FADP and GDPR: What Swiss Companies Need to Know

Switzerland's revised Federal Act on Data Protection shares significant ground with the GDPR — but the differences matter. We break down the practical implications for companies operating across both regimes.

Switzerland's revised Federal Act on Data Protection — the nDSG, or FADP in the English-language acronym — entered into force on 1 September 2023. The revision was decades overdue: the original DSG dated from 1992, a period when the data landscape was unrecognisable by today's standards. The revised law is unambiguously closer to the GDPR than its predecessor, but treating FADP compliance as equivalent to GDPR compliance is an error that creates real gaps.

This matters particularly for Swiss-based companies that process data about EU data subjects, and for EU-based companies that process data in Switzerland or about Swiss residents. Both groups need to understand not just where the two regimes overlap, but precisely where they diverge — because the divergences tend to be where compliance failures occur.

What the Two Regimes Have in Common

The structural similarities are substantial enough to make parallel compliance tractable. Both regimes require a lawful basis for processing personal data. Both establish data subject rights: access, rectification, erasure, and objection. Both require transparency toward data subjects about how their data is processed. Both mandate that international data transfers occur only to countries providing adequate protection or under appropriate safeguards. Both require Data Protection Impact Assessments (DPIAs under the GDPR; Privacy Impact Assessments under the FADP) for high-risk processing.

For organisations that are already GDPR-compliant, the FADP does not require rebuilding from scratch. Much of the documentation infrastructure — privacy notices, DPA agreements with processors, internal processing records — maps across. The question is where to focus the incremental effort.

Where the FADP Differs: Points of Practical Divergence

No ROPA obligation for small organisations

Under the GDPR (Art. 30), organisations with fewer than 250 employees are partially exempt from the ROPA obligation — though the exception is narrower than it appears, since it does not apply to organisations that process data likely to result in a risk to data subjects. The FADP takes a different approach: Art. 12 nDSG requires a register of processing activities but provides a proportionality carve-out for companies for which maintaining such a register would entail disproportionate effort, particularly small businesses processing data for non-professional purposes. In practice, this is a narrower exemption than it sounds for commercial entities, but it represents a textual difference that matters when assessing obligations.

Mandatory breach notification timelines differ

Under the GDPR, Art. 33 requires notification to the supervisory authority within 72 hours of becoming aware of a personal data breach. The FADP (Art. 24 nDSG) requires notification "as soon as possible" — the Swiss Federal Data Protection and Information Commissioner (FDPIC) guidance suggests this aligns broadly with the 72-hour spirit, but the framing is less prescriptive. For organisations that have built GDPR breach response procedures around the 72-hour hard deadline, this distinction is mostly academic. But it affects how you draft your internal incident response playbook when handling a breach that may affect both Swiss and EU data subjects simultaneously.

The concept of "sensitive personal data" is not identical

The GDPR's special categories of data (Art. 9) include genetic and biometric data used for unique identification. The FADP's definition of sensitive personal data (Art. 5(c) nDSG) includes data on administrative and criminal proceedings and sanctions — a category that does not map cleanly to GDPR special categories. Conversely, the FADP does not treat all biometric data as inherently sensitive in the same way. For healthcare, legal-tech, or insurance companies operating in Switzerland, the practical classification of what constitutes high-sensitivity data can differ between the two regimes.

Right to explanation in automated decision-making

The GDPR (Art. 22) provides data subjects with rights in relation to solely automated decisions that have significant effects, including the right to obtain human intervention. The FADP (Art. 21 nDSG) similarly addresses automated individual decision-making but frames the right somewhat differently — individuals may request that an automated decision be reviewed by a natural person. For organisations deploying credit scoring, insurance underwriting, or profiling-based marketing in the Swiss market, verifying that your automated decision-making (ADM) disclosure and review process satisfies both regimes is a distinct compliance step.

The Supervisory Authority Question

One of the more consequential practical differences is that Switzerland is not a member of the EU and its supervisory authority — the FDPIC — operates independently of the European Data Protection Board. This has a direct consequence for the "one-stop-shop" mechanism available under the GDPR. An EU company processing data about Swiss residents cannot rely on its lead supervisory authority in, say, Ireland or Luxembourg to cover its Swiss FADP obligations. The FDPIC is a separate regulator with separate enforcement powers and a developing body of guidance that does not always align with EDPB positions.

We are not saying that GDPR compliance is insufficient — it is an excellent foundation. But it is exactly that: a foundation. The FADP requires a supplementary layer of analysis that is Switzerland-specific.

The Adequacy Decision and Data Transfers

Switzerland is not on the EU's adequacy list under Art. 45 GDPR, despite the two regimes' alignment. The EU treats Switzerland as an adequate destination under a separate adequacy determination from 2000 (updated periodically), but this determination is not automatic and its continuity cannot be assumed indefinitely. Swiss companies exporting data to EU countries need to understand that the transfer mechanism runs in both directions: SCCs or BCRs are typically required for EU-to-third-country transfers, and Switzerland — despite its alignment — sits in the third-country category for this purpose.

A mid-size Zurich-based financial services company operating with an EU payment processor subsidiary discovered in late 2024 that its data transfer arrangements relied on a legacy adequacy assumption that had not been reviewed against the post-Schrems II framework. The remediation required both updated SCCs covering the EU-side transfers and a review of the FADP's own requirements for transfers to EU countries — which the FADP handles through a separate adequacy list maintained by the Federal Council.

Building a Dual-Compliance Programme

The practical approach for most companies in scope of both regimes is to build on GDPR as the more prescriptive framework and layer FADP-specific requirements on top, rather than maintaining two entirely separate compliance programmes. That means a ROPA that covers all processing activities regardless of which regime governs, privacy notices that include both GDPR and FADP disclosure requirements (the FADP's Art. 19 transparency requirements are broadly similar to Art. 13-14 GDPR but not identical in the information required), and DPIAs / PIAs that address the threshold tests of both frameworks.

Where the programmes diverge most consequentially is in incident response — specifically, breach notification to both the FDPIC and the relevant EU supervisory authority if both data subject populations are affected — and in the handling of automated decision-making disclosures, where the specific language of the data subject's rights differs between the regimes.

For Swiss companies with a serious EU customer base, and for EU companies with Swiss operations, maintaining that dual-compliance lens is not optional. The FDPIC has been building its enforcement capacity since the nDSG entered into force, and early signals suggest it intends to use it.