FADP Compliance Checklist for 2025–2026

Switzerland's revised DSG has been in force since September 2023. Companies still working through implementation will find this practical checklist a useful starting point for gap assessment.


The revised Federal Act on Data Protection (nDSG / FADP) entered into force on 1 September 2023, together with the revised Data Protection Ordinance (DPO). There was no general transitional period for private controllers: unlike some EU regulations that provide staggered grace periods, the nDSG applied in full from day one. Companies that were expecting further regulatory clarity before completing their implementation have been operating with open gaps since then.

This checklist is structured as a gap assessment framework rather than a sequential project plan. Its purpose is to identify where your current compliance posture is strongest, where the gaps are, and what the relative remediation priorities should be. It is not a substitute for a full legal and technical assessment — the nDSG interacts with your specific business model, data flows, and cross-border processing in ways that require tailored analysis.

Baseline: What Does the nDSG Require That You May Have Missed?

Before the checklist items, it is worth naming the two most commonly incomplete areas we observe in organisations that have not fully implemented the nDSG.

The first is the register of processing activities. Art. 12 nDSG requires controllers and processors each to keep a register that is functionally equivalent to the Art. 30 GDPR record of processing activities (ROPA), with one Swiss-specific exemption: under Art. 24 DPO, private companies with fewer than 250 employees are exempt unless they process sensitive personal data on a large scale or carry out high-risk profiling. Companies that are already GDPR-compliant will usually have a register, but it will not necessarily contain the entries Art. 12(2) nDSG lists (see Area 1). The second is automated individual decision-making. Art. 21 nDSG requires the controller to inform data subjects of decisions taken exclusively by automated processing that have legal effects on them or significantly affect them, and the wording and the rights it attaches are not identical to the GDPR's Art. 22 framing; a notice drafted for GDPR Art. 13 and Art. 22 alone may not satisfy Art. 19 and Art. 21 nDSG.

Checklist Area 1: Processing Register and Documentation

  • Processing register exists and is current. Does your register reflect all current processing activities, including those introduced or changed since September 2023, and does it contain the entries Art. 12(2) nDSG lists: the identity of the controller, the purpose, the categories of data subjects and of personal data, the categories of recipients, where possible the retention period and a description of the security measures, and, for disclosures abroad, the destination state and the safeguards relied on under Art. 16(2)? A ROPA completed under GDPR Art. 30 before the nDSG came into force has probably never been checked against this list.
  • Controller vs. processor roles are correctly identified. The nDSG uses the same controller / processor concepts as the GDPR; Art. 5 nDSG defines the controller as whoever decides on the purpose and means of processing, alone or together with others, so joint controllership is recognised even though it is not regulated in the detail of GDPR Art. 26. If your organisation processes personal data on behalf of other companies, your processor obligations under Art. 9 nDSG need to be documented.
  • Processors are under contract. Art. 9 nDSG requires that processing be assigned to a processor by contract or by law, that the processor only processes the data in the way the controller itself would be permitted to, that no statutory or contractual confidentiality obligation prohibits the assignment, and that the controller satisfies itself that the processor can guarantee data security (Art. 9(2)). The Act does not prescribe the GDPR Art. 28(3) list of mandatory contract terms (subject matter, duration, nature and purpose, types of data), so a DPA drafted for GDPR will usually cover the nDSG points; the gap assessment should still confirm the governing-law, data-security and sub-processing clauses rather than assume equivalence.
  • Sub-processor approval obligations are met. Under Art. 9(3) nDSG a processor may only pass the processing to a third party with the controller's prior approval, which is stricter than a bare notification duty. Your DPAs should state whether that approval is general (with a right to object to changes) or specific, and your organisation should actually receive and record sub-processor changes rather than just have a clause that says it will.

Checklist Area 2: Privacy Notices and Transparency

  • Privacy notice covers nDSG Art. 19 disclosure requirements. Art. 19(2) nDSG requires, at a minimum, disclosure of the identity and contact details of the controller, the processing purposes and, where applicable, the recipients or categories of recipients of personal data. Where personal data are disclosed abroad, Art. 19(4) additionally requires the destination state or international body to be named, together with the safeguards relied on under Art. 16(2) or the exception under Art. 17. The minimum list is shorter than GDPR Art. 13, but the duty to name destination countries and safeguards in the notice itself goes beyond common GDPR practice, and it is the item most often missing from notices written for the GDPR.
  • Automated decision-making is disclosed. If your organisation takes decisions about individuals exclusively by automated processing that have legal effects on them or significantly affect them, Art. 21 nDSG requires that you inform them of this and that, on request, they can state their position and have the decision reviewed by a natural person. Check whether your privacy notice, your product terms and the operational process for handling a review request address this.
  • Privacy notice is accessible and in appropriate languages. Neither the Act nor the DPO prescribes a language, but the information has to actually reach the data subject, so the practical standard is the language in which you address your Swiss customers: German for most of the country, with French and Italian versions where you serve the French- and Italian-speaking regions.

Checklist Area 3: Data Subject Rights and Request Handling

  • Access request process is in place. Under Art. 25 nDSG, data subjects have the right to learn whether their personal data are being processed and, if so, to receive the information needed to assert their rights: at a minimum the controller's identity and contact details, the personal data as such, the purpose, the retention period or the criteria for it, the available information on the origin of the data, any automated individual decision and the logic behind it, and the recipients or categories of recipients including the Art. 19(4) information on disclosures abroad. The process for handling these requests (intake, identity verification, response compilation, deadline tracking) should be documented and tested.
  • 30-day response timeline is achievable. Art. 25(7) nDSG provides that access is as a rule granted within 30 days, and Art. 18 DPO requires that, if the deadline cannot be met, the data subject is told and given the date by which the information will be supplied. Access is in principle free of charge. If your process would consistently take longer than 30 days, this is a gap.
  • Rectification, erasure, and restriction processes exist. The nDSG frames these differently from the GDPR: rectification of inaccurate data is a statutory right (Art. 32(1)); deletion or destruction of data and a prohibition on disclosure to third parties are civil-law claims under Art. 32(2) rather than stand-alone requests with their own deadlines; and where neither accuracy nor inaccuracy can be established, the data subject can require a note of dispute to be attached to the data (Art. 32). Art. 28 adds a right to receive one's data in a common electronic format, or to have it transferred to another controller. The processes do not need to be identical to your GDPR processes, but they need to exist and be operational.

Checklist Area 4: International Data Transfers

  • Transfer mechanisms are in place for disclosures abroad. Under Art. 16 nDSG, personal data may be disclosed abroad only if the Federal Council has determined that the destination state or international body guarantees adequate protection (the list is Annex 1 of the DPO) or one of the safeguards in Art. 16(2) is in place: an international treaty, contractual data protection clauses notified to the FDPIC in advance, standard data protection clauses approved, issued or recognised by the FDPIC, or binding corporate rules approved in advance by the FDPIC or a competent foreign data protection authority. Failing that, one of the narrow exceptions in Art. 17 (such as express consent in the individual case) must apply. The EU SCCs are not automatically valid under Swiss law: the FDPIC recognises them only with the Swiss adaptations set out in its guidance (Swiss governing law and forum for Swiss exporters, references to the GDPR read as references to the FADP, the FDPIC as competent authority), so a transfer inventory that relies on unmodified EU SCCs has a gap.
  • Your transfer inventory is current. International transfer inventories are frequently incomplete because data transfers occur through procurement decisions (SaaS tools, cloud services) that are not systematically assessed for data residency implications. A sweep of active vendor contracts for data residency terms is a useful starting point.

Checklist Area 5: Privacy Impact Assessments

  • PIA triggers have been reviewed under nDSG criteria. Art. 22 nDSG requires a data protection impact assessment when the intended processing is likely to result in a high risk to the personality or fundamental rights of data subjects. The Act itself (Art. 22(2)) says that a high risk arises, in particular with new technologies, from the nature, scope, circumstances and purpose of the processing, and names two cases outright: large-scale processing of sensitive personal data, and systematic monitoring of extensive public areas; high-risk profiling (defined in Art. 5) is the third trigger the FDPIC points to in its guidance. Where a high risk remains after the planned measures, Art. 23 requires prior consultation of the FDPIC, unless the controller has consulted its own data protection advisor appointed under Art. 10. If your DPIAs were scoped under GDPR Art. 35 criteria alone, confirm that these triggers do not expand the scope.
  • PIA outcomes are documented and up to date. A PIA that was completed before a significant change to the relevant processing activity is out of date. The same maintenance discipline applies as for the ROPA.

Checklist Area 6: Data Breach Response

  • Breach notification process addresses the FDPIC. Art. 24 nDSG requires the controller to notify the FDPIC as soon as possible of a breach of data security that is likely to result in a high risk to the personality or fundamental rights of data subjects, stating at least the nature of the breach, its consequences and the measures taken or planned (Art. 24(2)). Processors must report every breach of data security to the controller as soon as possible (Art. 24(3)), and the controller must inform the data subjects themselves where that is necessary for their protection or the FDPIC requires it (Art. 24(4)). If your breach response procedure was written for GDPR and references only EU supervisory authorities, it needs to be updated to include the FDPIC as a notification recipient for incidents affecting Swiss personal data, and your DPAs need to carry the processor-to-controller reporting duty.
  • Notification timelines and thresholds are understood. The nDSG's "as soon as possible" framing is less prescriptive than the GDPR's 72-hour deadline, and its "high risk" threshold is higher than the GDPR's "unlikely to result in a risk" test, so the EU notification decision cannot simply be reused; assess the Swiss threshold separately for each incident. Your internal process should specify a target timeline (72 hours is a reasonable internal benchmark) and a documented threshold assessment for what constitutes a notifiable incident under Art. 24, with the assessment recorded even when the conclusion is not to notify.

Prioritising Remediation

If you are using this checklist to scope a gap assessment, prioritise in this order: first, anything that affects your ability to respond to supervisory authority or data subject requests (processing register, rights-handling processes, breach response); second, international transfer mechanisms (these are among the most frequently and seriously enforced areas); third, privacy notice accuracy; fourth, PIA coverage for high-risk processing.

The nDSG has been in force since September 2023, well over two years by now. The FDPIC has been actively developing its enforcement posture and has signalled that it expects organisations to have moved beyond initial implementation. Gaps that were understandable in Q4 2023 are harder to justify in 2026.