Service — Switzerland

FADP / revDSG Compliance

Switzerland's revised Federal Act on Data Protection (nDSG) has been in force since 1 September 2023. Most EU-based compliance consultancies advise on it by analogy with GDPR. Qala advises on it from direct, current experience of both regimes — from Zurich.

1 Sep 2023 nDSG in force — transitional period ended
FDPIC Federal Data Protection and Information Commissioner — supervisory authority
Both CH-domiciled companies often face GDPR exposure through EU clients or data flows

Swiss Data Protection — What Has Changed

The revised Federal Act on Data Protection (nDSG, or FADP in English) substantially modernises Switzerland's privacy framework, aligning it more closely with the GDPR while preserving Swiss-specific requirements. For companies operating under both, the overlap is real but incomplete.

Key areas where FADP (nDSG) diverges from GDPR include: specific notification thresholds to the FDPIC, a distinct list of sensitive data categories that includes financial data (not separately listed in GDPR Art. 9), Swiss adequacy determinations for international data transfers, and privacy impact assessment obligations that apply at different thresholds. Qala advises on both regimes simultaneously — so your programme does not satisfy GDPR at the cost of nDSG exposure, or the reverse.

  • FADP gap assessment against your existing GDPR programme
  • GDPR/nDSG alignment mapping — convergences and divergences
  • Swiss ROPA requirements and nDSG documentation obligations
  • FDPIC notification obligations and supervisory engagement guidance
  • Cross-border data transfer assessment under FADP adequacy framework
  • Sensitive data category analysis under Swiss law (diverges from GDPR Art. 9)
  • Privacy notice updates for dual-regime compliance

Regime Comparison

GDPR

EU Regulation 2016/679. Applies to processing of EU residents' data regardless of processor location.

FADP / nDSG

Swiss Federal law. In force Sep 2023. Applies to CH-domiciled controllers and cross-border effects on CH residents.

Qala Intersection

Dual-regime programme design — one set of processes, compliant with both.

Why Swiss Companies Need Both

FADP and GDPR share principles but diverge on implementation details. Treating them as identical creates exposure under both.

Adequacy Status

Switzerland holds EU adequacy for data transfers — but this is not reciprocal in all directions. CH companies transferring to non-adequate countries must apply FADP-specific mechanisms, not just GDPR SCCs.

FDPIC vs. DPA

The Federal Data Protection and Information Commissioner (FDPIC) is Switzerland's supervisory authority. Engagement requirements, timelines, and enforcement powers differ from EU member state DPAs.

Sensitive Data Categories

nDSG defines sensitive data categories that partially differ from GDPR Art. 9. Financial data is explicitly listed as sensitive under Swiss law — a distinction that affects processing basis requirements.

Assess your FADP readiness

We assess your current compliance programme against nDSG requirements — identifying gaps specific to Swiss law that a GDPR-only programme will not catch, and the obligations most likely to attract FDPIC attention.

Schedule Consultation Read our FADP/GDPR guide →