
Swiss Data Protection Overview (nFADP/nLPD)

What Changed in Swiss Data Protection

Switzerland's new Federal Act on Data Protection (nFADP/nLPD, nouvelle Loi fédérale sur la protection des données) came into effect on September 1, 2023, replacing the previous Data Protection Act (DPA) of 1992.

Key Changes from Old DPA to nFADP

| Area | Old DPA (1992) | New nFADP (2023) |
|---|---|---|
| Scope | Only legal entities | Individuals and legal entities |
| Consent | Implied consent often sufficient | Explicit consent required for sensitive data |
| Data Breach | No mandatory notification | 72-hour notification to FDPIC |
| Penalties | CHF 10,000 maximum | CHF 250,000 maximum |
| Territorial | Swiss companies only | Extraterritorial application |
| Rights | Limited individual rights | Enhanced rights (portability, erasure) |

Why This Matters for Website Owners

The nFADP significantly expands when explicit consent is required and introduces substantial penalties for non-compliance. Many websites that previously operated without consent banners now require them.

You must implement a consent solution when your website does any of the following:

1. Third-Party Services & External Scripts

✅ Requires Consent:
• Google Analytics, Google Ads, Facebook Pixel
• YouTube embeds, Vimeo embeds
• Social media widgets (Facebook Like, Twitter Share)
• Live chat services (Intercom, Zendesk)
• CDN-hosted web fonts with tracking
• Marketing automation tools (HubSpot, Mailchimp)

⚠️ Gray Areas (Best Practice: Get Consent):
• Essential CDNs (jQuery, Bootstrap) without tracking
• Security services (reCAPTCHA) - functional necessity
• Payment processors (Stripe, PayPal) - transaction necessity

2. Profiling and Behavioral Tracking

  • Cross-site tracking: Connecting user behavior across multiple websites
  • Behavioral profiling: Creating detailed user profiles for marketing
  • Retargeting: Serving ads based on previous website visits
  • A/B testing with personal data beyond basic functionality

3. IP Address Processing

✅ Consent Required:
• Geolocation beyond basic country detection
• IP-based user identification/tracking
• Storing full IP addresses for analytics
• Cross-referencing IPs with other personal data

❌ Consent NOT Required:
• Basic server logs for security (anonymized after 24-48h)
• Load balancing and DDoS protection
• Fraud prevention for specific transactions

| Cookie Type | Consent Required | Examples |
|---|---|---|
| Strictly Necessary | ❌ No | Session cookies, security tokens, load balancing |
| Functional | ⚠️ Recommended | Language preferences, shopping cart (if persistent) |
| Analytics | ✅ Yes | Google Analytics, Adobe Analytics, custom tracking |
| Marketing | ✅ Yes | Facebook Pixel, Google Ads, retargeting pixels |
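Section 3 above allows full IP addresses in security logs only for a short window (anonymized after 24-48h). The following is an added example, not code from this page or from biskoui: a truncation-based anonymizer for IPv4 and IPv6 addresses plus a retention pass that applies it to JSON-lines access log entries older than a cut-off; it goes slightly beyond the text by also handling compressed IPv6 and malformed input. The function names and the JSON log format are assumptions; the log lines use constructed documentation address ranges.

```javascript
const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Expand an IPv6 address into its 8 hextets (one "::" allowed). Returns null
// for malformed input so the caller never keeps an unparseable value as-is.
function expandIpv6(ip) {
  if ((ip.match(/::/g) || []).length > 1) return null;
  const [head, tail = ""] = ip.split("::");
  const h = head ? head.split(":") : [];
  const t = tail ? tail.split(":") : [];
  const fill = 8 - h.length - t.length;
  if (fill < 0 || (fill > 0 && !ip.includes("::"))) return null;
  const groups = [...h, ...Array(fill).fill("0"), ...t];
  return groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g)) ? groups : null;
}

// IPv4: zero the last octet (/24). IPv6: keep the first three hextets (/48).
// Anything that is not a valid address is replaced wholesale, never kept.
function anonymizeIp(ip) {
  const m4 = IPV4.exec(ip);
  if (m4 && m4.slice(1).every((o) => Number(o) <= 255)) {
    return `${m4[1]}.${m4[2]}.${m4[3]}.0`;
  }
  const g6 = expandIpv6(ip);
  if (g6) return g6.slice(0, 3).map((g) => g.replace(/^0+(?=.)/, "")).join(":") + "::";
  return "invalid";
}

// Retention pass over JSON-lines access logs: entries older than maxAgeHours
// get the client IP truncated in place; newer entries keep the full address so
// a security investigation inside the short window still has it.
function ageOutLogs(lines, now, maxAgeHours = 48) {
  const cutoff = now.getTime() - maxAgeHours * 3600 * 1000;
  return lines.map((line) => {
    const entry = JSON.parse(line);
    if (Date.parse(entry.ts) < cutoff) entry.ip = anonymizeIp(entry.ip);
    return JSON.stringify(entry);
  });
}

// Constructed sample log (documentation address ranges, not real users).
const SAMPLE_LOG = [
  '{"ts":"2024-01-01T00:00:00Z","ip":"203.0.113.42","path":"/login"}',
  '{"ts":"2024-01-03T23:00:00Z","ip":"2001:db8:85a3::8a2e:370:7334","path":"/"}',
  '{"ts":"2024-01-04T00:30:00Z","ip":"203.0.113.7","path":"/cart"}',
];
```

Run `ageOutLogs(SAMPLE_LOG, new Date(), 48)` from a scheduled job; only the first entry is old enough to be truncated at the sample timestamps.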

What Comprises "Personal Data" Under Swiss Law

📊 Personal Data Definition (Art. 5 lit. a nFADP)

Personal data is any information relating to an identified or identifiable natural person.

Categories of Personal Data

Directly Identifying Data

  • Name, address, phone number, email
  • Government ID numbers (AHV, passport)
  • Bank account details, credit card numbers
  • Photos, videos showing faces

Indirectly Identifying Data

  • IP addresses (even dynamic ones)
  • Device fingerprints (browser, OS, screen resolution combinations)
  • Cookie IDs and similar online identifiers
  • Location data (GPS coordinates, WiFi SSIDs)
  • Behavioral patterns (browsing history, purchase patterns)

Particularly Sensitive Personal Data (Art. 5 lit. c nFADP)

Requires heightened protection and explicit consent:

  • Health information
  • Religious or philosophical beliefs
  • Political opinions
  • Trade union membership
  • Genetic and biometric data
  • Sexual orientation
  • Criminal records

🎯 Website-Specific Examples

Personal Data on Websites:
✅ Clearly Personal Data:
• Form submissions (contact forms, newsletter signups)
• User account information
• Comment authors and email addresses
• IP addresses in server logs
• Cookie-based user tracking

⚠️ Often Overlooked Personal Data:
• UTM parameters with user IDs
• Referrer headers from authenticated pages
• Session replay tools (Hotjar, LogRocket)
• Error logs containing user data
• A/B testing with user segmentation

Penalties and Enforcement

🚨 Financial Penalties (Art. 60-61 nFADP)

| Violation | Maximum Fine |
|---|---|
| Individual violations | CHF 250,000 per person |
| Corporate violations | No upper limit (unlimited fines) |
| Data breach non-reporting | CHF 250,000 |
| Intentional violations | Up to 3 years imprisonment |

Enforcement Authority

Federal Data Protection and Information Commissioner (FDPIC)

  • Investigation powers
  • Administrative orders
  • Criminal referrals for serious violations
  • Cross-border cooperation with EU authorities

📈 Audit Triggers

Common scenarios that trigger FDPIC investigations:

  • Data breach notifications (mandatory within 72 hours)
  • Consumer complaints through official channels
  • Media reports of privacy violations
  • Cross-border investigations from EU/EEA authorities
  • Sector-specific audits (healthcare, finance, telecom)

Best Practices for Compliance

✅ Technical Implementation

  1. Consent Management

    // ✅ Good: Granular consent with clear categories
    biskoui.consent.request({
      analytics: true,
      marketing: false,
      functional: true
    });

    // ❌ Bad: Bundled consent without granularity
    biskoui.consent.requestAll();

  2. Data Minimization

    • Only collect data necessary for stated purposes
    • Anonymize or pseudonymize when possible
    • Implement automatic deletion schedules

  3. Consent Documentation

    Required Records:
    • Who gave consent (user identifier)
    • When consent was given (timestamp)
    • What was consented to (specific services)
    • How consent was obtained (banner, form, etc.)
    • Evidence of consent mechanism (banner text, version)
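Items 1 and 3 together describe a granular consent call and the record it must leave behind. The block below is an added example, not biskoui's own code or API: a small consent gate that keeps third-party scripts blocked until their category is granted, rejects bundled or unknown choices, and writes the five required record fields. ConsentGate, CATEGORIES and the injected loadScript callback are assumed names; the service list is constructed sample data.

```javascript
const CATEGORIES = ["functional", "analytics", "marketing"];

// Constructed sample data: the services this site embeds and the
// consent category each one needs.
const SERVICES = [
  { name: "Google Analytics", category: "analytics" },
  { name: "Facebook Pixel", category: "marketing" },
  { name: "Google Fonts", category: "functional" },
];

class ConsentGate {
  // loadScript is injected (in a browser it would append a <script> tag).
  constructor(services, loadScript, bannerVersion) {
    this.services = services;
    this.loadScript = loadScript;
    this.bannerVersion = bannerVersion; // which banner text was shown
    this.loaded = new Set();
    this.records = []; // append-only consent log
  }

  // Apply one granular decision and write the required record. Only known
  // categories with boolean values count; {all: true} is never consent.
  request(choices, { userId, method, now = new Date() }) {
    for (const [cat, value] of Object.entries(choices)) {
      if (!CATEGORIES.includes(cat) || typeof value !== "boolean") {
        throw new Error(`invalid consent choice: ${cat}`);
      }
    }
    const granted = CATEGORIES.filter((c) => choices[c] === true);
    const record = {
      userId,                            // who
      timestamp: now.toISOString(),      // when
      services: this.services.filter((s) => granted.includes(s.category)).map((s) => s.name), // what
      method,                            // how (banner, form, ...)
      bannerVersion: this.bannerVersion, // evidence
    };
    this.records.push(record); // denials are logged as well
    for (const s of this.services) {
      if (granted.includes(s.category) && !this.loaded.has(s.name)) {
        this.loadScript(s);
        this.loaded.add(s.name);
      }
    }
    return record;
  }

  // Services still held back; a script already inserted cannot be unloaded,
  // so a withdrawal takes full effect on the next page load.
  blocked() {
    return this.services.filter((s) => !this.loaded.has(s.name)).map((s) => s.name);
  }
}
```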

🔒 Security Requirements

  • Encryption in transit (HTTPS mandatory)
  • Encryption at rest for sensitive personal data
  • Access controls and audit logs
  • Data breach response plan (72-hour notification)
  • Cross-border transfer safeguards (adequacy decisions or SCCs)

📋 Documentation Requirements

  1. Data Processing Register (Art. 12 nFADP)
  2. Privacy Impact Assessments for high-risk processing
  3. Consent logs with tamper-proof timestamps
  4. Data retention and deletion policies
  5. Third-party data sharing agreements

Swiss Data Residency with biskoui

🇨🇭 Why Swiss Hosting Matters

  • No adequacy decision required for data transfers within Switzerland
  • Strong data protection laws aligned with EU standards
  • Political stability and privacy traditions
  • Reduced legal complexity for Swiss organizations

biskoui's Swiss Infrastructure

Data Processing Locations:
✅ Consent logs: Swiss data centers only
✅ Analytics: Processed in Switzerland
✅ Configuration: Stored in Swiss cloud infrastructure
✅ Backups: Remain within Swiss borders

Common Compliance Questions

Q: Do Google Fonts require consent?

A: Yes, if using Google's CDN (fonts.googleapis.com). Google can track users across sites. Solution: Self-host fonts or use biskoui to block until consent.

Q: What about essential cookies like session cookies?

A: Strictly necessary cookies for core website functionality don't require consent, but document them in your privacy policy.

Q: Can I rely on legitimate interest instead of consent?

A: Swiss law doesn't explicitly recognize legitimate interest like GDPR. Consent is safer for marketing and analytics.

Q: How long should consent records be kept?

A: No specific requirement, but recommended: 3 years minimum for audit defense, aligned with limitation periods.

⚖️ Legal Disclaimer: This overview provides general guidance on Swiss data protection law. For specific legal advice, consult with qualified Swiss privacy counsel. Laws and interpretations may change.