Switzerland's revised data protection legislation entered into force in September 2023, fundamentally reshaping obligations for every business that processes personal data of Swiss residents. Since then, the Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (Federal Data Protection and Information Commissioner, or FDPIC) has moved from a purely advisory posture toward active enforcement. Companies that assumed the transition period would extend indefinitely are now facing formal investigations, mandatory corrective orders, and reputational exposure. The window for quiet remediation is narrowing.
Switzerland's revised data protection legislation – colloquially known as the revDSG – became fully applicable on 1 September 2023, replacing the previous regime and introducing obligations broadly comparable to GDPR compliance standards in the EU. Every data controller and data processor handling personal data of persons in Switzerland must meet these requirements, regardless of where the organisation is incorporated. The FDPIC now holds expanded investigation powers and may issue binding recommendations enforceable through criminal sanctions.
This alert sets out what has changed at the enforcement level, which business categories face the greatest exposure, and what immediate actions international companies should take before further regulatory action intensifies.
What changed – the enforcement shift and its effective date
The revised Swiss data protection regime came into force on 1 September 2023. The transition period that many practitioners had anticipated did not materialise in the form of regulatory forbearance. By early 2025, the FDPIC had opened a series of formal inquiry procedures against organisations across financial services, technology, healthcare, and retail sectors.
The core change is structural. Under the previous regime, the FDPIC could investigate and recommend – but had limited tools to compel action. Under the revised legislation, the Commissioner may issue binding recommendations. Failure to comply triggers referral to the competent federal authority, which may impose criminal penalties. The liability sits primarily with natural persons – that is, with responsible individuals within the organisation – not merely with the legal entity itself.
Several specific enforcement patterns have emerged. First, the FDPIC has scrutinised cross-border data transfer arrangements, particularly transfers to countries lacking an adequacy decision from Switzerland. Standard contractual clauses and binding corporate rules must be adapted to the Swiss standard – not simply carried over from EU frameworks. Second, organisations processing sensitive personal data – including health data, biometric data, and data on religious or political views – face heightened documentation requirements. Third, consent mechanism validity has been challenged in consumer-facing digital services, with particular attention to pre-ticked boxes and bundled consent.
The Bundesgericht (Swiss Federal Supreme Court) has confirmed in a line of decisions that data subjects retain enforceable rights to information and correction that cannot be contractually waived. Practitioners note that Swiss courts apply a strict proportionality test to data processing activities. One that goes beyond the letter of the revised statute and draws on the broader principles embedded in the Swiss Code of Obligations (the foundational civil liability regime governing damages claims arising from unlawful data processing).
Companies registered in Switzerland – whether as an AG (Aktiengesellschaft, a Swiss joint-stock company) or a GmbH CH (Gesellschaft mit beschränkter Haftung. A Swiss limited liability company) and appearing in the Handelsregister Schweiz (Swiss Commercial Register) – bear direct compliance obligations. Foreign entities that process Swiss residents' data without a local establishment must designate a representative in Switzerland in many circumstances.
Who is affected – threshold criteria and categories at risk
The revised regime applies to any private-sector organisation that processes personal data of natural persons in Switzerland, irrespective of the organisation's place of establishment. The extraterritorial reach mirrors the EU approach: if your service targets Swiss residents, Swiss data protection law applies to you.
The following categories of organisations face the most immediate enforcement exposure:
- Technology platforms and SaaS providers processing Swiss user data at scale
- Financial institutions and fintech companies subject to dual regulation by the FDPIC and FINMA
- Healthcare providers, insurers, and medical device companies handling sensitive health data
- E-commerce and retail businesses using behavioural profiling or automated decision-making
- Multinational groups operating EU-Swiss data flows under GDPR compliance programmes that have not been separately adapted to Swiss law
A non-obvious threshold criterion concerns data processor relationships. Many organisations assume that using a data processor – a cloud provider, payroll service, or analytics vendor – transfers compliance responsibility. Under Swiss data protection legislation, the data controller remains fully accountable. Processor contracts must contain specific clauses aligned with the revised regime, and controllers must conduct due diligence on processor security measures. Gaps in these arrangements are a primary focus of current FDPIC inquiries.
Organisations that rely solely on their GDPR compliance documentation should be aware of material differences. Switzerland is not an EU member state. The legal standard in Switzerland is set by federal data protection legislation, not by EU Regulation. GDPR compliance is a useful baseline, but it does not substitute for a Swiss-specific assessment.
For a tailored assessment of your organisation's data protection exposure in Switzerland, contact us at info@ferrazwhitmore.com.
What to do now – immediate actions and compliance timeline
The following five actions address the areas of highest enforcement risk identified in recent FDPIC activity. International companies should treat these as priority items for the first quarter of 2026.
1. Audit your data transfer mechanisms. Review every transfer of personal data from Switzerland to a third country. Identify whether the destination country appears on Switzerland's list of countries with adequate protection. For transfers to countries not on that list, verify that appropriate safeguards are in place under Swiss data protection legislation – not solely under EU frameworks. Standard contractual clauses used for EU transfers require separate adaptation for Swiss law compliance.
2. Review and update your consent mechanisms. Examine every consent mechanism used in Swiss-facing digital services. Consent must be freely given, specific, informed, and unambiguous. Bundled consent – where agreement to data processing is a condition of accessing a service – is unlikely to withstand FDPIC scrutiny. Pre-ticked boxes are not valid. Update privacy notices and consent flows to meet the current standard.
3. Map sensitive data processing and document proportionality. Compile a complete inventory of processing activities involving sensitive personal data. For each category, document the legal basis, the necessity of processing, and the proportionality assessment. Swiss data protection legislation requires that processing be proportionate to the purpose pursued. The absence of documented proportionality analysis is a recurring deficiency identified in enforcement proceedings.
4. Strengthen data processor contracts. Audit all agreements with data processors against the requirements of the revised Swiss data protection regime. Contracts that were drafted to satisfy GDPR requirements alone may be insufficient. Ensure that processor agreements address sub-processing chains, security obligations, and the controller's audit rights in terms that comply with Swiss law.
5. Appoint a Swiss representative if required. Foreign organisations that process Swiss residents' data without a local establishment must assess whether they are required to designate a representative domiciled in Switzerland. The obligation applies where processing is carried out on a large scale or involves sensitive data. Failure to designate a representative where required is itself a compliance deficiency.
Companies with AI-driven data processing activities in Switzerland face an additional layer of scrutiny. The intersection of automated decision-making and data protection obligations is an active area of regulatory attention. For guidance on that intersection, our analysis of AI and technology law in Switzerland sets out the applicable requirements in detail.
Organisations seeking a broader view of their data protection obligations across Swiss and EU operations should also review our data protection services for Switzerland. This addresses the full compliance cycle from gap assessment through to regulatory engagement.
For a preliminary review of your organisation's data protection position in Switzerland, email info@ferrazwhitmore.com.
About Ferraz & Whitmore
Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our data protection practice covers organisations operating across European civil law and common law systems, with direct experience in Swiss, EU, and cross-border data protection compliance. Sophie Kellner leads the firm's IP and technology practice, advising technology companies, institutional investors, and multinational groups on data protection strategy, regulatory engagement, and consent mechanism design. Engaging a lawyer in Switzerland with cross-border experience matters when enforcement risk spans multiple legal systems – our team bridges the Swiss regulatory environment and international business requirements. As an international law firm serving Switzerland and the broader European market, Ferraz & Whitmore provides results-oriented counsel to in-house legal teams and executive leadership facing active regulatory scrutiny. To discuss your organisation's compliance position, contact us at info@ferrazwhitmore.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.