to object, and right to data portability.

Obligations

The FADP, amongst other things, provides that the controller and processor shall each maintain a record of their processing activities, containing as a minimum the following:

  • the identity of the controller;
  • the purpose of processing;
  • a description of the categories of data subjects and the categories of processed personal data;
  • the categories of recipients;
  • if possible, the retention period for the personal data or the criteria for determining this period;
  • if possible, a general description of the measures taken to guarantee data security under Article 8; and
  • if the data is disclosed abroad, details of the State concerned and the guarantees under Article 16 paragraph 2.

Furthermore, the FODP under Article 4 stipulates that during large-scale automated processing of sensitive data or high-risk profiling and when preventive measures are not sufficient to guarantee data protection, the private data controller and their private processor must log at least the recording, modification, reading, communication, erasure and destruction of data.

Enforcement

The Federal Data Protection and Information Commissioner (FDPIC) will oversee the enforcement and application of the FADP and FODP.

OneTrust DataGuidance has released a number of resources to assist with your CDPA compliance:

For further information and resources on Switzerland, see our Switzerland homepage.