A ransomware attack locks your customer database at 2 a.m. on a Friday. An employee accidentally sends a spreadsheet containing 3,000 client records to the wrong email address. A cloud misconfiguration exposes your HR files to the public internet for two weeks before anyone notices. These are not hypothetical scenarios: they are the most common data breach patterns reported to supervisory authorities across Europe, and they happen to Swiss SMEs every day.
Since 1 September 2023, the revised Federal Act on Data Protection (nFADP / nDSG / nLPD) has been in force, and with it a formal obligation to notify data breaches. Article 24 nFADP, together with Articles 15 and 16 of the Data Protection Ordinance (DPO), establishes a breach notification regime that every Swiss business must understand. Get it wrong, and you face criminal sanctions of up to CHF 250,000, imposed not on the company but on the responsible individual.
This guide covers everything a Swiss SME needs to know: what counts as a breach, when you must report it, what the notification must contain, how it differs from the GDPR, and a practical step-by-step incident response plan you can implement today.
What constitutes a data breach under the nFADP?
The nFADP uses the term "breach of data security" (Verletzung der Datensicherheit / violation de la sécurité des données). Article 5 lit. h nFADP defines it as any breach of security that leads, whether intentionally or not, to the loss, deletion, destruction, modification, or unauthorised access to personal data, regardless of whether the breach was accidental or unlawful.
This definition is deliberately broad. It covers three categories of security incidents:
Confidentiality breaches
Personal data is disclosed to or accessed by unauthorised persons. Examples include:
- A phishing attack grants an attacker access to a mailbox containing client data
- An employee emails a salary list to the wrong recipient
- A former employee retains access to the CRM after leaving the company
- A cloud storage bucket is misconfigured with public read access
Integrity breaches
Personal data is altered without authorisation, whether maliciously or through system error. Examples include:
- Ransomware encrypts and corrupts a patient record database
- A software bug overwrites customer addresses with incorrect data
- An unauthorised third party modifies financial records
Availability breaches
Personal data is temporarily or permanently lost or rendered inaccessible. Examples include:
- A ransomware attack makes the entire customer database unavailable
- A server failure destroys data for which no backup exists
- A DDoS attack prevents access to a health records system for 48 hours
Important: a breach does not require malicious intent. A misconfigured firewall rule, an accidental deletion, or a lost USB stick all qualify. The nFADP focuses on the result (whether data security was compromised), not on the cause.
When is notification to the FDPIC mandatory?
Not every data breach triggers a notification obligation. Article 24 para. 1 nFADP requires the controller to notify the Federal Data Protection and Information Commissioner (FDPIC / EDÖB / PFPDT) as soon as possible when a breach of data security is likely to result in a high risk to the personality or fundamental rights of the data subjects.
The high-risk threshold
The nFADP does not define "high risk" in detail, but the FDPIC and the legislative materials provide guidance. You should assess:
- The nature of the data affected: sensitive data (health, biometric, racial/ethnic origin, religious beliefs, criminal records, social assistance measures) automatically elevates risk. Financial data, login credentials, and government identification numbers also warrant heightened concern.
- The volume of data and number of affected persons: a breach affecting 10,000 customers is inherently higher risk than one affecting 3.
- The nature of the breach: unauthorised external access (e.g., hacking) typically carries higher risk than an internal accidental disclosure that was quickly contained.
- Identifiability: if the breached data can be directly linked to specific individuals (names, addresses, AHV numbers), the risk is higher than for pseudonymised data.
- Potential consequences: could the breach lead to identity theft, financial loss, reputational damage, discrimination, or physical danger to the affected persons?
- Whether data was encrypted: if breached data was encrypted with strong, current encryption and the keys were not compromised, the risk may be reduced below the high-risk threshold.
Practical rule of thumb: when in doubt, notify. The FDPIC has publicly stated that it prefers over-notification to under-notification. Filing a notification that turns out to be unnecessary is generally not penalised, provided it is made in good faith. Failing to file a required notification can lead to criminal prosecution.
No fixed 72-hour deadline, but do not delay
Unlike the GDPR, which imposes a strict 72-hour notification deadline (Art. 33 GDPR), the nFADP requires notification "as soon as possible" (so rasch wie möglich / dans les meilleurs délais). The legislative materials and the FDPIC's guidance indicate that this typically means within 72 hours in practice, but the law deliberately avoids a rigid deadline.
This flexibility has important implications:
- A complex breach requiring forensic analysis may justify a longer timeline, provided you can demonstrate that you acted diligently
- A straightforward breach (e.g., an email sent to the wrong recipient with clearly identifiable data) should be reported within hours, not days
- You may submit an initial notification with available information and supplement it later as your investigation progresses (Art. 15 para. 3 DPO)
- Unjustified delay will be treated as a failure to notify, regardless of the absence of a fixed deadline
The FDPIC provides an online notification form that can be used for initial reporting.
What must the notification contain?
Article 24 para. 2 nFADP and Article 15 DPO specify the minimum content of a breach notification to the FDPIC:
Mandatory information
- Nature of the breach: describe what happened, i.e. the type of breach (confidentiality, integrity, availability), the circumstances, and the attack vector if known
- Categories and approximate number of data subjects affected: specify whether customers, employees, patients, or other categories are affected, and provide an estimate of the numbers
- Categories and approximate number of personal data records concerned: detail what types of data were compromised (names, email addresses, financial data, health records, etc.)
- Likely consequences: assess the potential impact on data subjects, such as identity theft risk, financial exposure, reputational harm, or physical danger
- Measures taken or planned: describe what you have done to contain the breach and what steps you plan to take to mitigate its effects and prevent recurrence
- Contact person: name and contact details of a person (or the Data Protection Officer, if appointed) who can provide the FDPIC with additional information
Phased notification
If you cannot provide all required information at the time of initial notification, Article 15 para. 3 DPO allows you to submit information in phases. This is critical for complex breaches where the full scope is not immediately clear, for example a sophisticated cyberattack where forensic analysis is ongoing.
In practice, you should:
- File the initial notification within 72 hours with the information available
- Clearly indicate that the notification is preliminary
- Provide supplementary information as it becomes available
- Maintain a documented timeline of your investigation
Notification to affected data subjects
Beyond the FDPIC, Article 24 para. 4 nFADP requires the controller to inform affected data subjects when:
- It is necessary for their protection: if data subjects need to take action to protect themselves (change passwords, block credit cards, monitor accounts), they must be informed
- The FDPIC requests it: the FDPIC can order the controller to notify data subjects, even if the controller initially decided not to
Content of notification to data subjects
The notification to affected persons should be written in clear, plain language and include:
- What happened (nature of the breach)
- What data was affected
- What the likely consequences are
- What the controller has done and is doing to address the breach
- What the data subjects can do to protect themselves (concrete, actionable steps)
- Contact details for further questions
Exceptions to individual notification
The law does not require individual notification in all cases. The controller may use public communication (e.g., a notice on its website) if individual notification would involve disproportionate effort, for example when contact details for all affected persons are not available.
Additionally, notification to data subjects may not be necessary if:
- The data was effectively encrypted and the encryption keys were not compromised
- The controller has taken measures that eliminate the risk to data subjects
- The breach is unlikely to result in any tangible harm
The role of data processors in breach notification
Article 9 para. 2 nFADP requires data processors (Auftragsbearbeiter / sous-traitant) to notify the controller as soon as possible when they become aware of a data security breach. The processor's obligation is to inform the controller, not the FDPIC directly.
This has important implications for your vendor relationships:
Contractual requirements
Your data processing agreements (DPAs) must include:
- An obligation for the processor to notify you of any breach without undue delay (specify a timeframe; 24 or 48 hours is standard practice)
- A requirement to provide sufficient detail for you to assess whether the breach triggers your own notification obligations
- Cooperation duties for the processor to assist with your investigation and remediation
- Clarity on whether the processor may independently notify the FDPIC or affected persons (typically, they should not without your approval)
Practical challenges
Many Swiss SMEs rely heavily on cloud services, SaaS platforms, and outsourced IT providers. A breach at your processor is legally your breach: you remain responsible for notification and remediation as the controller. This means:
- You must monitor your processors' security practices
- You should include breach notification requirements in every DPA
- You need a clear escalation path from your processors to your incident response team
- Consider whether your processor's breach notification commitments are realistic and enforceable
nFADP vs. GDPR: breach notification compared
Swiss SMEs that also process EU personal data need to understand both regimes. The differences are significant:
| Aspect | nFADP (Art. 24) | GDPR (Art. 33/34) |
|---|---|---|
| Notification deadline | "As soon as possible" (no fixed deadline) | 72 hours after becoming aware |
| Threshold for authority notification | High risk to data subjects | Unless unlikely to result in a risk |
| Threshold for individual notification | Necessary for protection or FDPIC request | High risk to data subjects |
| Sanctions | Criminal: up to CHF 250,000 (natural person) | Administrative: up to EUR 10M or 2% turnover |
| Who is sanctioned | Responsible individual | Company / legal entity |
| Supervisory authority | FDPIC (EDÖB / PFPDT) | National DPA (e.g., CNIL, BfDI) |
| Processor obligation | Notify controller ASAP (Art. 9) | Notify controller without undue delay (Art. 33(2)) |
| Phased notification | Permitted (Art. 15(3) DPO) | Permitted (Art. 33(4) GDPR) |
| Record-keeping | Required (Art. 24(5) nFADP) | Required (Art. 33(5) GDPR) |
Key takeaway
The nFADP's higher threshold ("high risk" vs. "unless unlikely to result in risk") means fewer breaches require notification to the FDPIC than to an EU supervisory authority. However, the criminal nature of nFADP sanctions, which target the responsible individual rather than the company, makes the consequences of failure far more personal.
Practical 7-step incident response plan for SMEs
Having a documented incident response plan is not just good practice: it is evidence of due diligence that can protect you if a breach occurs. Here is a practical plan tailored to Swiss SMEs:
Step 1: Detect and contain
Goal: stop the breach and prevent further damage.
- Isolate affected systems (disconnect from network, revoke compromised credentials)
- Preserve evidence (do not wipe or rebuild systems before forensic analysis)
- Activate your incident response team (even in a 5-person company, designate who does what)
- Record the time of detection; this starts the clock for "as soon as possible"
PrivaGuard tip: regular compliance scans can detect misconfigurations (such as exposed tracking scripts, missing cookie consent, or insecure data flows) before they become breach vectors. Proactive monitoring reduces your attack surface.
Step 2: Assess the scope and severity
Goal: determine what happened, what data is affected, and whether the high-risk threshold is met.
- Identify the nature of the breach (confidentiality, integrity, availability)
- Determine what categories of personal data are affected
- Estimate the number of data subjects impacted
- Assess whether sensitive data (Art. 5 lit. c nFADP) is involved
- Evaluate the likelihood and severity of consequences for data subjects
- Document your risk assessment and the reasoning behind your conclusions
Step 3: Notify the FDPIC (if required)
Goal: comply with Art. 24 nFADP by filing a timely notification.
- Use the FDPIC's online breach notification form
- Include all mandatory information from Art. 15 DPO
- If the assessment is ongoing, file a preliminary notification and indicate that updates will follow
- Designate a contact person for FDPIC enquiries
- Document the date and time of notification
Step 4: Notify affected data subjects (if required)
Goal: enable data subjects to protect themselves.
- Determine whether individual notification is necessary (Art. 24 para. 4)
- Draft a clear, non-technical notification in the relevant languages (FR, DE, EN as appropriate)
- Include concrete steps data subjects should take (change passwords, monitor accounts, etc.)
- Choose the appropriate communication channel (email, letter, website notice)
- Document the notification, including its content, timing, and delivery method
Step 5: Remediate and recover
Goal: eliminate the vulnerability and restore normal operations.
- Fix the root cause of the breach (patch vulnerability, reconfigure access controls, etc.)
- Restore affected systems from clean backups
- Reset compromised credentials
- Verify that the breach has been fully contained
- Test remediation measures before returning systems to production
Step 6: Document everything
Goal: comply with Art. 24 para. 5 nFADP, which requires documentation of all breaches.
Your breach register must include:
- Date and time of the breach and its detection
- Nature and scope of the breach
- Data categories and number of persons affected
- Consequences of the breach (actual and potential)
- Measures taken to address the breach
- Whether the FDPIC and/or data subjects were notified, with reasoning
- Timeline of all actions taken
Important: you must document all breaches, not just those that were notified to the FDPIC. This register serves as evidence of your compliance efforts and may be requested by the FDPIC during an investigation.
Step 7: Learn and improve
Goal: prevent recurrence and strengthen your data protection posture.
- Conduct a post-incident review with all involved parties
- Identify what went wrong and what worked well
- Update your security measures, policies, and procedures accordingly
- Train employees on lessons learned
- Test your updated incident response plan
- Schedule regular compliance reviews
Documentation and record-keeping requirements
Article 24 para. 5 nFADP requires the controller to document data security breaches. This obligation applies to all breaches, not just those that triggered a notification to the FDPIC.
What to document
For each breach, your records should include:
- Factual description: what happened, when, how it was discovered
- Scope assessment: data categories, volume, number of affected persons
- Risk assessment: your analysis of whether the breach met the high-risk threshold, and the factors you considered
- Notification decisions: whether you notified the FDPIC and/or data subjects, and the reasoning behind your decision
- Remediation measures: what you did to contain the breach, restore systems, and prevent recurrence
- Timeline: a chronological record of all actions from detection to closure
Retention
The nFADP does not specify a retention period for breach documentation. Best practice is to retain records for at least 10 years (aligned with the general Swiss statute of limitations for civil claims), or for the duration of any ongoing investigation or proceeding.
Why documentation matters
Documentation serves three purposes:
- Legal protection: if the FDPIC investigates or criminal proceedings are initiated, your documentation demonstrates due diligence and good faith
- Continuous improvement: a breach register helps you identify patterns and systemic weaknesses
- Accountability: it demonstrates to clients, partners, and regulators that you take data protection seriously
Penalties for failure to notify
The nFADP's criminal sanctions framework applies to breach notification failures in several ways:
Direct sanctions
- Art. 60 nFADP (violation of information obligations): if you fail to inform data subjects about a breach when required, the responsible individual faces up to CHF 250,000
- Art. 61 nFADP (violation of due diligence obligations): failure to implement adequate security measures that led to the breach, or failure to maintain a breach register, can trigger this provision
- Art. 63 nFADP (failure to comply with FDPIC orders): if the FDPIC orders you to notify data subjects and you fail to comply, the responsible individual faces up to CHF 250,000
Indirect consequences
Beyond criminal sanctions, a failure to notify can result in:
- Civil liability: affected data subjects may claim damages under Art. 32 nFADP
- Reputational damage: public disclosure of a mishandled breach can destroy client trust
- Regulatory scrutiny: the FDPIC may open a formal investigation (Art. 49 nFADP) and impose binding measures
- Contract penalties: many B2B contracts and DPAs include breach notification obligations with financial penalties for non-compliance
- Insurance implications: failure to notify may void cyber insurance coverage
Who is personally liable?
As with all nFADP sanctions, liability targets the responsible natural person, not the company. This can be:
- The CEO or managing director who decided not to notify
- The IT manager who concealed the breach
- The Data Protection Officer who failed to escalate
- Any employee who had the authority and duty to act but did not
Common breach scenarios for Swiss SMEs
Understanding real-world breach patterns helps you prepare. These are the most frequent scenarios affecting Swiss businesses:
Ransomware attacks
A malicious actor encrypts your systems and demands payment. This is simultaneously a confidentiality breach (the attacker likely exfiltrated data before encryption) and an availability breach (data is inaccessible). Always assume data exfiltration in a ransomware incident; the high-risk threshold is almost certainly met.
Email misdirection
An employee sends a file containing personal data to the wrong recipient. The severity depends on the data involved: sending a meeting invitation to the wrong person is different from sending a list of employee salaries or patient diagnoses to an external address.
Cloud misconfiguration
A storage bucket, database, or API endpoint is accidentally exposed to the public internet. These breaches are particularly dangerous because they may go undetected for weeks or months, and the scope of potential access is difficult to determine.
Phishing and credential theft
An employee falls for a phishing email, and the attacker gains access to systems containing personal data. The breach scope depends on the compromised account's access rights: an administrator account breach is far more severe than a limited-access account.
Lost or stolen devices
A laptop, phone, or USB drive containing personal data is lost or stolen. Full-disk encryption with a strong passphrase significantly reduces the risk; document this in your risk assessment.
Insider threats
A disgruntled or departing employee copies client data, retains system access, or deliberately sabotages systems. This is why access management and timely offboarding procedures are critical.
How PrivaGuard helps with breach prevention and response
While no tool can prevent all breaches, proactive compliance monitoring significantly reduces your risk:
- Automated compliance scanning detects tracking scripts, cookies, and data flows that could become breach vectors, identifying issues before they lead to incidents
- Continuous monitoring alerts you to configuration changes and new vulnerabilities on your web properties
- Cookie consent management ensures that data collection is lawful and documented, reducing the scope of potential breaches
- Privacy policy generation keeps your data processing documentation current, supporting your notification obligations
- Processing register provides the documentation backbone required by Art. 24 para. 5 nFADP
Data breach notification is not a one-time compliance exercise: it requires ongoing vigilance, documented processes, and a culture of data protection awareness. By understanding your obligations under Art. 24 nFADP and preparing in advance, you transform breach notification from a crisis into a managed process.
Key takeaways
- Not every breach requires notification: only those likely to result in a high risk to data subjects
- Act fast but act right: there is no fixed 72-hour deadline, but unjustified delay is treated as non-compliance
- Document everything: all breaches, not just notified ones, must be recorded
- Personal liability is real: CHF 250,000 criminal fines target the responsible individual, not the company
- Prepare now: a documented incident response plan is your best protection when a breach occurs
- Monitor your processors: a breach at your vendor is legally your breach
- Prevention beats reaction: regular compliance scanning and monitoring reduce both breach risk and notification burden
Sources: Federal Act on Data Protection (nFADP), Data Protection Ordinance (DPO), FDPIC Guidance on Data Security Breaches