Every Swiss organisation that processes personal data eventually faces the question: do we need a Data Protection Impact Assessment? Under the new Federal Act on Data Protection (nFADP), the answer depends on the level of risk your processing activities pose to individuals. This guide walks you through the legal requirements, the practical methodology, and the common pitfalls — so you can approach DPIAs with confidence rather than confusion.
What Is a Data Protection Impact Assessment?
A Data Protection Impact Assessment — known in German as Datenschutz-Folgenabschätzung (DSFA) and in French as Analyse d'impact relative à la protection des données (AIPD) — is a structured process through which an organisation identifies, evaluates, and mitigates the data protection risks of a planned processing activity before it begins.
The obligation is set out in Article 22 of the new Federal Act on Data Protection (nFADP, fedlex.admin.ch). In essence, the law requires you to think before you process — not after a breach forces you to.
A DPIA is not a one-off compliance exercise. It is a living document that should be revisited whenever the processing activity changes materially: new data categories, new technologies, new recipients, or a different scope.
When Is a DPIA Mandatory?
Art. 22 para. 1 nFADP states that a DPIA must be conducted when planned processing is likely to entail a high risk for the personality or fundamental rights of data subjects. The law does not provide an exhaustive checklist of triggers, but the following indicators are well established in Swiss practice and in guidance from the FDPIC:
High-Risk Indicators
- Systematic and extensive profiling — Art. 21 nFADP specifically addresses high-risk profiling, which is profiling that leads to an assessment of essential aspects of a person's personality. If your processing involves profiling that reaches this threshold, a DPIA is required.
- Large-scale processing of sensitive data — health data, biometric data for identification, data on political or religious opinions, data on criminal proceedings or sanctions. "Large-scale" is assessed relative to the number of data subjects, the volume of data, the geographic scope, and the duration of processing.
- Systematic monitoring of publicly accessible areas — video surveillance of public spaces, WiFi tracking in retail environments, or any technology that monitors the movements and behaviour of individuals in accessible areas.
- Use of new technologies — artificial intelligence, machine learning models, automated decision-making systems, facial recognition, or other technologies whose impact on data subjects is not yet fully understood.
- Automated individual decision-making — processing that produces legal effects or significantly affects a person without meaningful human intervention.
- Large-scale matching or combination of data sets — merging data from multiple sources in a way that exceeds the reasonable expectations of data subjects.
- Processing involving vulnerable persons — employees (power imbalance), children, patients, or other groups with limited ability to consent or object freely.
The Cumulative Approach
Swiss practice generally follows a cumulative approach: the more indicators that apply, the more likely a DPIA is required. A single indicator may suffice if the risk is severe (for example, large-scale biometric processing). Two or more indicators together almost always trigger the obligation.
Exemption for Legally Required Processing
Art. 22 para. 2 nFADP provides an exemption: no DPIA is required if the processing is prescribed by law and the law already regulates the specific processing activity in sufficient detail. This exemption is narrow — simply having a legal basis for processing does not automatically exempt you.
Step-by-Step DPIA Methodology
While the nFADP does not prescribe a specific methodology, the following approach aligns with Swiss practice and with the recommendations of major data protection frameworks. You can adapt it to the size and complexity of your organisation.
Step 1 — Describe the Processing Activity
Start with a clear, comprehensive description of what you intend to do:
- What personal data will you collect? List every category, including data that may seem trivial (device identifiers, IP addresses, timestamps).
- From whom will you collect it? Customers, employees, website visitors, third-party data brokers?
- For what purpose? Be specific. "Marketing" is not a purpose — "personalised product recommendations based on purchase history" is.
- How will you process it? Manual review, automated decision-making, algorithmic scoring, AI inference?
- Who will have access? Internal teams, processors, partner organisations, authorities?
- Where will the data be stored and transferred? Domestic servers, cloud providers, cross-border transfers?
- How long will you retain it?
This description is the foundation of the entire DPIA. If it is incomplete, every subsequent step will be flawed.
Step 2 — Assess Necessity and Proportionality
Before evaluating risks, assess whether the processing is necessary and proportionate to the stated purpose:
- Is there a less intrusive way to achieve the same goal? If you can accomplish your business objective with less data, fewer recipients, or a shorter retention period, you should.
- Is the purpose legitimate and specific? Vague purposes like "business improvement" are insufficient under the nFADP.
- Is the data minimisation principle respected? You should only process data that is genuinely necessary for the stated purpose.
- Have you established a valid legal basis? Consent, overriding private interest, legal obligation, or contract performance — which one applies, and is it robust?
This step is where many organisations discover that they can redesign the processing activity to reduce risk before they even reach the risk assessment phase.
Step 3 — Identify and Evaluate Risks
For each aspect of the processing activity, identify the potential risks to data subjects. Risks fall into several categories:
Confidentiality risks — unauthorised access, data breaches, accidental disclosure to wrong recipients.
Integrity risks — data corruption, inaccurate profiling, decisions based on incorrect data.
Availability risks — data loss, inability to respond to access requests, system outages affecting essential services.
Broader impact risks — discrimination, reputational damage to individuals, financial loss, loss of employment, social stigma, chilling effects on fundamental rights.
For each identified risk, evaluate:
- Likelihood — how probable is it that this risk will materialise? Consider your existing security measures, the threat landscape, and historical incidents.
- Severity — if the risk materialises, how serious is the impact on data subjects? A breach of health data is far more severe than a breach of newsletter subscription data.
Combine likelihood and severity into an overall risk rating. A simple matrix (low/medium/high for each dimension) is sufficient for most SME scenarios.
Step 4 — Define Mitigation Measures
For each risk rated as medium or high, define concrete mitigation measures. These should be both technical and organisational:
Technical measures:
- Encryption at rest and in transit
- Pseudonymisation or anonymisation where feasible
- Access controls and role-based permissions
- Automated logging and monitoring
- Data loss prevention tools
- Regular security testing and vulnerability scanning
Organisational measures:
- Data protection training for all staff involved in the processing
- Clear data processing agreements with all processors
- Incident response procedures
- Regular audits and reviews
- Appointment of a data protection adviser (Art. 10 nFADP)
- Data retention schedules with automated deletion
After defining mitigation measures, re-evaluate the residual risk. If the residual risk remains high, you may need to consult the FDPIC (see below) or reconsider the processing activity entirely.
Step 5 — Document and Approve
Document the entire DPIA in a structured format. Your documentation should include:
- The description of the processing activity
- The necessity and proportionality assessment
- The risk assessment with likelihood and severity ratings
- The mitigation measures and their expected effect
- The residual risk assessment
- The decision: proceed, modify, or abandon the processing
- The name and role of the person who approved the DPIA
- The date of the assessment and the planned review date
This documentation is not submitted to the FDPIC automatically — but it must be available upon request, and it serves as evidence of your compliance efforts.
High-Risk Profiling Under Art. 21 nFADP
Art. 21 nFADP introduces a concept that does not exist in the GDPR: high-risk profiling (Profiling mit hohem Risiko / profilage présentant un risque élevé). This is profiling that allows an assessment of essential aspects of someone's personality — for instance, combining data points to evaluate their health status, economic situation, reliability, or behaviour patterns.
High-risk profiling requires either the explicit consent of the data subject or a justification by law or overriding private interest. It is also one of the clearest triggers for a mandatory DPIA.
Common examples in an SME context include:
- Credit scoring of customers based on multiple data sources
- Employee performance analytics that combine productivity data, communication patterns, and attendance records
- Customer segmentation engines that infer sensitive attributes (health interest, political leaning, financial stress) from browsing or purchase behaviour
- AI-based hiring tools that score candidates on behavioural or personality traits
If your organisation conducts any form of profiling, conduct a threshold analysis to determine whether it reaches the "high-risk" level — and document your conclusion either way.
The Role of the Data Protection Adviser (Art. 10 nFADP)
Art. 10 nFADP allows organisations to appoint a voluntary data protection adviser (Datenschutzberaterin / conseiller à la protection des données). Unlike the GDPR's mandatory Data Protection Officer for certain organisations, the nFADP makes this role entirely voluntary — but attaches a significant procedural advantage.
If you have appointed a data protection adviser who meets the independence and expertise requirements of Art. 10 nFADP, and if you consult this adviser during the DPIA process, you are exempt from the obligation to consult the FDPIC under Art. 23 nFADP — even if the residual risk remains high.
This is a powerful incentive for Swiss SMEs. Appointing a data protection adviser — whether internal or external — can streamline your DPIA process significantly and avoid the delays and administrative burden of a formal FDPIC consultation.
The adviser must:
- Be professionally qualified in data protection law and practice
- Exercise the function independently
- Not receive instructions regarding the exercise of this function
- Have access to all relevant processing activities and information
Differences Between nFADP DPIA and GDPR DPIA
Swiss organisations operating across borders — or comparing notes with EU counterparts — should understand the key differences:
| Aspect | nFADP (Switzerland) | GDPR (EU/EEA) |
|---|---|---|
| Legal basis | Art. 22 nFADP | Art. 35 GDPR |
| Trigger | High risk to personality or fundamental rights | High risk to rights and freedoms |
| Mandatory DPA consultation | Only if residual risk remains high AND no data protection adviser consulted (Art. 23 nFADP) | Mandatory if residual risk remains high (Art. 36 GDPR) |
| Exemption via adviser | Yes — appointing and consulting an Art. 10 adviser exempts from FDPIC consultation | No equivalent exemption |
| List of mandatory DPIA operations | No mandatory list published by FDPIC | Supervisory authorities must publish lists (Art. 35(4) GDPR) |
| Penalties for non-compliance | No direct fine for missing DPIA; criminal fines up to CHF 250,000 for other nFADP violations | Administrative fines up to EUR 10 million or 2% of global turnover |
| Penalty target | Responsible natural person | Legal entity (undertaking) |
The most practically significant difference is the adviser exemption. In the GDPR world, a high residual risk always triggers mandatory DPA consultation. Under the nFADP, you can avoid this entirely by involving a qualified data protection adviser.
Consultation with the FDPIC (Art. 23 nFADP)
If your DPIA reveals that the planned processing still entails a high risk despite the mitigation measures you have implemented, and you have not consulted a data protection adviser under Art. 10 nFADP, you must consult the Federal Data Protection and Information Commissioner (FDPIC) before commencing the processing.
What to Submit
Art. 23 nFADP requires you to submit the DPIA to the FDPIC. In practice, this means providing:
- The complete DPIA documentation (description, risk assessment, mitigation measures, residual risk)
- An explanation of why the residual risk could not be reduced further
- Your intended timeline for commencing the processing
The FDPIC's Response
The FDPIC has two months to respond (extendable once by one month for complex cases). The FDPIC may:
- Raise no objections β you may proceed
- Propose modifications to the processing or additional safeguards
- Recommend that you abandon or fundamentally redesign the processing
Importantly, the FDPIC's response under Art. 23 is an opinion, not a binding decision at this stage. However, ignoring the FDPIC's recommendations significantly increases your legal exposure if problems arise later.
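As an added example (not code from the page or from PrivaGuard), the following Python encodes the Step 3 likelihood/severity matrix, the cumulative-indicator rule from Art. 22, and the Art. 23 consultation decision with the Art. 10 adviser exemption described above. The indicator names, the 3x3 scoring thresholds, and the rule that each mitigation lowers likelihood by one level are assumptions for illustration.

```python
"""DPIA decision helper modelled on this guide's workflow (added example).
Encodes the Step 3 likelihood x severity matrix, the Art. 22 cumulative
indicator rule and the Art. 23 consultation rule with the Art. 10 adviser
exemption. Indicator names and mitigation effect are illustrative assumptions.
"""
from dataclasses import dataclass, field

LEVELS = {"low": 1, "medium": 2, "high": 3}
LEVEL_NAME = {v: k for k, v in LEVELS.items()}

# Indicators severe enough to trigger a DPIA on their own (assumption based on
# the guide's example of large-scale biometric processing).
SEVERE_ALONE = {"biometric_large_scale", "high_risk_profiling"}

def dpia_required(indicators: set[str]) -> bool:
    """Cumulative approach: two or more indicators, or one severe indicator."""
    return len(indicators) >= 2 or bool(indicators & SEVERE_ALONE)

def rate_risk(likelihood: str, severity: str) -> str:
    """3x3 matrix: product of the two ordinal scores mapped back to a level."""
    score = LEVELS[likelihood] * LEVELS[severity]
    if score >= 6:   # high*medium, high*high
        return "high"
    if score >= 3:   # low*high, medium*medium, high*low
        return "medium"
    return "low"

@dataclass
class Risk:
    name: str
    likelihood: str
    severity: str
    mitigations: list[str] = field(default_factory=list)

    def inherent(self) -> str:
        return rate_risk(self.likelihood, self.severity)

    def residual(self) -> str:
        # Assumption: each mitigation lowers likelihood by one level, never
        # below "low"; the severity for the data subject is unchanged.
        drop = min(len(self.mitigations), LEVELS[self.likelihood] - 1)
        reduced = LEVEL_NAME[LEVELS[self.likelihood] - drop]
        return rate_risk(reduced, self.severity)

def decide(risks: list[Risk], adviser_consulted: bool) -> str:
    """Step 5 decision: a high residual risk means FDPIC consultation under
    Art. 23, unless an Art. 10 data protection adviser was consulted."""
    if any(r.residual() == "high" for r in risks):
        return "proceed" if adviser_consulted else "consult FDPIC"
    return "proceed"

if __name__ == "__main__":
    # Constructed sample: employee productivity analytics (one of the guide's examples).
    indicators = {"vulnerable_persons", "new_technology", "high_risk_profiling"}
    risks = [
        Risk("unauthorised access to productivity logs", "medium", "high", ["encryption at rest", "role-based access"]),
        Risk("inaccurate scoring affecting employment", "high", "high", ["human review of decisions"]),
    ]
    print("DPIA required:", dpia_required(indicators))
    for r in risks:
        print(f"{r.name}: inherent={r.inherent()} residual={r.residual()}")
    print("Decision without adviser:", decide(risks, adviser_consulted=False))
    print("Decision with adviser:", decide(risks, adviser_consulted=True))
```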
Common Processing Activities That Require a DPIA
Here are concrete examples of processing activities that typically require a DPIA for a Swiss SME:
AI and Machine Learning Tools
If you deploy AI tools that process personal data — whether for customer service chatbots, predictive analytics, content personalisation, or automated recommendations — a DPIA is almost certainly required. The opacity of AI models, the potential for bias, and the difficulty of explaining automated decisions to data subjects all contribute to high risk.
Employee Monitoring
Monitoring employee emails, internet usage, location, or productivity through software tools creates a high-risk scenario due to the power imbalance in employment relationships. Swiss employment law (Art. 328b CO) adds further constraints. A DPIA should assess whether the monitoring is proportionate and whether less invasive alternatives exist.
Large-Scale Customer Profiling
Building comprehensive customer profiles by combining purchase history, browsing behaviour, social media data, loyalty programme data, and third-party data sources is classic high-risk processing. The more data points you combine, and the more granular the resulting profile, the higher the risk.
Biometric Data Processing
Fingerprint scanners for building access, facial recognition for security purposes, or voice recognition for authentication all involve biometric data — a category of sensitive data under Art. 5 lit. c nFADP. Any systematic biometric processing is a strong DPIA trigger.
Health Data Processing
HR systems that process employee health certificates, insurance platforms, wellness apps, or any system that handles medical data must undergo a DPIA if the processing is large-scale or systematic.
Video Surveillance
If your business operates CCTV cameras in areas accessible to the public, employees, or customers, a DPIA is required. This includes not just traditional video surveillance but also smart cameras with analytics capabilities (people counting, heat mapping, behaviour analysis).
Practical DPIA Template for SMEs
You do not need an expensive consulting engagement to produce a valid DPIA. Here is a practical template structure that covers all legal requirements:
Section 1: Processing Overview
- Processing activity name and reference number
- Controller identity and contact details
- Data protection adviser (if appointed) and contact details
- Date of assessment and planned review date
Section 2: Processing Description
- Categories of personal data processed
- Categories of data subjects
- Purposes of processing
- Legal basis for processing
- Data recipients and processors
- International data transfers
- Retention periods
- Technologies used
Section 3: Necessity and Proportionality
- Why this processing is necessary for the stated purpose
- Whether less intrusive alternatives were considered
- Data minimisation measures in place
- How data subjects are informed
Section 4: Risk Assessment
- Risk identification (list each risk)
- Likelihood assessment (low/medium/high) for each risk
- Severity assessment (low/medium/high) for each risk
- Overall risk rating for each risk
Section 5: Mitigation Measures
- Technical measures (encryption, access control, pseudonymisation, etc.)
- Organisational measures (training, policies, agreements, audits)
- Expected risk reduction for each measure
Section 6: Residual Risk
- Residual risk rating after mitigation
- Decision: proceed / modify / consult FDPIC / abandon
- Justification for the decision
Section 7: Approval
- Name and role of approver
- Date of approval
- Planned review schedule
With a tool like PrivaGuard, you can manage this entire process digitally — from initial risk identification through documentation to periodic reviews — without juggling spreadsheets and email chains.
Documentation and Record-Keeping
The nFADP does not specify how long you must retain DPIA documentation, but best practice is to keep it for the entire duration of the processing activity and for a reasonable period after the processing ceases — at least the relevant statute of limitations for data protection claims.
Your DPIA documentation should be:
- Versioned — track changes over time, especially when the processing activity is modified
- Accessible — the FDPIC can request it at any time during an investigation
- Linked to your processing register — your DPIA should cross-reference the corresponding entry in your record of processing activities (Art. 12 nFADP)
- Reviewed periodically — at minimum annually, or whenever a material change occurs
What Happens If You Skip a Required DPIA
The nFADP does not impose a specific fine for failing to conduct a DPIA. This sometimes leads organisations to underestimate the obligation. That would be a mistake. Here is why:
1. FDPIC investigation powers. The FDPIC can open an investigation into any processing activity. If the investigation reveals that a DPIA should have been conducted but was not, the FDPIC can issue binding orders to modify or cease the processing. Non-compliance with an FDPIC order is a criminal offence.
2. Criminal liability for other violations. While the missing DPIA itself may not attract a fine, the processing activity it should have assessed may violate other nFADP provisions — for example, inadequate security measures (Art. 8), failure to inform data subjects (Art. 19), or unlawful cross-border transfers (Art. 16–17). These violations can lead to criminal fines of up to CHF 250,000 against the responsible natural person.
3. Reputational damage. In the event of a data breach or a public complaint, the absence of a DPIA is a clear indicator of negligence that can amplify reputational harm and undermine trust with customers, partners, and regulators.
4. Civil liability. Data subjects who suffer harm as a result of unlawful processing can bring civil claims. The absence of a DPIA weakens your defence and may be interpreted as evidence that the organisation did not take reasonable steps to protect personal data.
Integrating DPIAs Into Your Compliance Programme
A DPIA should not exist in isolation. To maximise its value, integrate it into your broader data protection compliance programme:
- Link DPIAs to your processing register. Every processing activity in your register (Art. 12 nFADP) that presents a high risk should have a corresponding DPIA. PrivaGuard's processing register makes this cross-referencing straightforward.
- Include DPIAs in project governance. For any new project, product, or technology that involves personal data, include a DPIA checkpoint in your project plan — ideally before procurement or development begins.
- Train your teams. Ensure that product managers, IT staff, and business owners understand when a DPIA is needed and whom to contact. A simple internal decision tree can reduce the risk of oversight.
- Use your DPIA to improve your privacy policy. The risks and measures documented in a DPIA feed directly into the transparency information you provide to data subjects.
- Schedule reviews. Set calendar reminders to review each active DPIA at least annually. Changes in technology, regulation, or business context can shift the risk profile significantly.
Conclusion
Data Protection Impact Assessments under Art. 22 nFADP are not bureaucratic hurdles — they are practical tools that help Swiss organisations process personal data responsibly and defensibly. For SMEs, a well-executed DPIA can prevent costly incidents, strengthen your position before the FDPIC, and build trust with customers and employees.
The key principles are straightforward: identify high-risk processing early, assess risks honestly, implement proportionate mitigation measures, document everything, and review regularly. If residual risk remains high, either consult a data protection adviser or engage with the FDPIC before proceeding.
With PrivaGuard, Swiss SMEs can manage DPIAs alongside their processing registers, privacy policies, and consent management — all in one Swiss-hosted platform designed specifically for nFADP compliance. Start your free compliance check with PrivaScan to identify where your organisation stands today.