The Federal Act on Data Protection (FADP) is Switzerland’s data privacy law designed to protect the personal data of individuals and regulate how businesses collect, process, and store that data. Is your website ready for consent management requirements?
The FADP is the federal data privacy law in Switzerland. The revised FADP, which came into effect on September 1, 2023, aligns more closely with the EU’s GDPR and strengthens the rights of individuals while increasing obligations for organizations.
The FADP is the federal data privacy law in Switzerland. The revised FADP, which came into effect on September 1, 2023, aligns more closely with the EU’s GDPR and strengthens the rights of individuals while increasing obligations for organizations.
The FADP is the federal data privacy law in Switzerland. The revised FADP, which came into effect on September 1, 2023, aligns more closely with the EU’s GDPR and strengthens the rights of individuals while increasing obligations for organizations.
If your company handles the personal data of individuals in Switzerland—whether you’re based in Switzerland or abroad—you must comply with the FADP. The revised law introduces stricter requirements around data security, transparency, and individual rights, including:
Purpose specification:
Clear communication about how data is used
Privacy by design:
Build with privacy as the default
Breach notification:
Data breach notification within a reasonable timeframe
Recordkeeping:
Maintaining a record of processing activities (RoPA)
Data protection and risk assessment:
Carrying out Data Protection Impact Assessments (DPIAs) where needed
The FADP applies to all businesses that process personal data of individuals located in Switzerland, regardless of where the company is based. This includes:
Swiss-based businesses
International companies offering goods/services in Switzerland
Third-party data processors handling Swiss data
If your website tracks users or processes customer data in any way, you are likely subject to FADP compliance.
The PIPL gives consumers in China various data privacy rights, including:
Request to be informed about how personal information is being collected, processed, used and shared; this also includes the right to access
Request that inaccurate, incomplete or out-of-date information be corrected or entirely deleted
Restrict or object to the processing of personal data
Request explanations regarding rules and logic behind automated decision-making
Request to receive and transfer data collected
Organizations must consider data protection principles when designing new products and services
The FADP does not include specific cookie requirements like the EU ePrivacy Directive, but transparency in data handling, including around cookies, is included. If cookies collect identifiable data, users must be informed about and consent to their use. Businesses should clearly disclose cookie usage in their privacy and cookie policies and offer users meaningful control over their preferences.
Under the revised FADP, businesses must obtain valid consent before processing personal data through tracking technologies, especially for purposes like analytics, advertising, and profiling. This means:
No implied consent – users must opt-in voluntarily
Separate consents for different data processing purposes
Ability to withdraw consent at any time
Detailed information about the types of cookies in use
To be compliant, companies must ensure that their cookie banners and consent mechanisms are transparent, user-friendly, and legally valid under the FADP.
The revised FADP introduces stricter penalties, including:
Fines of up to 250,000 CHF for individuals (e.g., company executives)
Possible criminal liability for intentional breaches
Reputational damage and loss of consumer trust
Non-compliance can have serious consequences, especially for businesses that process large volumes of data or rely heavily on user tracking.
Some best practices to bring your data privacy approach in line with FADP compliance include:
Audit:
Conduct a data audit to identify all cookies and trackers on their websites
Categorize:
Categorize cookies (e.g., necessary, preference, analytics, marketing)
Implement consent management:
Ensure consent banners are implemented correctly, allow users to withdraw consent any time, and maintain consent logs
Check partner contracts:
Review third-party data-sharing practices
Train staff:
Ensure that employees have training to understand and comply with FADP
The FADP regulates the processing of personal data by private individuals, companies, and federal authorities in Switzerland. It aims to protect the privacy and fundamental rights of individuals when their data is collected, stored, used, or shared.
Personal data refers to any information relating to an identified or identifiable natural person. This includes data such as names, addresses, identification numbers, online identifiers, or any other information that can directly or indirectly reveal someone’s identity.
Sensitive data includes personal information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, health status, sexual orientation, or trade union membership. It also covers genetic data and biometric data used for identification.
The Swiss Federal Data Protection and Information Commissioner (FDPIC) is the supervisory authority responsible for overseeing compliance with the FADP.
The FADP does not apply to data processing by Swiss cantonal authorities and private persons or companies when processing data exclusively for personal use or household activities without a professional or commercial interest.
More detailed information, guidance, and resources are available on the official website of the Swiss Federal Data Protection and Information Commissioner (FDPIC).
©2018-2025 CookieHub ehf.
CookieHub CMP offers tools and services for managing cookies and online privacy.
