{"id":139490,"date":"2026-05-12T10:14:47","date_gmt":"2026-05-12T10:14:47","guid":{"rendered":"https:\/\/my.legal500.com\/guides\/?post_type=comparative_guide&#038;p=139490"},"modified":"2026-05-12T10:14:47","modified_gmt":"2026-05-12T10:14:47","slug":"switzerland-data-protection-cybersecurity","status":"publish","type":"comparative_guide","link":"https:\/\/my.legal500.com\/guides\/chapter\/switzerland-data-protection-cybersecurity\/","title":{"rendered":"Switzerland: Data Protection &amp; Cybersecurity"},"content":{"rendered":"","protected":false},"template":"","class_list":["post-139490","comparative_guide","type-comparative_guide","status-publish","hentry","guides-data-protection-cybersecurity","jurisdictions-switzerland"],"acf":[],"appp":{"post_list":{"below_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">B\u00e4r &amp; Karrer Ltd.<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2019\/03\/bk_logo_108U.jpg\"\/><\/span><\/div>"},"post_detail":{"above_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">B\u00e4r &amp; Karrer Ltd.<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2019\/03\/bk_logo_108U.jpg\"\/><\/span><\/div>","below_title":"<span class=\"guide-intro\">This country specific Q&amp;A provides an overview of Data Protection &amp; Cybersecurity laws and regulations applicable in Switzerland<\/span><div class=\"guide-content\"><div class=\"filter\">\r\n\r\n\t\t\t\t<input type=\"text\" placeholder=\"Search questions and answers...\" class=\"filter-container__search-field\">\r\n\t\t\t<\/div>\r\n\r\n\t\t\t\r\n\r\n\r\n\t\t\t<ol class=\"custom-counter\">\r\n\r\n\t\t\t\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please provide an overview of the legal and regulatory framework governing 
data protection, privacy and cybersecurity in your jurisdiction (e.g., a summary of the key laws; who is covered; what sectors, activities or data do they regulate; and who enforces the relevant laws).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In Switzerland, data protection is primarily governed by the Swiss Federal Act on Data Protection of 25 September 2020 (Data Protection Act, FADP), together with the Swiss Federal Ordinance on Data Protection of 31 August 2022 (Data Protection Ordinance, FODP), both effective since 1 September 2023. Although the FADP is aligned with the EU GDPR in many respects, it has not simply adopted its provisions on a one-to-one basis. Organisations operating in both the EU and Switzerland must therefore remain mindful of the specific features of Swiss data protection law.<\/p>\n<p>The FADP applies to the processing of personal data of natural persons by private persons and federal bodies. Cantonal and communal authorities are governed by their own cantonal data protection laws, which extend to private companies only where they perform a public service mandate. The FADP may also have extraterritorial effect on controllers and processors established outside Switzerland if their processing activities have an effect in Switzerland (e.g., if they process personal data of a significant number of individuals located in Switzerland).<\/p>\n<p>Additional sectoral rules apply to areas such as banking, insurance, healthcare, and telecommunications (see Q38 and Q42).<\/p>\n<p>The Federal Data Protection and Information Commissioner (FDPIC) is responsible for enforcing the FADP. Its powers include conducting investigations, issuing binding decisions and administrative measures, and recommending corrective actions. 
In serious cases, criminal sanctions may be imposed by the competent criminal prosecution authorities on individuals (particularly those who, for example, intentionally obstruct investigations or unlawfully disclose personal data). At the cantonal level, cantonal data protection authorities may hold competence over public bodies in their respective cantons.<\/p>\n<p>Switzerland does not have a single comprehensive cybersecurity act but instead relies on various laws and regulations. Criminal offences involving unauthorised access to IT systems, hacking, and malware are primarily addressed by the Swiss Federal Criminal Code (SCC), which criminalises computer misuse, data theft, and related offences. The Swiss National Cyber Strategy, first adopted in 2012 and updated periodically, sets strategic objectives and encourages public-private cooperation to enhance cybersecurity. The National Cyber Security Centre (NCSC) monitors cyberthreats and works closely with industry to improve cyber resilience. Operators of critical infrastructure \u2013 including those in the energy, telecommunications, defence, and related sectors \u2013 are subject to additional obligations regarding risk assessments and the reporting of cyberattacks to the NCSC. In finance, FINMA Circulars impose duties to maintain adequate IT security systems and to notify FINMA of cyber incidents. 
See Q38 and Q42.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any expected changes in the data protection, privacy or cybersecurity landscape in 2025 - 2026 (e.g., new laws or regulations coming into effect, enforcement of such laws and regulations, expected regulations or amendments)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Switzerland&#8217;s revised FADP took effect in September 2023. Further, since January 2024, the new Information Security Act (ISA) is in force, which consolidates the key legal foundations for the security of the federal government&#8217;s information and IT resources into a single law. A key provision, which came into effect on 1 April 2025, is the mandatory reporting of cyberattacks on critical infrastructure. Operators of critical infrastructure are required to report cyberattacks to the National Cyber Security Centre (NCSC) within 24 hours of discovery (see Q42). Since 1 October 2025, sanctions apply for non-compliance with the reporting obligation, with fines of up to CHF 100,000.<\/p>\n<p>On 6 May 2026, the Federal Council instructed the Federal Department of Defence, Civil Protection and Sport (DDPS) to prepare a draft for a further revision of the ISA. The revision will address implementation difficulties identified since the Act&#8217;s entry into force, including clarification of its scope, simplification of personnel security check procedures, a review of classification levels for international compatibility, and possible harmonization of criminal-law provisions on classified information. 
A public consultation is expected by mid-2027.<\/p>\n<p>Separately, the Federal Council has tasked the NCSC and other Federal Departments with preparing a standalone legislative proposal on cyber resilience for digital products, with a draft expected by autumn 2026.<\/p>\n<p>Further regulatory guidance may also be anticipated at EU and international levels, for instance in connection with cross-border data transfer frameworks and the EU&#8217;s NIS2 Directive, which may indirectly affect Swiss companies operating in or with the EU.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any identifiable trends or regulatory priorities in privacy, data protection and\/or cybersecurity-related enforcement activity in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Data protection enforcement in Switzerland has intensified since the revised FADP entered into force on 1 September 2023. The FDPIC has increased enforcement staff by approximately 30 percent and concluded its first formal supervisory proceedings under the new law, several of which have been contested and are now pending before the Federal Administrative Court.<\/p>\n<p>An enforcement priority has been compliance with data subject rights, particularly the handling of access requests under Article 25 FADP.<\/p>\n<p>In January 2025, the FDPIC reprimanded Cembra Money Bank AG for responding to access requests with standardized letters listing only data categories rather than actual personal data, and for repeatedly exceeding the statutory 30-day deadline by up to nine months. 
In May 2025, the FDPIC found that PostFinance AG\u2019s creation of voiceprints for customer authentication without explicit consent violated data protection law and ordered the deletion of voiceprints for which no consent had been obtained. PostFinance has appealed the ruling.<\/p>\n<p>In the area of AI and data protection, the FDPIC has emphasized transparency and user control regarding AI models trained on publicly available personal data, concluding a preliminary investigation into the AI model Grok after its operator introduced an opt-out mechanism for users. The FDPIC has also reviewed AI-supported video surveillance at Coop Group\u2019s automatic checkouts, finding the processing compliant with the FADP.<\/p>\n<p>Further enforcement actions have addressed data security, most notably investigations into the Federal Office of Police, the Federal Office for Customs and Border Security, and their IT service provider Xplain following the 2023 ransomware attack, all of which were found to have fallen short of minimum data security standards. In the consumer space, the FDPIC\u2019s investigation into Digitec Galaxus\u2019 advertisement personalization practices led the retailer to implement a one-click opt-out for customers.<\/p>\n<p>Given limited resources, the FDPIC continues to follow the principle of expediency, focusing enforcement on cases presenting significant risks to data subjects\u2019 personality or fundamental rights, such as high-risk data breaches, non-compliance with core data subject rights, and novel technologies like AI and biometric identification.<\/p>\n<p>In 2026, Switzerland faces an increasingly complex cybersecurity landscape, marked by a sharp rise in sophisticated cyberattacks. The National Cyber Security Centre (NCSC) recorded approximately 65,000 incidents in 2025, driven primarily by persistent threats such as ransomware and phishing. 
Malicious actors are increasingly leveraging artificial intelligence (AI) to automate attacks and enhance targeting precision. In response, many Swiss companies are adopting or are projected to adopt AI-enabled cybersecurity solutions in 2026. These technologies are expected to enhance threat detection capabilities, reduce reliance on manual input, and thereby minimise human error and response times.<\/p>\n<p>While the financial sector remains a key area of regulatory oversight, other critical infrastructure sectors \u2013 including healthcare, energy, telecommunications, and transport \u2013 are now subject to heightened scrutiny. The revised Information Security Act (ISA), in force since 1 January 2024, enhances compliance and monitoring obligations across both public and private sectors. Of particular importance are the mandatory reporting obligations for operators of critical infrastructure, effective since 1 April 2025 (see Q38 and Q42). Since the introduction of this obligation, the NCSC recorded 222 cyber incident reports for 2025, predominantly from organisations in public administration, information and communications, and finance and insurance. Complementing these legislative efforts, the Swiss government\u2019s \u201cDigital Switzerland Strategy 2025\u201d identifies cybersecurity resilience and the promotion of open-source technologies as key pillars for strengthening digital sovereignty. 
Given this heightened emphasis on critical infrastructure protection and rapid incident response, Swiss companies are encouraged to invest in advanced cybersecurity solutions, prioritise regulatory compliance, and maintain organisational agility to respond to evolving threats and legal requirements.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any registration or licensing requirements for entities covered by these data protection and cybersecurity laws, and if so what are the requirements? Are there any exemptions? What are the implications of failing to register \/ obtain a licence?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In Switzerland, there is no general registration or licensing requirement under the FADP. Private companies that process personal data are not required to formally register with, or obtain a licence from, the Federal Data Protection and Information Commissioner (FDPIC) simply on account of processing personal data.<\/p>\n<p>In contrast to the EU GDPR, the FADP requires only federal bodies to appoint a data protection officer (DPO). For private companies, appointing a DPO is voluntary. However, if a private company wishes to avoid the obligation to notify the FDPIC of its data protection impact assessment outcomes, it must appoint and register a DPO with the FDPIC. See Q17.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What does \u201cpersonal data,\u201d \u201cpersonal information\u201d or other equivalent terms (hereafter \u201cpersonal data\u201d) mean under data protection laws in your jurisdiction? 
Does the definition broadly include information about all individuals? For example, would this include individuals acting in a personal or household capacity, as well as those acting in a business or commercial capacity (such as on behalf of a business or corporate entity or employer) or otherwise?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Similar to the definition set out in the EU GDPR, the FADP defines \u201cpersonal data\u201d as any information relating to any identified or identifiable natural person regardless of the capacity in which such person acts (e.g., as an employee). Further, the FADP contains a personal use exception, excluding from its scope any personal data processed by a natural person exclusively for personal use \u2013 meaning individuals processing personal data for purely private purposes fall outside the FADP&#8217;s application.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are certain types of personal data considered more sensitive or highly regulated under data protection laws in your jurisdiction?  
Please include the relevant defined terms for such data (e.g., \u201cspecial categories of personal data,\u201d \u201csensitive data\u201d or \u201csensitive personal information\u201d)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>\u201cSensitive personal data\u201d is defined slightly more broadly than under the EU GDPR, encompassing information relating to religious, philosophical, political, or trade union-related views or activities, health, the intimate sphere or racial or ethnic origin, genetic data, biometric data that uniquely identifies a natural person, details about administrative or criminal proceedings or sanctions, and data relating to social assistance measures.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What principles apply to the processing of personal data in your jurisdiction? For example: is it necessary to establish a \u201clegal basis\u201d for processing personal data?; are there specific transparency requirements?; must personal data only be kept for a certain period? Please provide details of such principles.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The FADP encompasses several core principles relating to the processing of personal data. First, the law requires that personal data be processed lawfully (principle of legality), in good faith (principle of good faith), and in accordance with the principle of proportionality \u2013 meaning that data may only be processed in a manner that is suitable, required, and necessary to achieve the intended purpose. Processing must therefore be limited to the minimal amount of data and the shortest duration necessary. 
While not explicitly mentioned, the principle of good faith is understood to encompass transparency. Data controllers must ensure that data subjects know how, why, and by whom their personal data is processed, including any disclosures to third parties. Under the FADP \u2013 and in contrast to the EU GDPR \u2013 data subjects must also be informed about the recipient countries to which their data is transferred, together with any safeguards or statutory exceptions relied upon.<\/p>\n<p>Additionally, personal data may only be collected for a specific purpose that is evident to the data subject (principle of purpose limitation), and the data must not be processed in a way that is incompatible with that purpose. Every appropriate measure must also be taken to ensure personal data is accurate (principle of data accuracy). Any data found to be inaccurate or incomplete in light of its processing purpose must be corrected, deleted, or destroyed.<\/p>\n<p>In a conceptually different approach from the EU GDPR, which requires a specific legal basis for any processing activity (\u201cprohibition principle subject to permission\u201d; Verbotsprinzip mit Erlaubnisvorbehalt), the FADP generally permits the processing of personal data without such basis, provided that the controller complies with the core data protection principles (\u201cpermission principle subject to prohibition\u201d; Erlaubnisprinzip mit Verbotsvorbehalt). A legal justification becomes necessary only where these principles are breached. In such cases, the controller must demonstrate an appropriate justification, such as the data subject\u2019s valid consent, an overriding private or public interest, or a statutory basis. 
Unlike Article 6 GDPR, however, Swiss law does not provide an exhaustive catalogue of permissible justifications.<\/p>\n<p>Although the FADP does not impose a strict maximum data retention period, personal data must be deleted or rendered anonymous once it is no longer needed for the purpose for which it was originally collected. Retaining data beyond what is necessary risks infringing the principle of proportionality. Consequently, controllers should adopt clear internal data retention policies detailing how long data is kept and establishing procedures for the secure deletion or anonymisation of personal data.<\/p>\n<p>Finally, although not expressly framed as a data processing principle under the FADP, controllers and processors must at all times preserve data security (that is, the confidentiality, integrity, and availability of the data) by implementing appropriate technical and organisational measures (TOMs).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any circumstances for which consent is required or typically obtained in connection with the processing of personal data? What are the rules relating to the form, content and administration of such consent? For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the FADP, consent is generally not required for processing personal data. 
However, if a controller breaches any of the data processing principles (i.e., lawfulness, proportionality, good faith, purpose limitation, and data accuracy; see Q7), the controller must be able to justify its processing activity \u2013 for example, by the affected data subject\u2019s consent, an overriding private or public interest, or a statutory basis. If a controller elects to rely on consent as the legal basis for processing, the following applies:<\/p>\n<p><strong>&#8211; Freely given, specific, informed:<\/strong> Consent must be given voluntarily and based on clear, comprehensible information regarding the nature, scope and purpose of processing: Data subjects should know what data is processed, why it is processed, how it is used, and whether any transfers occur (including safeguards or statutory exceptions relied upon).<\/p>\n<p><strong>&#8211; Form requirements:<\/strong> No strict rule mandates written or signed consent, though verifiable consent is advisable. If a controller relies on consent to process sensitive personal data or conducts high-risk profiling, or if a federal body conducts profiling, such consent must be explicitly given. The same applies where a controller intends to rely on consent as a statutory exception to transfer personal data to a third country or international body that does not guarantee an adequate level of protection.<\/p>\n<p><strong>&#8211; Implied Consent:<\/strong> Permissible if the data subject\u2019s intent is clear and the privacy intrusion minimal. The controller must demonstrate that consent was informed.<\/p>\n<p><strong>&#8211; Bundled Consent:<\/strong> Incorporating consent into broader documents (e.g., terms of service) is permissible, provided that data subjects are clearly informed of the specific processing activities to which they are consenting. 
Multiple separate processing activities should be clearly distinguished.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What special requirements, if any, are required for processing particular categories of personal data (e.g., health data, children\u2019s data, special category or sensitive personal data, etc.)? Are there any prohibitions on specific categories of personal data that may be collected, disclosed, or otherwise processed?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Because the FADP follows a \u201crisk-based\u201d approach, the processing of sensitive personal data must meet higher standards than the processing of personal data involving lower risks. Article 5 lit. c FADP defines \u201csensitive personal data\u201d (see Q6).<\/p>\n<p>Under the FADP, the disclosure of sensitive personal data to third parties is in itself considered a violation of personality rights unless justified by the data subject\u2019s explicit consent, by law, or by an overriding private or public interest. In practice, such overriding interests rarely exist; explicit consent is therefore the primary legal basis for disclosure in the absence of a specific statutory provision. Notably, Article 6 para. 7 FADP does not introduce a general obligation to obtain consent for processing sensitive personal data. Rather, it specifies that where controllers rely on consent as their justification for processing such data, the consent must be given explicitly.<\/p>\n<p>Additionally, under the FADP, controllers must conduct a data protection impact assessment (DPIA) where the intended data processing is likely to result in a high risk to the personality or fundamental rights of the data subject. 
The FADP explicitly recognises the large-scale processing of sensitive personal data as a high-risk activity that triggers the obligation to conduct a DPIA. Furthermore, federal authorities must generally only process sensitive personal data where there is a statutory basis in a formal law. A statutory basis in a substantive law is only sufficient as the basis for processing sensitive personal data if the processing is essential for a task required by a formal law and the purpose of processing poses no particular risks to the data subject\u2019s fundamental rights.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction have special or particular requirements, restrictions, or rules regarding the collection, use, disclosure or processing of personal information from or about children or minors? If so, what is the age threshold and key requirements\/restrictions that go beyond those applicable, generally?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Although the FADP does not specifically categorize children\u2019s data as sensitive, the Federal Data Protection and Information Commissioner (FDPIC) acknowledges the heightened level of protection that must be afforded to children\u2019s data. 
Enhanced protective measures typically include (i) ensuring informed consent is provided by a legal guardian, and (ii) presenting privacy information in clear, age-appropriate language and supplemented by visual aids \u2013 such as pictograms or symbols \u2013 to facilitate understanding by children.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction include any derogations, exemptions, exclusions or limitations other than those already described? If so, please describe the relevant provisions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The FADP does not apply in the following situations:<\/p>\n<p><strong>&#8211; Personal use \/ Household exemption:<\/strong> When personal data is processed by a natural person exclusively for personal use.<\/p>\n<p><strong>&#8211; Parliamentary activities:<\/strong> When personal data is processed by the Federal Assembly and parliamentary committees as part of their deliberations.<\/p>\n<p><strong>&#8211; Entities with immunity:<\/strong> When personal data is processed by institutional beneficiaries under Article 2 para. 1 of the Host State Act of 22 June 2007, which enjoy immunity from jurisdiction in Switzerland.<\/p>\n<p>Additionally, data processing and data subject rights in court proceedings and other proceedings governed by federal procedural law are subject to the applicable procedural laws. However, in administrative proceedings of first instance, the FADP applies.<\/p>\n<p>Finally, the FADP does not apply to public registers concerning private law transactions, in particular with respect to access to these registers and data subject rights, where such matters are regulated by specific provisions under applicable federal law. 
In the absence of such special provisions, the FADP remains applicable.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Does your jurisdiction require or recommend privacy risk or impact assessments in connection with personal data processing activities and, if so, under what circumstances? How are these assessments typically carried out?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The FADP requires data controllers to carry out a data protection impact assessment (DPIA) when the intended processing of personal data is likely to result in a high risk to the personality or fundamental rights of the data subjects.<\/p>\n<p>A DPIA is mandatory particularly in situations where sensitive personal data is processed on a large scale, where systematic monitoring of publicly accessible areas takes place, or where new technologies are used in ways that significantly increase risks to individuals. The assessment must evaluate whether the data processing is necessary and proportionate in light of its intended purpose and identify any risks that may arise for the data subjects.<\/p>\n<p>If high risks are identified, the controller must also outline the measures planned to mitigate those risks. 
In cases where the identified risks cannot be adequately mitigated, the controller is required to consult with the Federal Data Protection and Information Commissioner (FDPIC) before commencing processing, unless the controller previously consulted with its data protection officer (DPO).<\/p>\n<p>Although the FADP does not prescribe a specific format for DPIAs, best practice involves documenting the nature and purpose of the processing, evaluating the necessity and proportionality of the data collection, assessing potential risks, and defining appropriate measures to mitigate those risks. DPIAs should be conducted at an early stage \u2013 ideally during the planning and design phase of the processing activity \u2013 and must be reviewed and updated where there is a substantial change in the nature, scope, or context of the processing. The FDPIC has issued a factsheet to assist controllers in complying with Articles 22 and 23 FADP including a flowchart for the preliminary assessment of whether a DPIA must be carried out as well as a template for structuring a DPIA.<\/p>\n<p>Further, the FDPIC provides detailed information on the DPIA (in English, German, French, and Italian) on its website.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any specific codes of practice, or self-regulatory codes applicable in your jurisdiction regarding the processing of personal data (e.g., codes of practice for processing children\u2019s data or health data)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The FADP establishes a formal mechanism for codes of conduct (Article 11). 
Under this framework, professional, industry, and trade associations, as well as federal bodies, may develop their own codes of conduct and submit them to the Federal Data Protection and Information Commissioner (FDPIC) for an opinion. A favourable FDPIC opinion gives rise to a presumption that the code complies with data protection law and may exempt private controllers from certain obligations, such as conducting a data protection impact assessment (Article 22 para. 5 FADP) or may serve as a valid guarantee for cross-border data transfers (the latter requiring prior FDPIC approval rather than merely an opinion).<\/p>\n<p>Notwithstanding this statutory framework, no sector-specific codes of conduct appear to have been formally submitted to the FDPIC and received a published opinion to date. The FDPIC has, however, issued various non-binding guidelines and guidance documents on specific topics \u2013 such as cookies, data security breaches, and cross-border transfers \u2013 that serve a similar practical function in guiding compliance, although they do not carry the formal legal status of an approved code of conduct under Article 11.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are organisations required to maintain any records of their data processing activities or establish internal processes or written documentation? 
If so, please describe how businesses typically meet such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, under the FADP, organisations are required to maintain records of their data processing activities and establish internal documentation and processes to ensure compliance with data protection obligations.<\/p>\n<p>Specifically, Article 12 FADP mandates both controllers and processors to maintain a register of their processing activities (ROPA) and, if requested, make it available to the Federal Data Protection and Information Commissioner (FDPIC).<\/p>\n<p>Controllers, as a minimum, are obliged to record (i) the identity of the controller, (ii) the purpose of processing, (iii) a description of the categories of data subjects and the categories of processed personal data, (iv) the categories of recipients, (v) if possible, the retention period for the personal data or the criteria for determining this period, (vi) if possible, a general description of the measures taken to guarantee data security, and (vii) if data is disclosed abroad, details of the recipient state and the guarantees applied.<\/p>\n<p>The processor\u2019s record shall contain (i) information on the identity of the processor and of the controller, (ii) the categories of processing carried out on behalf of the controller, (iii) if possible, a general description of the measures taken to guarantee data security, and (iv) if data is disclosed abroad, details of the recipient state and the guarantees applied.<\/p>\n<p>There is an exemption from the obligation to maintain such records for companies with fewer than 250 employees on 1 January of any year, provided they are not processing sensitive personal data on a large scale, conducting high-risk profiling, or engaging in processing activities that present a high risk to the data subjects\u2019 rights.<\/p>\n<p>While the 
FADP does not specify a particular format, Swiss organisations typically meet these requirements in practice by adopting templates (e.g., an Excel spreadsheet or Word document) or specialized IT tools \u2013 often aligned with the EU GDPR \u2013 to maintain their ROPAs.<\/p>\n<p>In addition to maintaining a ROPA, organisations are also expected to document other key compliance processes. These include conducting and retaining records of data protection impact assessments (DPIAs) where required, documenting consent when it is used as a legal basis for processing, establishing written contracts with processors, and implementing internal policies and procedures for handling data subject requests and ensuring data security.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically impose data retention limitations? If so, please describe such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the FADP, there is no explicit obligation to adopt formal data retention or data disposal policies. However, the principles embedded in the FADP \u2013 in particular, the principles of proportionality (data minimization), purpose limitation, and storage limitation \u2013 effectively require organisations to implement appropriate practices for retaining and deleting personal data.<\/p>\n<p>The FADP mandates that personal data must only be processed for as long as it is necessary to achieve the purpose for which it was originally collected. Once that purpose has been fulfilled, the data must be either anonymised or deleted, unless a valid legal basis (such as a statutory retention obligation) justifies continued storage. 
In practice, this implies that organisations must implement internal mechanisms to monitor applicable retention periods and ensure timely and secure disposal of data.<\/p>\n<p>Although the law does not require written data retention or deletion policies, organisations are strongly recommended to implement documented policies and procedures to support compliance with these principles. This includes defining specific retention periods for various categories of personal data, regularly reviewing stored data to assess its necessity, and securely deleting or anonymising data that is no longer required.<\/p>\n<p>In practice, Swiss businesses often integrate these policies into broader data lifecycle or information governance frameworks, supported by technical controls.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Under what circumstances is it required or recommended to consult with the applicable data protection regulator(s)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Similar to the EU GDPR, Swiss data protection law obliges controllers to seek the Federal Data Protection and Information Commissioner\u2019s (FDPIC) opinion if a data protection impact assessment (DPIA; see Q12) indicates that the planned processing will pose a high risk to the personality or fundamental rights of the data subject, despite any measures envisaged by the controller (Article 23 FADP).<\/p>\n<p>The FDPIC will then take a position on the planned data processing. For instance, the FDPIC may raise objections to the planned processing and communicate them to the data controller. In this case, the FDPIC proposes suitable measures. 
If the FDPIC has general objections to the data protection impact assessment (e.g., if it finds the assessment too general, or if risks or measures are not described with sufficient detail), it advises the data controller to specify or supplement it.<\/p>\n<p>While the FDPIC issues only an opinion \u2013 and ultimately no \u201capproval\u201d or \u201cauthorization\u201d is required \u2013, there is a significant risk in ignoring its objections and proposed measures. Failure to address these is likely to result in the FDPIC opening an investigation.<\/p>\n<p>However, there are two exceptions to the obligation to consult with the FDPIC under Swiss data protection laws. First, if a DPIA was not required for a processing operation due to an exception according to Article 22 para. 4 or 5 FADP, consultation with the FDPIC is also not required. Further, a private controller may dispense with consulting the FDPIC if it has consulted with the data protection officer appointed by such controller.<\/p>\n<p>In practice, businesses may also opt for voluntary consultation with the FDPIC to clarify the interpretation of the FADP, e.g., in contexts involving new technologies or cross-border data processing.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require the appointment of a data protection officer, chief information security officer, or other person responsible for data protection? 
If so, what are their legal responsibilities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In contrast to the EU GDPR, the FADP does not impose a mandatory requirement on private organisations to appoint a data protection officer (DPO), Chief Information Security Officer (CISO), or any other specifically named person responsible for data protection. It is only mandatory for federal bodies. Instead, the FADP provides for a voluntary appointment mechanism that allows data controllers to designate a DPO (referred to in the official versions of the FADP in German and French as Datenschutzberater or conseiller \u00e0 la protection des donn\u00e9es).<\/p>\n<p>While optional, this designation brings tangible benefits. If a data controller appoints a DPO in accordance with Article 10 FADP, that person must be both qualified and independent in their function. Their role includes advising the organisation on its data protection obligations, monitoring internal compliance, and supporting the execution of data protection impact assessments (DPIAs). Importantly, where a DPO has been duly appointed and is involved in the execution of DPIAs, the organisation may be exempt from the requirement to consult the Federal Data Protection and Information Commissioner (FDPIC) prior to initiating high-risk data processing.<\/p>\n<p>The FADP also does not require the appointment of a CISO, nor does it set out specific responsibilities for such a role. However, Article 8 FADP mandates that data controllers implement appropriate technical and organisational measures (TOMs) to ensure data security. 
In practice, especially for larger organisations or those processing sensitive or high volumes of personal data, appointing a CISO or similar role is considered a best practice for meeting these obligations, even though it is not a legal requirement.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require or recommend employee training related to data protection? If so, please describe such training requirement(s) or recommendation(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the FADP, there is no explicit legal obligation to conduct employee training on data protection. However, training is strongly recommended in practice as a core component of the duty to implement appropriate technical and organisational measures (TOMs) under Article 8 FADP. The rationale is straightforward: Human error is one of the leading causes of data breaches, and well-trained staff are essential to meaningful compliance.<\/p>\n<p>While the FADP does not prescribe specific training content or frequency, the Federal Data Protection and Information Commissioner (FDPIC) encourages organisations to conduct regular training, with a particular focus on staff who handle personal data or sensitive personal data on a routine basis. 
In practice, training programmes typically cover (i) the lawful bases for processing personal data and the core data processing principles under the FADP, (ii) data security requirements and the organisation&#8217;s technical and organisational measures, (iii) the obligation to report data breaches internally and, where applicable, to the FDPIC, and (iv) the handling of data subject rights requests, including access requests under Article 25 FADP.<\/p>\n<p>For organisations subject to sector-specific regulation \u2014 for instance, financial institutions supervised by FINMA \u2014 additional training requirements may apply in the context of ICT risk management and operational resilience frameworks.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require controllers to provide notice to data subjects of their processing activities? If so, please describe such notice requirement(s) (e.g., posting an online privacy notice).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the FADP, data controllers are legally required to inform data subjects about their data processing activities. This duty is grounded in the principle of transparency and enshrined in Article 19 FADP. Controllers must inform data subjects at the time of collection \u2013 whether the data is collected directly from the individual or obtained from third-party sources.<\/p>\n<p>The notice must include key information enabling individuals to understand how their personal data will be used and to exercise their rights. 
Specifically, the law requires disclosure of at least (i) the controller\u2019s identity and contact details, (ii) the purpose of processing, (iii) the recipients or categories of recipients to which personal data is disclosed (e.g., sub-processors), if applicable, and (iv) the destination country and any safeguards in place or exceptions relied upon, if data is transferred abroad (which goes beyond the EU GDPR requirements). If the data is not collected directly from the data subject, the controller must also disclose the categories of personal data processed.<\/p>\n<p>While the FADP does not prescribe a specific form for providing notice, Article 13 FODP specifies that controllers must provide information in a precise, transparent, comprehensible, and easily accessible manner.<\/p>\n<p>In practice, many organisations fulfil this obligation by publishing a privacy notice online, typically on their website, and supplementing it with additional disclosures in contracts, forms or apps. For employees, many organisations provide the information in separate employee privacy notices or the employee handbook.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction distinguish between the responsibilities of \u201ccontrollers\u201d and those of \u201cprocessors\u201d (or equivalent terms) of personal data? If so, how are such terms defined and what are the key distinctions between the obligations of controllers and processors (or equivalent terms)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the FADP, the law makes a clear distinction between the roles of data controllers and data processors, each carrying distinct responsibilities. 
A controller is the party that, alone or jointly with others, determines the purpose and means of processing personal data (Article 5 lit. j FADP), while a processor handles personal data on behalf of the controller (Article 5 lit. k FADP).<\/p>\n<p>The FADP places the primary legal responsibility for compliance on the controller. Controllers are obligated to ensure that all data processing activities adhere to the data processing principles (i.e., lawfulness, proportionality, good faith, purpose limitation, and data accuracy; see Q7). They must establish appropriate technical and organisational measures (TOMs) to ensure data security, maintain records of processing activities, inform data subjects of the processing and assess data protection risks through data protection impact assessments (DPIAs) where necessary. In the event of a data breach, it is the controller who must notify, where applicable, the Federal Data Protection and Information Commissioner (FDPIC) and the affected individuals. And private controllers with their domicile or residence abroad must designate a representative in Switzerland, where necessary.<\/p>\n<p>Processors, by contrast, have a more limited role. They must process personal data only in accordance with the controller\u2019s instructions. They must seek approval before engaging sub-processors, establish appropriate TOMs to ensure data security and maintain records of processing activities.<\/p>\n<p>To formalise this relationship, the FADP requires controllers to enter into a data processing agreement (DPA) with their processors (Article 9 para. 1). The DPA outlines the scope of processing and the processor\u2019s duties, including the obligation to act solely on the controller\u2019s instructions, to implement appropriate TOMs for data security, and to notify the controller of data breaches. 
It typically also addresses sub-processing arrangements, the return or deletion of personal data, the handling of data subject rights, and the controller\u2019s audit rights.<\/p>\n<p>The practical implication is that controllers remain primarily responsible for compliance with data protection obligations, regardless of any delegation of processing activities to processors. Controllers must exercise appropriate due diligence in selecting, instructing, and supervising their processors. Conversely, processors are obliged to adhere strictly to the controller\u2019s instructions and fulfil their contractual and statutory duties with care, as failure to do so may result in liability exposure \u2013 particularly where the processor acts beyond or contrary to its authorised mandate.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction, including through the use of tracking technologies such as cookies. How are these or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>Monitoring<\/strong><\/p>\n<p>Swiss data protection laws do not explicitly address monitoring and therefore do not define the term \u201cmonitoring\u201d. However, the FADP, along with the FODP, nevertheless applies if a monitoring system processes personal data. In particular, the data processing principles of good faith (including transparency) and proportionality (Article 6 paras. 2 and 3 FADP) must be complied with.<\/p>\n<p>In practice, monitoring becomes relevant within the context of employment relationships. 
According to Article 328b of the Swiss Code of Obligations (CO), processing employee personal data is permitted only to assess the employee\u2019s suitability for the job or if it is necessary for the performance of the employment contract. Employee consent to data processing that exceeds the scope of Article 328b CO is only permissible if it is in the employee\u2019s favour (Article 362 CO). According to the Swiss Federal Supreme Court, Article 328b CO is not a prohibitive norm, but rather a principle of data processing. As such, a breach of Article 328b CO may be justified by an overriding private interest of the employer or another justification as provided in Article 31 FADP. Article 26 of the Ordinance 3 to the Swiss Employment Act prohibits the use of monitoring systems to monitor the behaviour of employees in the workplace.<\/p>\n<p><strong>Profiling \/ High-Risk Profiling<\/strong><\/p>\n<p>Under the FADP (as under the EU GDPR), profiling is defined as any form of automated processing of personal data consisting of the use of such data to evaluate certain personal aspects relating to a natural person \u2013 in particular to analyse or predict aspects concerning that natural person&#8217;s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements (Article 5 lit. f FADP). Profiling may serve various purposes, including risk assessment, behavioural analysis, or targeted marketing. It is common in practice and carries no specific legal consequences for private controllers under the FADP, provided the core data processing principles are observed. 
Controllers must nevertheless ensure that profiling is sufficiently transparent and that data subjects are informed about the categories of data created through it (e.g., preference data).<\/p>\n<p>A qualified form of profiling \u2013 and a distinctive feature of the FADP \u2013 is high-risk profiling, defined as profiling that poses a high risk to the personality or fundamental rights of the data subject by linking data that allows for an assessment of essential aspects of a natural person&#8217;s personality (Article 5 lit. g FADP). In this respect, the FADP deviates from the EU GDPR, which only recognises qualified profiling in connection with automated individual decisions. The classification as high-risk profiling is highly fact-specific and triggers the controller&#8217;s obligation to carry out a data protection impact assessment (DPIA), but does not give rise to a general consent requirement. However, where the controller relies on consent to justify high-risk profiling in circumstances where a processing principle has been violated and no other justification is available, such consent must be given explicitly (Article 6 para. 7 lit. b FADP). In addition, the overriding interest exception is not available to justify creditworthiness checks that are based on high-risk profiling (Article 31 para. 2 lit. c no. 1 FADP).<\/p>\n<p><strong>Automated Decision-Making<\/strong><\/p>\n<p>If a decision is taken exclusively on the basis of automated processing and has legal effects on the data subject or affects them significantly, the FADP obliges the controller to inform the data subject of such automated individual decision and to give the data subject the opportunity, upon request, to state their position. The EU GDPR (Articles 13 para. 2 lit. f and 14 para. 2 lit. g) requires controllers to proactively provide meaningful information about the underlying logic of automated decision-making as part of their transparency obligations. 
The FADP, by contrast, imposes no equivalent proactive disclosure requirement regarding the logic of the automated decision. The data subject can request that the decision be reviewed by a natural person.<\/p>\n<p>No right to state their position or to request review by a natural person needs to be granted if (i) the automated decision is directly related to the conclusion or performance of a contract between the controller and the data subject and the data subject&#8217;s request is fulfilled, or (ii) the data subject has explicitly consented to the automated decision-making (Article 21 para. 3 FADP).<\/p>\n<p>Profiling and automated individual decision-making are distinct concepts: Profiling may occur without any automated decision being taken, and an automated decision may be taken without any profiling. The Article 21 FADP notification and review obligations are only triggered where the final decision itself is made solely by automated means. For instance, if a retail company employee uses a computer to analyse customer behaviour (such as purchase history, browsing patterns, and demographic data) and the system suggests segmenting customers into marketing groups like \u201cfrequent buyers\u201d, \u201cdiscount seekers\u201d, or \u201cluxury shoppers\u201d for targeted promotional emails, this constitutes profiling. However, if the employee reviews and approves the segmentation before any emails are sent, the decision is not made solely by automated means. In this scenario, there is profiling, but no automated individual decision-making within the meaning of the FADP.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the laws in your jurisdiction include specific rules, requirement or regulator guidance regarding the use of cookies, pixels, online tracking and\/or targeted advertising? 
Please describe any restrictions on targeted advertising and\/or cross context behavioral advertising. How are these terms or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Although the FADP does not specifically name cookies or browser tracking technologies, their use falls within the scope of personal data processing if they collect identifiable user information. In addition to the FADP, the Swiss Federal Telecommunications Act (TCA) obliges website operators to inform users about their use of cookies (or similar techniques such as web-beacons) and the purpose of such use (Article 45c lit. b TCA). Swiss companies typically comply with this obligation by publishing a privacy and cookies policy on their website.<\/p>\n<p>Beyond this disclosure obligation, the Federal Data Protection and Information Commissioner (FDPIC) has published &#8220;Guidelines on Data Processing Using Cookies and Similar Technologies&#8221; (first issued January 2025; updated version October 2025), which apply in a technology-neutral manner to cookies, browser fingerprinting, pixels, and ID graphs. The guidelines distinguish between &#8220;necessary cookies&#8221; (e.g., login authentication, shopping baskets, language selection), which may be used without consent, and &#8220;non-essential cookies&#8221; (tracking, analytics, and marketing cookies), which are subject to stricter requirements.<\/p>\n<p>The FDPIC clarifies that explicit prior consent is required where cookies process sensitive personal data (Article 6 para. 7 FADP), where cookies are used for high-risk profiling (Article 6 para. 7 FADP), or where third-party cookies enable behavioural advertising or cross-site tracking. 
&#8220;High-risk profiling&#8221; arises when data are collected and combined across multiple sites or platforms (e.g., cross-site tracking, data enrichment, or systematic location tracking), and requires opt-in consent and, where appropriate, a data protection impact assessment (Article 22 FADP). For non-high-risk profiling within a single website, an opt-out mechanism suffices.<\/p>\n<p>Consent must be informed, specific, voluntary, and revocable. Merely continuing to surf does not constitute valid consent. Consent mechanisms must not employ dark patterns, and &#8220;Accept&#8221; and &#8220;Reject&#8221; options must be displayed with equal prominence. The guidelines also address &#8220;cookie paywalls&#8221; (pay-or-consent models), which are only lawful if the fee is proportionate to the potential revenue loss and does not undermine the fundamental right to data protection.<\/p>\n<p>For purely functional cookies strictly necessary to operate a website, consent is not required and an opt-out mechanism suffices, though disclosure remains advisable.<\/p>\n<p>In practice, Switzerland largely aligns with European standards. The FDPIC has itself acknowledged that its guidelines represent the closest possible approximation to European cookie law and the GDPR that remains compatible with the FADP. Websites accessible from the EU commonly implement cookie banners or consent management platforms that comply with both Swiss and EU rules.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically restrict or regulate  the \u201csale\u201d of personal data and\/or \u201cdata brokers\u201d? 
How is \u201csale\u201d and\/or \u201cdata broker\u201d or (similar\/related terms) defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the FADP, there is no explicit prohibition or specific regulation of the \u201csale\u201d of personal data, nor any statutory definition of \u201csale\u201d or \u201cdata broker\u201d (or equivalent terms). Rather than treating the commercial transfer of personal data as a distinct category, the FADP subjects any disclosure of personal data to a third party \u2013 whether for payment, in exchange for other benefits, or free of charge \u2013 to its general data processing framework. A \u201csale\u201d of personal data is therefore not singled out for stricter treatment. It must simply comply with the same principles and requirements as any other form of data disclosure.<\/p>\n<p>Entities that would commonly be described as data brokers are assessed under the FADP&#8217;s general role concepts \u2013 controller or processor \u2013 depending on the nature of their activities. A data broker that independently determines the purposes and means of collecting and trading personal data will typically qualify as a controller, bearing the full range of controller obligations under the FADP, including transparency duties towards data subjects and com.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically regulate or restrict marketing and electronic communications, including telemarketing\/telephone solicitations and \u2018robocalls\u2019, email marketing, SMS\/text messaging or other direct marketing? 
Please provide an overview.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>While the FADP and its general data protection principles apply to the processing of personal data within electronic advertising practices, the Swiss Federal Act on Unfair Competition (UCA) sets forth specific regulations that must be observed.<\/p>\n<p><strong>Direct Email or Text Messaging (SMS) Marketing<\/strong><\/p>\n<p>Mass mailing of advertising messages via telecommunications is primarily governed by Article 3 para. 1 lit. o UCA. In principle, mass advertising by email or SMS is only permissible with the recipients\u2019 prior voluntary and express consent (i.e., opt-in). For consent to be valid, recipients must have been adequately informed \u2013 in particular about the use of their email address for marketing purposes and their right to withdraw consent at any time. Each mass marketing email must also contain the sender\u2019s correct name, address, and email contact, and provide an easy, cost-free opt-out option (e.g., an unsubscribe link).<\/p>\n<p>As an exception, a recipient\u2019s consent is not required (i.e., opt-out) if (i) the recipient is a customer of the sender, (ii) the advertising concerns similar products or services of the sender, and (iii) upon the first collection of the recipient\u2019s contact information, the recipient was given the opportunity to object to its use for marketing purposes. Violation of the UCA\u2019s requirements constitutes unfair competition, which may lead to civil liability and criminal penalties. 
Affected recipients may also file a complaint with the Swiss State Secretariat for Economic Affairs (SECO).<\/p>\n<p><strong>Direct Marketing by Telephone<\/strong><\/p>\n<p>Under Swiss law, direct telephone marketing is generally permitted if the person has made their address and telephone number publicly accessible and the calls are not conducted aggressively (e.g., by repeatedly calling the same person). Article 3 para. 1 lit. u UCA prohibits advertising calls to recipients not listed in the Swiss telephone directory or marked with an asterisk (*) in the directory (i.e., opt-out). Furthermore, making advertising calls without displaying a telephone number that is listed in the directory and for which the caller has a right of use constitutes an act of unfair competition (Article 3 para. 1 lit. v UCA).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction regulate, restrict or impose specific obligations on the processing of biometric data, such as facial recognition? If so, how are the relevant terms defined? Are these obligations focused on the collection, use and processing of unique biometric \u2018identifiers\u2019 (rather than any sort of biometric measurements)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The FADP classifies \u201cbiometric data that uniquely identifies a natural person\u201d \u2013 facial recognition systems that extract and analyse facial features for identification or authentication fall into this category \u2013 as sensitive personal data (Article 5 lit. c FADP). 
This classification imposes additional restrictions, which are explained in more detail in the section regarding sensitive personal data under Q9.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any data protection laws in your jurisdiction that specifically address or apply to artificial intelligence or machine learning (\u201cAI\u201d)? If so, do these laws specifically apply to the processing of personal information related to AI, or more broadly?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>While artificial intelligence (AI) and machine learning are not explicitly addressed by the FADP, the FADP follows a technology-neutral approach, rendering it directly applicable to all AI-supported data processing. The Federal Data Protection and Information Commissioner (FDPIC) confirmed this position in a statement issued in November 2023 and reaffirmed it in May 2025. One of the most significant legal mechanisms impacting AI under the FADP is Article 21, which obliges data controllers to inform data subjects about decisions based solely on automated processing that produce legal effects or otherwise significantly affect them, and grants data subjects the right to express their views and to request that such decisions be reviewed by a natural person (see Q21). 
This provision is relevant to a wide range of AI-driven decision-making, including credit scoring, automated hiring systems, and algorithmic pricing.<\/p>\n<p>As regards dedicated AI legislation, the Swiss Federal Council decided on 12 February 2025 against introducing a Swiss equivalent of the EU AI Act, opting instead to ratify the Council of Europe&#8217;s Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law \u2013 which Switzerland signed on 27 March 2025 \u2013 and to amend Swiss law only where necessary and on a sector-specific basis. The Federal Council explicitly ruled out both a wholesale adoption of the EU AI Act and any broad \u201cSwiss finish\u201d, favouring instead targeted legislative adjustments in regulated sectors, with cross-sector rules limited to critical areas such as data protection. The Federal Department of Justice and Police (FDJP), together with other Federal Departments, has been mandated to prepare a public consultation proposal by the end of 2026 setting out the necessary sector-specific legislative adjustments, most notably in financial market regulation and areas currently under active discussion such as copyright law. The subsequent parliamentary process means that any resulting legislative amendments are unlikely to enter into force before 2029.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any data localization requirements in your jurisdiction?  
In other words, are there any circumstances where some or all personal data is required to be stored locally, or prohibited from being transferred to or stored in certain jurisdictions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Swiss law does not impose a general \u201cdata localisation\u201d requirement for personal data (i.e., personal data does not generally have to be stored in Switzerland). However, cross-border disclosure \u2013 which includes granting remote access from abroad \u2013 is restricted under the FADP and must satisfy the conditions for disclosure abroad as described in Q28 (i.e., disclosure to a jurisdiction recognised by the Federal Council as providing an adequate level of protection (as listed in Annex 1 to the FODP), or, failing that, reliance on safeguards such as recognised standard contractual clauses (SCC) or a statutory exception).<\/p>\n<p>In certain regulated sectors, separate legal\/regulatory regimes may have a de facto localizing or \u201crestricted-jurisdiction\u201d effect even where an FADP-compliant transfer mechanism exists. In particular, for regulated financial institutions, FINMA Circular 2018\/3 (\u201cOutsourcing \u2013 banks and insurers\u201d) is relevant to any outsourcing arrangement and (among other things) is designed to ensure that audit\/supervisory rights and oversight remain effective even for outsourcing abroad. 
In addition, FINMA Circular 2023\/1 (\u201cOperational risks and resilience \u2013 banks\u201d) strengthens governance and risk-management expectations around operational risks (including ICT\/cyber risks and handling of \u201ccritical data\u201d), which may in practice constrain where and how certain data sets and related services can be provided cross-border.<\/p>\n<p>Finally, depending on the data and context (e.g., information subject to professional secrecy or other sector-specific confidentiality regimes), organisations may choose Swiss-based hosting\/processing to manage confidentiality, access, and enforcement risk \u2013 even though this is not a general statutory data localisation rule under the FADP.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Is the transfer of personal data outside your jurisdiction restricted, under certain circumstances? If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism or notification to or authorization from a regulator?)<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Swiss data protection law places specific restrictions on cross-border transfers of personal data. Under the FADP, a cross-border transfer occurs when personal data is either transmitted to, or made accessible by, a recipient located outside Switzerland. Personal data may be transferred abroad only if the destination country ensures an adequate level of data protection based on its legislation (Article 16 para. 1 FADP). The Swiss Federal Council maintains a list of such countries in Annex 1 FODP. 
This list largely aligns with the European Commission\u2019s adequacy decisions; however, notable exceptions exist \u2013 Japan and South Korea have been granted adequacy status by the EU, but not yet by Switzerland.<\/p>\n<p>If the destination country does not offer an adequate level of data protection, transfers are only permitted where appropriate safeguards are in place pursuant to Article 16 para. 2 FADP, or where a statutory exception applies under Article 17 FADP. Appropriate safeguards include standard contractual clauses (SCCs) approved by the Federal Data Protection and Information Commissioner (FDPIC) \u2013 such as the post-Schrems II EU SCCs with Swiss-specific adaptations \u2013 and binding corporate rules (BCRs). In practice, Swiss companies frequently rely on SCCs as the primary mechanism for securing cross-border transfers.<\/p>\n<p>In line with the CJEU\u2019s Schrems II decision (Case C-311\/18, July 2020), Swiss data exporters are also expected to conduct a data transfer impact assessment (DTIA) to evaluate whether the legal framework of the recipient country undermines the protections provided by the SCCs. Where risks are identified, supplementary measures may be required to ensure an equivalent level of data protection.<\/p>\n<p>Specifically with respect to data transfers to the United States, the Swiss Federal Council has recognised the Swiss-U.S. Data Privacy Framework (DPF) as providing an adequate level of protection for Swiss personal data, but only for U.S. organisations self-certified under the Swiss\u2013U.S. DPF. This adequacy determination facilitates transfers to certified U.S. entities without additional safeguards.<\/p>\n<p>However, the continued viability of the DPF is subject to considerable uncertainty. 
Developments at the US federal level since early 2025 \u2013 including changes to the composition and functioning of the Privacy and Civil Liberties Oversight Board (PCLOB), a key redress mechanism underpinning the adequacy finding \u2013 have raised significant questions about whether the safeguards on which the Swiss-US DPF relies remain effective. Both the European Commission (in respect of the EU-US DPF) and the FDPIC (in respect of the Swiss-US DPF) are monitoring the situation closely. Against this backdrop, organisations are strongly recommended not to rely on the DPF as a sole transfer mechanism and to implement backup solutions \u2013 such as SCCs with the necessary Swiss-specific adaptations \u2013 to ensure continuity of lawful data transfers in the event that the DPF is suspended or invalidated with immediate effect.<\/p>\n<p>For transfers to U.S. entities that are not certified under the Swiss-U.S. DPF, organisations must rely on alternative safeguards (such as SCCs with the necessary Swiss-specific adaptations) and conduct a DTIA.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What personal data security obligations are imposed by the data protection laws  in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the FADP, data controllers and processors are required to implement appropriate personal data security measures. Article 8 FADP establishes a general obligation to ensure the confidentiality, availability and integrity of personal data by adopting suitable technical and organisational measures (TOMs). These measures must be proportionate to the risks associated with the data processing activities. 
Minimum security requirements are further specified in Article 3 FODP.<\/p>\n<p>While the FADP does not prescribe specific technologies or controls, it adopts a principles-based, risk-oriented approach. In practice, organisations are expected to implement access controls, encryption, secure data storage and transmission protocols, regular data integrity checks, backup and recovery procedures, and other industry-standard practices.<\/p>\n<p>When a data controller engages a data processor, the data processing agreement (DPA) must obligate the processor to implement appropriate TOMs and to promptly notify the controller in the event of a personal data breach (see Q20). In January 2024, the FDPIC published an updated \u201cGuide to Technical and Organisational Data Protection Measures (TOM)\u201d, aimed at supporting companies in assessing and implementing appropriate TOMs under the FADP.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there more specific security obligations for certain types of personal data (e.g., sensitive data or special categories of personal data)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Swiss law does not establish a separate, prescriptive \u201cenhanced security\u201d regime solely on the basis that data qualifies as sensitive. 
Instead, the FADP and the FODP follow a risk-based approach, under which the qualification of the data (including whether it qualifies as \u201cparticularly sensitive\u201d personal data) is a key factor in determining the appropriate level of protection and the corresponding technical and organisational measures (TOM).<\/p>\n<p>Consistent with that approach, the FODP contains specific additional minimum measures in higher-risk scenarios, notably mandatory logging where particularly sensitive personal data is processed automatically on a large scale (or when high-risk profiling is carried out) as well as an obligation to maintain a processing regulation for automated processing in those scenarios. In regulated sectors (e.g., banking), supervisory expectations around the handling of client data and operational risk management may, in practice, require more stringent controls than the baseline FADP requirements.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction impose obligations in the context of security breaches which impact personal data? If so, how do such laws define a security breach (or similar term) and under what circumstances and within what timeframe must such a breach be reported to regulators, impacted individuals, law enforcement, or other persons or entities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In the FADP, the term &#8220;data security breach&#8221; is defined as any breach of security resulting in the accidental or unlawful loss, deletion, destruction or alteration of personal data or the disclosure of or access to personal data by unauthorised persons (Article 5 lit. 
h).<\/p>\n<p>In the event of a data breach that is likely to result in a high risk to the personality or fundamental rights of affected individuals, Article 24 FADP requires data controllers to notify the Federal Data Protection and Information Commissioner (FDPIC) as soon as possible \u2013 though the FADP does not impose a fixed 72-hour deadline as under the EU GDPR. Where necessary for their protection, or upon request by the FDPIC, the controller must also inform the affected data subjects (Article 24 para. 4 FADP). Processors are separately required to notify the relevant controller of any data security breach as quickly as possible, which in turn triggers the controller&#8217;s own assessment and reporting obligations (Article 24 para. 3 FADP).<br \/>\nArticle 15 of the Data Protection Ordinance (DPO) specifies the content of the notification to the FDPIC, which must include the nature of the breach, its timing, duration and extent, its effects on data subjects, and the measures taken or planned. Where not all information is immediately available, details may be reported subsequently.<\/p>\n<p>The FDPIC has also published &#8220;Guidelines on reporting data security breaches and informing data subjects in accordance with Article 24 FADP&#8221; (February 2025), which provide guidance on assessing the &#8220;likely high risk&#8221; threshold. Relevant factors include the sensitivity of the data concerned, the nature and circumstances of the breach, and the number of affected individuals.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction establish specific rights for individuals, such as the right to access and the right to deletion? 
If so, please provide a general description of such rights, how they are exercised, and any exceptions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The FADP establishes several specific rights for individuals regarding their personal data (while largely aligned with the EU GDPR in substance, the FADP tends to be less prescriptive and more flexible in its implementation), such as:<\/p>\n<p><strong>&#8211; Right to access:<\/strong> Under Article 25 para. 1 FADP, data subjects may request confirmation from a controller as to whether their personal data is being processed. If so, the controller must provide, at minimum: (i) the identity and contact details of the controller, (ii) the personal data being processed, (iii) the purposes of the processing, (iv) the retention period or, if not available, the criteria used to determine it, (v) the source of the data if not obtained directly from the data subject, (vi) the existence of any automated individual decision-making and the logic involved, and (vii) the recipients or categories of recipients to whom personal data is disclosed, if applicable, including, if abroad, their countries of residence or domicile and safeguards applied or exceptions relied upon. As a rule, requests are made in writing, and controllers are generally required to respond within 30 days, although this may be extended. Controllers may refuse, restrict, or delay access under Article 26 FADP in cases where disclosure is restricted by Swiss law (e.g., professional secrecy), would affect overriding third-party interests, or the request is clearly unjustified (e.g., abusive or frivolous). 
Private controllers may also limit access based on their own overriding interests, provided the data is not disclosed to third parties.<\/p>\n<p><strong>&#8211; Right to rectification:<\/strong> Data subjects may request the correction of inaccurate personal data under Article 32 para. 1 FADP, unless such rectification is prohibited by law, or the data is processed solely for archiving purposes in the public interest.<\/p>\n<p><strong>&#8211; Right to erasure \/ \u201cto be forgotten\u201d:<\/strong> The right to erasure is incorporated into the right to object under Article 30 para. 2 lit. b FADP (in conjunction with Article 32 para. 4 FADP). A controller may refuse deletion of data where legal retention obligations or overriding public or private interests apply, in accordance with Article 31 FADP.<\/p>\n<p><strong>&#8211; Right to object:<\/strong> Data subjects have the right to object to the processing of their personal data (opt-out) under Article 30 para. 2 lit. b FADP. Controllers may however continue processing where necessary to fulfil legal obligations, contractual duties, or to protect overriding public or private interests as defined in Article 31 FADP.<\/p>\n<p><strong>&#8211; Right to data portability:<\/strong> According to Article 28 FADP, data subjects may request a copy of their personal data in a commonly used electronic format (one that permits transmission and reuse by the data subject or another controller), provided the data is processed automatically and based on either the data subject\u2019s consent or a contractual relationship between the controller and the data subject. Where these conditions are met and the request does not entail a disproportionate effort, the data subject may also request the direct transfer of their personal data to another controller. 
According to the FODP, such a copy must generally be provided within 30 days of receipt of the request, although this may be extended.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction allow or provide for a private right of action for violations?  If so, does your jurisdiction also allow \u201cclass action\u201d litigation (i.e., on behalf of a class or (\u2018many\u2019) claimants)? Please explain under what circumstances in which a private right of action applies and\/or a class action may be brought, and whether types of claims\/violations present a higher risk of a private right of action or class action (e.g., are there statutory damages or presumed harm for certain violations)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, Swiss data protection law provides individuals with a private right of action to seek judicial redress through a combination of injunctive, corrective, and compensatory remedies in cases where their rights under the FADP have been infringed. Under Article 32 para. 2 FADP, data subjects may bring civil claims before the competent courts if their personality rights have been violated due to unlawful processing of their personal data.<\/p>\n<p>The relevant provisions of the Swiss Civil Code (specifically Articles 28, 28a, and 28g to 28l) establish the general legal framework for protecting personality rights, which includes the right to privacy. The remedies available through civil action are broad. 
Affected individuals may request a court to (i) prohibit or suspend certain data processing activities, (ii) mandate the deletion or destruction of unlawfully processed personal data or order the correction of inaccurate data, (iii) seek compensatory damages for financial loss, (iv) claim compensation for pain and suffering, such as emotional distress or reputational damage, although Swiss courts grant such compensation only with considerable restraint, and (v) in some cases, seek the disgorgement of profits unlawfully obtained through misuse of personal data.<\/p>\n<p>Legal proceedings must be initiated before the competent civil court, and the burden of proof generally lies with the claimant.<\/p>\n<p>Swiss law does not currently provide for class actions in data protection cases, so each individual must bring their own claim, though coordinated proceedings are possible when multiple individuals are affected by the same issue. While the Federal Data Protection and Information Commissioner (FDPIC) can investigate data protection violations and issue corrective orders, it does not have the authority to award damages. Therefore, the private right of action serves as the principal legal avenue for individuals seeking financial or injunctive relief for harm caused by violations of their data protection rights.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are individuals entitled to monetary damages or compensation if they are affected by breaches of data protection law? 
Does the law require actual and material damage to have been sustained, or is non-material injury to feelings, emotional distress or similar sufficient for such purposes?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The FADP allows affected individuals to pursue claims through the civil courts for both material damage and non-material injury resulting from unlawful processing of their personal data, as well as disgorgement of profits obtained through such processing.<\/p>\n<p>The legal basis for such claims is found in Article 32 para. 2 FADP, which refers to the general protection of personality rights under the Swiss Civil Code, specifically Articles 28, 28a, and 28g\u201328l. These provisions allow individuals to seek redress when a violation of their personality rights (as manifested in the right to privacy) has caused them harm.<\/p>\n<p>Swiss law recognises two types of compensation:<\/p>\n<p><strong>&#8211; Compensatory damages for material (economic) loss:<\/strong> Individuals may claim compensation for financial loss resulting from a breach of data protection obligations.<\/p>\n<p><strong>&#8211; Compensation for pain and suffering:<\/strong> Swiss courts may also award compensation for non-economic harm, including emotional distress, reputational damage, anxiety, or infringement of personal dignity.<\/p>\n<p>In practice, however, Swiss courts take a restrictive approach to awarding compensation for pain and suffering. Such compensation is typically granted only in cases where the non-material harm is serious, specific, and clearly substantiated. 
This cautious application reflects broader trends in Swiss tort law, which sets a relatively high threshold for awarding compensation for emotional or reputational injury.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are data protection laws in your jurisdiction typically enforced? What regulatory body(ies) have enforcement authority?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The principal body responsible for overseeing compliance is the Federal Data Protection and Information Commissioner (FDPIC). Specifically, the FDPIC is authorized to:<\/p>\n<p><strong>&#8211; Conduct investigations and audits:<\/strong> The FDPIC may initiate inspections or inquiries, either proactively or in response to complaints from data subjects or data breach notifications. Investigations involve assessing whether entities or federal bodies comply with their obligations related to processing personal data.<\/p>\n<p><strong>&#8211; Issue binding decisions and administrative measures:<\/strong> Following an investigation, the FDPIC can issue binding rulings, prohibitions, or instructions to stop specific data-processing activities that violate the law, to delete data in whole or in part or to notify individuals about data breaches reported to the FDPIC (Article 49 para. 1 and Article 51 paras. 1 and 3 FADP). 
Such measures are enforceable, and entities and federal bodies are required to comply.<\/p>\n<p><strong>&#8211; Recommend corrective actions:<\/strong> In addition to enforcement actions, the FDPIC often provides guidance to organisations on how to rectify identified violations and comply with data protection standards.<\/p>\n<p>However, unlike under the EU GDPR, where data protection authorities have the power to directly impose administrative fines, the FDPIC does not have this sanctioning authority under the FADP. Instead, if an investigation conducted by the FDPIC reveals indications of a criminal offence, the FDPIC may refer the matter to the competent criminal prosecution authorities for further action (see Q36).<\/p>\n<p>The supervision of personal data processing by municipal and cantonal bodies falls within the responsibility of the cantonal data protection supervisory authorities.<\/p>\n<p>Furthermore, data subjects who suffer harm due to breaches of their data protection rights have the option to enforce their rights directly through civil courts (see Q34 and Q36). Such civil remedies can run parallel to enforcement actions taken by the FDPIC.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction?  
Are there any guidelines or rules for the calculation of such fines or the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The most serious violations \u2013 such as failure to provide adequate information to data subjects, breaches of access rights, non-compliance with cross-border data transfer rules or failing to comply with minimum data security standards \u2013 can result in criminal fines of up to CHF 250,000 for the individual responsible (Articles 60 et seqq. FADP). These sanctions apply only in cases of intentional breaches. Negligent acts are not punishable.<\/p>\n<p>In contrast to the EU GDPR, where administrative fines are imposed on the organisation itself, the FADP places criminal liability primarily on natural persons who intentionally breach specific data protection obligations. Only where the identity of the responsible individual cannot be determined without disproportionate investigative effort does the law allow a fine of up to CHF 50,000 to be levied against the company (Article 64 para. 1 FADP).<\/p>\n<p>Civil courts may award damages to affected data subjects and grant injunctive relief to stop unlawful processing (see Q34). Additionally, individuals can seek restitution of profits derived from breaches and request the publication of judgments.<\/p>\n<p>At present, Switzerland does not have an equivalent to the EU GDPR\u2019s fine guidance from the European Data Protection Board (EDPB) or any other rules or guidelines specific to the FADP regarding how fines or thresholds for sanctions are to be determined. 
Enforcement relies on general criminal law principles and case-by-case judicial discretion.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to  appeal in your jurisdiction? If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Binding decisions of the FDPIC can be appealed to the Federal Administrative Court. The appeal must generally be filed within 30 days of notification of the decision. The Federal Administrative Court will assess whether the decision complies with federal law and can either uphold, amend, or annul the decision. Appeals against decisions of the Federal Administrative Court may be lodged with the Federal Supreme Court by the appellant and the FDPIC (Article 52 para. 3 FADP).<\/p>\n<p>Binding decisions of cantonal data protection supervisory authorities can typically be appealed to the cantonal administrative courts in accordance with local cantonal laws.<\/p>\n<p>Criminal convictions and fines imposed by cantonal criminal courts can be appealed to a higher cantonal court. Further appeals from the higher cantonal court to the Federal Supreme Court may be brought within a deadline of usually 30 (and in exceptional cases only 10) days of notification of the decision, but only on matters of federal law or constitutional rights.<\/p>\n<p>Judgments from cantonal civil courts can generally be appealed to a higher cantonal court. 
If the amount in dispute exceeds CHF 30,000, or the case involves legal questions of fundamental importance, further appeals may be submitted to the Federal Supreme Court.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the implementation of specific cybersecurity risk management measures and\/or require that organisations take specific actions relating to cybersecurity? If so, please provide an overview of these obligations and explain their scope\/applicability. For example, are all organizations subject to the requirement or only to certain organizations (e.g., based on size, sector, critical infrastructure designation, public company)? Are there specific and\/or additional regulations for different industries (e.g., finance, healthcare, government)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Switzerland mandates specific risk management measures, particularly in regulated sectors and for operators of critical infrastructure.<\/p>\n<p>Under the FADP, any private organisation and federal body processing personal data is obliged to take appropriate, risk-based data security measures (see Q29). These include safeguards against unauthorised access and data loss, and typically involve access controls, encryption, system updates, staff training, and contingency planning.<\/p>\n<p>The Information Security Act (ISA) establishes information security obligations primarily for federal authorities and certain organisations entrusted with federal tasks or connected to the Confederation. 
Separately, an amendment to the ISA that entered into force on 1 April 2025 introduced a mandatory cyber incident reporting regime for operators of designated critical infrastructures: since that date, operators of critical infrastructure \u2013 spanning sectors such as finance, energy, healthcare and telecommunications \u2013 are legally required to report cyberattacks to the National Cyber Security Centre (NCSC). Initial reports must be filed within 24 hours of discovery. In parallel, authorities and organisations directly subject to the ISA must establish and maintain an information security management system (ISMS) proportionate to their risks. The ISMS must cover governance, risk assessment, technical and organisational measures, and incident management (see Q42 for reporting mechanics).<\/p>\n<p>The Swiss Financial Market Supervisory Authority (FINMA) imposes detailed cybersecurity requirements on financial institutions, including obligations to implement information and communications technology (ICT) risk management and operational resilience frameworks, conduct testing, use strong authentication, maintain incident response capabilities, and report serious incidents. These are set out in FINMA Circulars such as 2023\/1 (Operational risks and resilience) and 2018\/3 (Outsourcing). FINMA has clarified that supervised institutions must submit an initial notification of cyberattacks of substantial importance within 24 hours of discovery (FINMA Guidance 03\/2024, building on Guidance 05\/2020) (see Q42).<\/p>\n<p>The healthcare sector is another focus area. The NCSC has published sector guidance and minimum good practice recommendations (e.g., hardening and patch management, log monitoring, and email security controls). 
In addition, specific regulatory requirements apply in healthcare, including mandatory certification for electronic patient record (EPR) providers under the Federal Act on the Electronic Patient Record (EPRA), cybersecurity obligations for medical devices under the Medical Devices Ordinance (MedDO), and technical safeguards for health-related data under the Human Research Act (HRA) and Human Research Ordinance (HRO). Healthcare entities must report certain incidents to the Federal Office of Public Health (FOPH) or, in the case of medical devices, to Swissmedic (see Q42).<\/p>\n<p>In the telecommunications sector, providers are subject to cybersecurity related obligations under the Telecommunications Act (TCA), including duties to ensure the security and availability of networks and services. The Ordinance on Telecommunications Installations (TIO) and the Ordinance on Internet Domains (OID) impose additional cybersecurity requirements, including the obligation for registries to block malicious domains. Telecommunications service providers must immediately report faults or incidents affecting at least 10,000 customers to the National Emergency Operations Centre (NEOC) (see Q42).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose formal cybersecurity audit or certification requirements? If so, please provide an overview.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Swiss law does not impose a cross-sector obligation to undergo a formal, periodic external cybersecurity audit or to obtain a cybersecurity certification as a general condition for lawful processing or operation. 
Rather, the baseline approach is risk-based: organisations must implement appropriate technical and organisational measures (TOMs) and must review and adapt them over time, but Swiss law does not generally prescribe a specific audit cadence or mandate a particular certification scheme.<\/p>\n<p>That said, sector-specific regimes can create de facto audit and testing obligations:<\/p>\n<p>In the financial sector, FINMA supervision is built around a regulatory audit model involving external audit firms, and cyber and ICT risks are an explicit supervisory focus, which in practice can result in structured audit coverage and supervisory reviews of ICT and cyber controls even if not framed as a general \u201ccybersecurity certification\u201d obligation.<\/p>\n<p>In the electricity sector, operators of generation, transmission, or distribution installations above defined thresholds must comply with a mandatory ICT minimum standard and implement measures corresponding to their protection category (commonly described by reference to Annex 1a of the Electricity Supply Ordinance (StromVV)). Compliance is monitored through a graduated framework that typically includes annual self-assessments using an assessment tool, regulatory engagement measures (including awareness meetings and, where warranted, on-site visits), and technical audits where irregularities are identified; obligated undertakings are expected to be able to demonstrate attainment of the applicable protection level on request.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose specific requirements regarding vendor and supply chain management? 
If so, please provide details of these requirements.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the FADP, organisations that delegate data processing to third-party processors must ensure that the processor provides sufficient guarantees of data security (see Q20 and Q29). This means that processors must be selected and monitored based on their ability to guarantee appropriate security standards. While the law does not spell out exact cybersecurity requirements for suppliers, it effectively imposes a duty of diligence in supply chain management.<\/p>\n<p>Further cybersecurity-related supply chain requirements primarily arise from sector-specific regulations and strategic policies that emphasise risk-based governance and third-party oversight.<\/p>\n<p>For financial institutions, the Swiss Financial Market Supervisory Authority (FINMA) imposes binding obligations to manage risks associated with outsourcing and third-party providers. FINMA Circular 2018\/3, which governs outsourcing arrangements, requires regulated entities to retain full control over outsourced functions and to maintain comprehensive oversight of third-party service providers. This includes obligations to assess the cybersecurity posture of vendors, define clear responsibilities in contracts, ensure access and audit rights, and implement contingency planning to mitigate service interruptions. Moreover, FINMA Circular 2023\/1 on operational risks stresses the need to monitor third-party risk as an integral component of information and communications technology (ICT) governance. 
It requires institutions to integrate suppliers into their risk assessments, ensure their participation in incident response planning, and assess their adherence to security standards throughout the lifecycle of the relationship.<\/p>\n<p>More broadly, the National Cyberstrategy (NCS) emphasises the resilience of national infrastructure, including its dependency on secure and reliable supply chains. Although this strategy is non-binding for private companies outside regulated sectors, it sets the tone for expected best practices. Since 1 April 2025, operators of critical infrastructure have been legally required to report serious cyberattacks to the National Cyber Security Centre (NCSC) \u2013 this implies a growing emphasis on managing supplier-related risks as part of national security interests. Further, when cooperating with third parties not subject to the ISA, federal authorities and organisations subject to the ISA must ensure that legal requirements are met during both the commissioning and the execution of tasks. Security measures must be specified contractually (Article 9 ISA).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the appointment of a chief information security officer, regulatory point of contact, or other person responsible for cybersecurity? 
If so, please provide an overview of the requirement, including whether there are any formalities that must be observed regarding such appointment (e.g., board-approval, reporting line structure, notification to regulatory body).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>While Swiss law does not universally require companies to appoint a Chief Information Security Officer (CISO), certain regulated sectors are expected to designate a person or function responsible for cybersecurity governance and oversight.<\/p>\n<p>In the financial sector, the Swiss Financial Market Supervisory Authority (FINMA) mandates that supervised entities implement a structured information and communications technology (ICT) risk management framework. Under FINMA Circular 2023\/1, this includes clearly assigning responsibilities for information security, typically fulfilled by a CISO or equivalent role. Responsibilities include overseeing the development of security policies, coordinating incident response, managing ICT risks, and reporting significant security issues to executive management and FINMA.<\/p>\n<p>Similarly, operators of critical infrastructure under the Information Security Act (ISA) must have internal structures and competencies in place to detect, manage, and communicate cyber incidents. While the law does not explicitly require appointing a CISO or point of contact, compliance with these obligations typically necessitates assigning such responsibilities to a designated individual or team capable of interacting with the NCSC and ensuring internal readiness.<\/p>\n<p>More specifically, Article 81 ISA requires certain public authorities and organisations \u2013 such as the Federal Council and the Swiss National Bank \u2013 to appoint a CISO. 
Their responsibilities include advising and supporting the responsible entities within their area in fulfilling their duties and obligations under the ISA. They are also tasked with managing the information security function and the associated risk management on behalf of their authority or organisation. Additionally, they monitor compliance with information security requirements, report their findings, propose necessary measures, and may report security-related incidents to the NCSC.<\/p>\n<p>For companies outside these sectors, there is no statutory requirement to appoint a specific individual responsible for cybersecurity. However, in practice, many Swiss companies \u2013 especially medium to large enterprises \u2013 appoint a CISO or equivalent to meet both compliance and operational expectations. This individual is often responsible for developing internal security policies, ensuring staff training, conducting risk assessments, and serving as a liaison with regulators or authorities in the event of a cyber incident.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose specific reporting or notice obligations in the context of cybersecurity incidents?  
If so, how do such laws define a cybersecurity incident and what are the reporting and notification requirements (please also note whether these laws require reporting of certain cyber security incidents, regardless of whether there has been a \u2018breach of personal data\u2019)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the Information Security Act (ISA), whose mandatory reporting provisions came into force on 1 April 2025, operators of critical infrastructure are required to report cyberattacks on their information systems to the National Cyber Security Centre (NCSC) within 24 hours of discovery, provided the cyberattack has serious consequences (Articles 74d and 74e ISA).<\/p>\n<p>The ISA defines a cyberattack as a cyber incident that was triggered intentionally. A cyber incident, in turn, is an event in the use of information systems that compromises the confidentiality, availability or integrity of information, or the traceability of its processing.<\/p>\n<p>A cyberattack must, however, only be reported if it (i) jeopardises the functioning of the critical infrastructure concerned (for example, employees or third parties are affected by system disruptions, or the affected organisation or authority can only maintain its operations by falling back on emergency plans), (ii) has led to the manipulation or leakage of information (business-relevant information has been viewed, altered or disclosed by unauthorised parties, or the incident constitutes a data security breach notifiable under the FADP), (iii) remained undetected over an extended period (more than 90 days), especially where there are indications that it was carried out to prepare further cyberattacks, or (iv) is associated with extortion, threats or coercion.<\/p>\n<p>The report must include the type and execution of the cyberattack, the impact of the cyberattack, the measures taken, and the planned further actions, if known (Article 74e 
ISA).<\/p>\n<p>In the financial sector, institutions supervised by the Swiss Financial Market Supervisory Authority (FINMA) must notify FINMA of cyberattacks that are of substantial supervisory importance within 24 hours of detection and conduct an initial assessment of the incident\u2019s criticality, in accordance with Article 29 para. 2 of the Financial Market Supervision Act (FINMASA) and FINMA Guidance 03\/2024 and Guidance 05\/2020. The full report must then be submitted within 72 hours via the FINMA web-based survey and application platform (EHP). These reports help supervisors assess sector-wide risks and can trigger audits or additional oversight.<\/p>\n<p>Additionally, under Article 96 of the Ordinance on Telecommunications Services (OTS), telecommunications service providers must immediately report any faults \u2013 including cybersecurity incidents \u2013 in telecommunications infrastructure or services that could impact at least 10,000 customers to the National Emergency Operations Centre (NEOC).<\/p>\n<p>In the healthcare sector, specific reporting obligations apply to providers of electronic patient records (EPR), which must report incidents classified as security-relevant to the Federal Office of Public Health (FOPH). Similarly, manufacturers of medical devices must report any serious incidents involving a medical device made available in Switzerland to Swissmedic, if the incident in question occurred in Switzerland (Article 66 Medical Devices Ordinance). Outside of these formal obligations, the NCSC encourages voluntary reporting and participation in public-private information exchange platforms.<\/p>\n<p>Finally, under the FADP, companies must notify the Federal Data Protection and Information Commissioner (FDPIC) of personal data breaches (see Q31). 
While this pertains specifically to personal data breaches rather than broader cybersecurity threats, it reinforces the overall expectation of transparency and accountability following security incidents.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Can individuals bring a private right of action for cybersecurity incidents or other violations of cybersecurity laws? If so, does your jurisdiction also allow \u201cclass action\u201d litigation (i.e., on behalf of a class or (\u2018many\u2019) claimants)? Please explain under what circumstances a private right of action and\/or a class action may be brought.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Individuals can bring private civil claims in Switzerland following a cybersecurity incident, but typically not as a standalone \u201ccybersecurity law\u201d claim. In practice, claims are usually based on general civil law causes of action, in particular personality rights protection (injunction\/cessation and declaratory relief) and, where quantifiable loss can be shown, tort-style civil liability claims for damages (often with a high evidentiary burden on loss and causation).<\/p>\n<p>Switzerland generally does not allow U.S.-style class actions (especially not broad, opt-out damages class actions). 
Collective redress is limited and tends to focus on narrower mechanisms (e.g., certain association actions for injunctive\/declaratory relief, or procedural coordination\/aggregation only in specific circumstances), so cyber incidents are most commonly pursued individually rather than through a single class proceeding.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are cybersecurity laws in your jurisdiction typically enforced? What regulatory body(ies) have enforcement authority?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In the area of national cyber resilience, the National Cyber Security Centre (NCSC) coordinates responses to cyber threats, especially those involving critical infrastructure operators. Since 1 April 2025, these operators are legally required to report serious cyber incidents to the NCSC within 24 hours of discovery (see Q42). Failure to report or cooperate can result in administrative consequences and increased regulatory scrutiny. Although the NCSC itself is not an enforcement authority in the traditional sense, it plays a key role in providing information, facilitating escalation, and coordinating responses across relevant federal and cantonal authorities.<\/p>\n<p>For regulated sectors such as banking and insurance, the Swiss Financial Market Supervisory Authority (FINMA) plays a central enforcement role. It monitors compliance with cybersecurity obligations through audits, supervisory reviews, and incident reporting requirements. 
When a financial institution suffers a cyber incident or demonstrates deficiencies in information and communications technology (ICT) risk management, FINMA may investigate, require remedial action plans, impose restrictions on operations, or, in serious cases, initiate enforcement proceedings. These proceedings can result in public reprimands, orders requiring the institution to restore compliance with the law, bans on board or management members from exercising their functions at a supervised institution, or \u2013 as a measure of last resort (ultima ratio) \u2013 licence withdrawal.<\/p>\n<p>For personal data breaches, the Federal Data Protection and Information Commissioner (FDPIC) is responsible for enforcement under the FADP (see Q35).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What powers of oversight \/ inspection \/ audit do regulators have in your jurisdiction under cybersecurity laws.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Swiss regulators have significant oversight and inspection authority in relation to cybersecurity compliance, particularly within regulated sectors such as finance and critical infrastructure. The Swiss Financial Market Supervisory Authority (FINMA) holds extensive audit and investigative powers over banks, insurers, and other supervised entities. Under its supervisory framework, FINMA can conduct on-site inspections, review internal documentation and information and communications technology (ICT) risk management processes, and demand access to security policies, audit reports, penetration test results, and records of cyber incidents. 
FINMA may also mandate external audits through licensed audit firms, issue formal orders for remediation, and require institutions to demonstrate compliance with its Circulars setting forth cybersecurity and outsourcing requirements. In more serious cases, it can initiate enforcement proceedings (see Q44).<\/p>\n<p>The Federal Data Protection and Information Commissioner (FDPIC) exercises supervisory authority under the FADP. It may initiate investigations on its own initiative (ex officio) or in response to complaints and assess the adequacy of the technical and organisational measures (TOMs) implemented by controllers or processors (see Q35). Where the FDPIC determines that minimum security measures have not been implemented, it may refer suspected criminal violations to the competent prosecution authorities.<\/p>\n<p>For critical infrastructure operators, the National Cyber Security Centre (NCSC) plays a central role in monitoring and coordinating responses to cyber threats. While the NCSC does not carry enforcement authority in the traditional sense, it oversees the mandatory cyber incident reporting regime introduced in April 2025. The NCSC may conduct follow-up assessments, request technical details and logs related to reported incidents, and advise on improvements to security posture. Failure to cooperate may trigger involvement from other authorities or lead to reputational and compliance consequences.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violations of cybersecurity laws in your jurisdiction? What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction?  
Are there any guidelines or rules for the calculation of such fines or the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Sanctions for cybersecurity law violations in Switzerland stem primarily from the FADP, sector-specific regulations such as those imposed by the Swiss Financial Market Supervisory Authority (FINMA), and the Information Security Act (ISA).<\/p>\n<p>Under the FADP, individuals may face criminal sanctions for wilful violations of certain data protection-related obligations (see Q36).<\/p>\n<p>In the financial sector, FINMA has the power to take administrative enforcement measures rather than impose fines. These include the confiscation of profits, the issuance of binding orders, public reprimands, the appointment of an independent monitor, orders requiring the institution to restore compliance with the law, bans on board or management members from exercising their functions at a supervised institution, or \u2013 as a measure of last resort (ultima ratio) \u2013 licence withdrawal (see Q44). While FINMA does not levy fines, its actions can significantly disrupt business operations and lead to loss of client trust.<\/p>\n<p>For critical infrastructure operators, who have been subject to mandatory cyber incident reporting under the ISA since 1 April 2025, failure to report or cooperate with the National Cyber Security Centre (NCSC) may initially result in increased scrutiny, regulatory escalation, and potential liability under sector-specific legislation. As of 1 October 2025, persistent failure to report \u2013 following expiry of two deadlines set by the NCSC \u2013 can result in fines of up to CHF 100,000 (Articles 74g and 74h ISA). 
Nevertheless, the NCSC\u2019s 2025 annual report notes that organisations subject to the reporting obligation are taking the new regulation seriously and fulfilling their responsibility for national cybersecurity. As a result, no fines were imposed in 2025.<\/p>\n<p>Failure by telecommunications service providers to comply with their reporting obligations under Article 96 Ordinance on Telecommunications Services (OTS) \u2013 including the duty to report faults, such as cybersecurity incidents, that could affect at least 10,000 customers to the National Emergency Operations Centre (NEOC), or to publish related information on a publicly accessible website \u2013 may result in fines of up to CHF 5,000 (Article 53 Telecommunications Act (TCA)).<\/p>\n<p>At present, Swiss law does not provide specific or formulaic rules for calculating fines or establishing clear thresholds for sanctions related to cybersecurity violations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to appeal in your jurisdiction? If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, enforcement decisions in Switzerland are open to appeal, depending on the authority involved and the legal basis of the decision.<\/p>\n<p>With regard to the Information Security Act (ISA) and obligations to report cyber incidents to the National Cyber Security Centre (NCSC), the NCSC may issue a binding decision. Such decisions are subject to appeal through administrative objection proceedings. If the matter is not resolved at that stage, it may be challenged before the Federal Administrative Court. 
As a final instance, an appeal to the Federal Supreme Court is possible if legal issues are at stake.<\/p>\n<p>In the context of data protection, decisions issued by the Federal Data Protection and Information Commissioner (FDPIC) may be appealed to the Federal Administrative Court. A further appeal to the Federal Supreme Court is possible, but only on limited legal grounds. See Q37.<\/p>\n<p>For entities supervised by the Swiss Financial Market Supervisory Authority (FINMA), enforcement actions can also be appealed to the Federal Administrative Court. The appeal must generally be filed within 30 days of notification. The Court reviews whether FINMA\u2019s decision violates federal law, whether the legally relevant facts were established correctly and completely, and whether the measures taken are appropriate. A further appeal to the Federal Supreme Court, whose power of review is limited to legal issues, is possible.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t<\/ol>\r\n<\/div>"}}}