revFADP

The revised Federal Act on Data Protection — revFADP, sometimes nFADP for “new” — is the principal Swiss data-protection statute as it has stood since 1 September 2023, when the modernised text took effect after a four-year legislative passage. It supersedes the 1992 federal statute that had grown out of date relative to the EU’s General Data Protection Regulation and to the modernised Council of Europe Convention 108+.

The substantive surface aligns closely with the GDPR: data subjects retain a right of access, a right of rectification, a right of erasure, and a right to data portability; controllers are subject to lawful-basis requirements, accountability obligations, and data-protection-by-design duties; processors operate under controller-processor contracts with specified content. The revision introduces a duty to notify the federal data-protection commissioner of breaches that pose a high risk, and introduces criminal sanctions (capped at CHF 250,000) for specified violations — a sanctions architecture that differs from the GDPR’s administrative-fine model and that, on certain breaches, can be operationally more bite than the EU’s.

Maintenance of the EU’s data-adequacy decision was a primary legislative motivation. The European Commission renewed the decision for Switzerland in 2024, finding the revFADP regime substantially equivalent to GDPR protection for the purposes of third-country transfer. Operationally, this is what permits a Swiss-hosted service to receive EU personal data without bespoke contractual machinery; for an offshore-hosting operator with Swiss presence, the adequacy decision is what makes the jurisdiction practically usable for any subscriber processing EU personal data.

The revFADP coexists with the BÜPF surveillance regime; the two address different ends of the same operational surface, and a complete picture of Swiss hosting requires reading them together.