SwitzerlandSwiss FADP Expert
Swiss Federal Act on Data Protection (nFADP) expert. Deep knowledge of the revised 2023 Swiss FADP including voluntary DSO, risk-based breach notification, individual criminal enforcement, Swiss transfer mechanisms, and key divergences from GDPR.
Swiss FADP Expert
Deep expertise in the Swiss Federal Act on Data Protection (nFADP) — Switzerland's comprehensive data protection law revised in 2023.
Expertise Areas
Framework Overview
Swiss Federal Act on Data Protection (FADP) — Revised 2023 (nFADP/nDSG) Effective Date: September 1, 2023 Scope: Protection of personality and fundamental rights relating to data processing Articles: 60+ articles across 10 sections
Territorial Scope:
- Establishment: Swiss law applies to controllers/processors established in Switzerland
- Effects in Switzerland: Offers goods/services to Swiss data subjects OR monitors behavior in Switzerland
- Applies: Even if organization not in Switzerland
Material Scope:
- Automated processing of personal data
- Manual processing in filing systems
- Exemptions: Personal/household use, purely professional activities with limited risk
Switzerland is not an EU member state. The FDPIC (Federal Data Protection and Information Commissioner) is the Swiss supervisory authority, not an EU Data Protection Authority. Swiss adequacy decisions are separate from EU adequacy.
Enforcement Model:
- Individual criminal liability: Responsible individuals face criminal sanctions up to CHF 250,000
- Not entity-level fines: Enforcement targets the responsible person, not the legal entity
- FDPIC enforcement: Administrative orders and compliance measures
Key Obligations
Processing Records (RoPA)
- Controllers must maintain records of processing activities
- SME carve-out: Organizations with fewer than 250 employees may be exempt from full records UNLESS processing is likely to result in high risk to personality rights
- Content: Similar to GDPR Article 30 but streamlined for Swiss context
Privacy by Design and Default
- Controllers must implement appropriate technical and organizational measures
- Built-in privacy: At time of determining processing means and during processing itself
- Default settings: Most protective configuration by default
- Focus: Data minimization, pseudonymization, transparency
Transparency / Privacy Notice
- Controllers must provide clear information about processing
- Timing: At collection or before processing begins
- Content: Identity of controller, purposes of processing, categories of data, recipients
- Special categories: Additional disclosure for sensitive data processing
- Data subject rights: Information about access, rectification, objection rights
Data Subject Rights
- Right of Access: Data subjects can request confirmation of processing and access to their data
- Right to Rectification: Inaccurate data must be corrected
- Right to Erasure: Data must be deleted if no longer necessary for processing purpose
- Right to Data Portability: Right to receive data in structured, commonly used format (more limited than GDPR)
- Right to Object: Can object to processing based on overriding private or public interest
- Note: Swiss FADP rights are somewhat more limited in scope than GDPR; no explicit right to restriction of processing
Data Protection Impact Assessments
- Trigger threshold: Processing likely to result in high risk to personality or fundamental rights
- High-risk indicators: Systematic profiling, large-scale processing of sensitive data, public monitoring
- DSO consultation: If DSO is appointed, they must be consulted on high-risk processing
- Content: Systematic description of processing, necessity/proportionality assessment, risk assessment, mitigation measures
Breach Notification
- Trigger: Breaches of security that pose a high risk to personality or fundamental rights
- Timing: Notify FDPIC "as soon as possible" — urgency determined by risk level
- No fixed deadline: Unlike GDPR which has a strict deadline, nFADP uses risk-based urgency
- Content: Nature of breach, categories of data subjects and data, likely consequences, mitigation measures
- Data subject notification: Required if high risk and not adequately mitigated
Cross-Border Transfers
- Adequacy list: FDPIC maintains countries with adequate protection (including EU under GDPR)
- Swiss-approved SCCs: Standard Contractual Clauses must be approved by FDPIC
- EU SCCs alone are NOT sufficient: European Union SCCs are not automatically valid under Swiss law
- Derogations: Explicit consent, performance of contract, important public interest, legal claims, vital interests, legitimate interests (with safeguards)
Processor Agreements
- Controllers must have written agreements with processors
- Mandatory content: Subject matter, duration, nature/purpose, data categories, controller obligations
- Processor obligations: Process only on controller instructions, ensure confidentiality, implement security measures, assist with breach notification, allow audits
- Sub-processors: Require controller authorization (general or specific)
Data Security Officer (DSO)
- Voluntary appointment: Unlike GDPR which requires DPO based on core activities, nFADP DSO appointment is entirely voluntary
- Organizations may appoint: Any controller can appoint a DSO
- Same duties apply: If appointed, DSO has similar monitoring, advisory, and cooperation functions
- No GDPR Article 37 trigger: No automatic requirement based on core activities or scale
Sensitive Data
Special Categories (require heightened protection):
- Health data
- Data about the intimate sphere (including sexual preferences and life)
- Data on affiliation to a race or ethnicity (FADP Art. 5(1)(c)(2))
- Genetic data
- Biometric data (for uniquely identifying a person)
- Religious or philosophical beliefs
- Political opinions
- Trade union membership
- Data concerning administrative or criminal proceedings and sanctions
- Data on social assistance measures (Sozialhilfemassnahmen — FADP Art. 5(1)(c)(6))
Financial data is NOT a special category under nFADP (unlike some other jurisdictions).
GDPR Divergence Cheat-Sheet
| Topic | GDPR | nFADP |
|---|---|---|
| Breach notification clock | Notify supervisory authority without undue delay (GDPR Art. 33) | "As soon as possible" — risk-based, no fixed clock |
| Enforcement target | Entity administrative fines (up to 4% global turnover) | Individual criminal liability (CHF 250,000 per responsible person) |
| DPO / DSO appointment | Required based on core activities/scale | Voluntary — appointment optional |
| Transfer mechanism | EU SCCs, adequacy, BCRs | FDPIC-approved SCCs; EU SCCs alone insufficient |
| Lawful basis flexibility | Legitimate interests (Art. 6(1)(f)) is standalone basis | Legitimate interests require demonstrable overriding private/public interest |
| Regulatory body | National DPAs (EU) + EDPB | FDPIC (Swiss) — not an EU authority |
| Sensitive data: financial | Not a special category | Not a special category |
| Protected entities | Natural persons only | Natural persons only (2023 nFADP narrowed scope; legal persons no longer covered) |
SCF Crosswalk Notes
CH-FADP is supported in the Secure Controls Framework crosswalk via /grc-engineer:gap-assessment today. The /ch-fadp:assess command routes directly to that crosswalk with SCF framework ID emea-che-fadp-2025.
Note on SCF ID year suffix: The SCF lists this framework as (2025) reflecting their internal intake/release cycle, not the law's effective date of September 1, 2023. This suffix must match the SCF crosswalk index exactly for gap-assessment lookups to resolve correctly — do not change it.
Priority SCF control domains for a Swiss controller:
- PRV (Privacy): Privacy by design, data minimization, transparency, data subject rights
- GOV (Governance): Records of processing, DSO (if appointed), accountability, policies
- DCH (Data Classification and Handling): Sensitive data categories, data mapping, retention
- IAO (Incident Analysis and Response): Risk-based breach notification to FDPIC
- IRO (Incident Response and Operations): Security measures, processor agreements, transfers
Available Commands
| Command | Description |
|---|---|
/ch-fadp:assess |
Run a gap assessment against Swiss FADP via the SCF crosswalk |
Upgrade Path — TODOs for Contributors
This stub provides the foundation. Level up to Reference or Full depth by implementing:
- [ ]
/ch-fadp:scope— Framework-specific applicability determination (SME carve-out, effects in Switzerland) - [ ]
/ch-fadp:evidence-checklist— Evidence patterns organized by nFADP articles and sections - [ ]
/ch-fadp:dpia-review— Data Protection Impact Assessment workflow for high-risk processing - [ ]
/ch-fadp:transfer-mechanism-check— Cross-border transfer mechanism selection and validation - [ ]
/ch-fadp:breach-triage— Risk-based breach notification urgency and FDPIC reporting
See Framework Plugin Guide for detailed criteria.
Usage Example
A SaaS company processing Swiss resident HR data invokes /ch-fadp:assess during a Claude Code session. The tool evaluates the company's IaC (Terraform for AWS, GitHub Actions workflows) against 35 SCF controls mapped to 90 Swiss FADP requirements, producing a prioritized gap report grouped by severity (blockers, findings, recommendations) with remediation links to implementation code.
References
- Swiss FDPIC official guidance portal — Data protection authority resources, guidance, and breach reporting
- Federal Chancellery nFADP full text — Official Swiss law portal with complete revised act text
- Data Protection Ordinance (VDSG) — Implementation ordinance effective September 2023
- SCF CH-FADP crosswalk — Secure Controls Framework mapping for Swiss data protection
- GitHub issue #12 — Framework coverage tracker
No additional documents ship with this skill.