When European companies think about data protection fines, they picture billion-euro penalties handed to multinationals such as Google, Meta and Amazon. The GDPR targets companies. Switzerland's new Federal Act on Data Protection (nFADP, known as nDSG in German and nLPD in French) targets people. This fundamental distinction is still unknown to most Swiss SME leaders, and it changes everything.
Since 1 September 2023, the revised nFADP has been in force. Its sanctions framework, set out in Articles 60 to 66, establishes personal criminal liability reaching up to CHF 250,000. This guide explains who faces what risk, in which situations, and how to protect yourself and your organisation.
Criminal law, not administrative fines: a completely different logic from the GDPR
The first thing to understand is that nFADP sanctions are not administrative fines; they are criminal offences. It is not the supervisory authority that directly levies a financial penalty against a company; it is the public prosecutor who pursues a specifically identified natural person under criminal law.
This approach has important consequences:
- Convictions appear on the criminal record of the individual concerned
- Proceedings follow the Swiss Code of Criminal Procedure (CCP)
- Companies cannot be directly penalised under the nFADP (unlike the GDPR)
- Prosecution requires a complaint: the FDPIC cannot act ex officio for criminal offences
Who can be prosecuted?
The nFADP targets responsible natural persons within the organisation. In practice, this can include:
- Chief executives and members of the management board
- IT managers (CIO, CTO) supervising data processing systems
- Data Protection Officers (where appointed)
- Any employee who personally committed or ordered the violation
Responsibility is assessed concretely: who took the faulty decision? Who had the power to act and failed to do so? That person faces the sanction, not necessarily the formal head of the organisation.
The four categories of sanctioned violations
1. Breach of information obligations (Art. 60)
The controller must inform data subjects when collecting personal data. This obligation covers:
- The identity and contact details of the controller
- The purpose of the processing
- The categories of data processed
- Recipients or categories of recipients
- Where applicable, cross-border disclosure of data
Real-world scenario: A Swiss online retailer installs Google Analytics 4 and a Meta Pixel without mentioning these tools in its privacy policy or disclosing that data is transferred to the United States. The marketing manager who carried out the installation can be personally held liable.
Maximum penalty: CHF 250,000 (Art. 60 para. 1)
2. Breach of due diligence obligations (Art. 61)
This offence covers failures to meet security and data protection obligations, including:
- Absence of adequate technical and organisational measures (TOMs)
- Failure to maintain a record of processing activities where required
- Failure to carry out a mandatory Data Protection Impact Assessment (DPIA)
- Cross-border data transfers without appropriate safeguards
Real-world scenario: A 300-employee fiduciary firm processes sensitive tax data on an unencrypted server, with no formalised processing register and no documented risk assessment. In the event of a data leak, the IT director who approved this infrastructure can face criminal prosecution.
Maximum penalty: CHF 250,000 (Art. 61)
3. Breach of professional secrecy (Art. 62)
Certain professions bound by confidentiality obligations (doctors, lawyers, auditors, etc.) face enhanced requirements. The unauthorised disclosure of personal data obtained in that professional context constitutes a separate criminal offence.
Maximum penalty: CHF 250,000 (Art. 62)
4. Breach of cooperation duties with the FDPIC (Art. 63-64)
The FDPIC has broad investigative powers. Refusing to cooperate with an investigation, providing false information, or failing to comply with the authority's orders constitutes an autonomous offence.
Maximum penalty: CHF 250,000
Comparison table: nFADP penalties vs GDPR fines
| Criterion | nFADP (Switzerland) | GDPR (EU) |
|---|---|---|
| Nature of sanction | Criminal (penal offence) | Administrative (direct fine) |
| Target | Individual (responsible natural person) | Organisation (legal or natural person) |
| Maximum amount | CHF 250,000 per offence | €20 million or 4% of global turnover |
| Authority | Public prosecutor (on complaint) | Supervisory authority (ex officio) |
| Consequences | Criminal record entry | Public sanctions register |
| Limitation period | 3 years from the date of the offence | Varies by member state |
| Corporate joint liability | Not provided for under nFADP | Yes, under the GDPR |
The contrast is stark. Under the GDPR, Amazon received a €746 million fine as a company. Under the nFADP, it is the director or IT manager of a Swiss SME in Zurich or Lausanne who ends up personally before the public prosecutor.
The role of the FDPIC: investigator, not judge
The Federal Data Protection and Information Commissioner (FDPIC) is the independent supervisory authority responsible for overseeing compliance with the nFADP. Its powers are substantial:
- Open investigations on its own initiative or following a complaint
- Request information from controllers
- Issue recommendations
- Issue orders requiring corrective measures
- File a criminal complaint with the public prosecutor for statutory violations
Critically, the FDPIC does not itself impose criminal fines. It investigates, identifies violations, and may refer the case to the competent public prosecutor who can then initiate criminal proceedings.
In practice, the FDPIC has published several investigations against major Swiss organisations in its annual activity reports, notably in the banking, insurance, and healthcare sectors.
Real cases: when Swiss SMEs put themselves at risk
Case 1: The e-commerce site with a non-compliant cookie banner
A Geneva-based online shop with 15 employees uses Google Analytics, Hotjar, and the Facebook Pixel. It displays a "We use cookies" banner with a single "Accept" button: no rejection option, no cookie list, no mention of transfers to the United States.
Risk: Violation of information obligations (Art. 60) and due diligence obligations (Art. 61). The website manager or CEO can be personally held liable if a user or the FDPIC files a complaint.
Case 2: The data breach with no notification
A Zurich HR consultancy suffers a cyberattack. Personal data (CVs, salaries, performance reviews) belonging to 500 candidates is exfiltrated. Management decides not to notify the FDPIC to "avoid a scandal". Three months later, the data surfaces on an online forum.
Risk: Violation of due diligence obligations and obstruction of an investigation. The HR director and IT manager expose themselves to criminal prosecution. The failure to notify significantly aggravates the situation.
Case 3: The negligent IT service provider
A Basel fiduciary outsources its hosting to an IT provider that stores client data without encryption, without formalised access controls, and without a data processing agreement compliant with Art. 9 nFADP. During an FDPIC audit, the fiduciary firm, and its director, bear responsibility, even though the service provider was at fault.
Risk: The controller remains accountable for its processors. The fiduciary's management can face criminal proceedings.
Case 4: The undisclosed contact form
A Valais medical practice collects health data through an online form hosted on a server in Germany. Neither the privacy policy nor patients are informed of this cross-border transfer. No DPIA, no contractual safeguards in place.
Risk: Violation of information obligations and due diligence obligations for sensitive data (health). Maximum exposure under Art. 60 and 61.
How to protect yourself: essential compliance measures
1. Map your data processing activities
Start with a comprehensive inventory: what data do you collect? On which systems? With which service providers? In which countries? This mapping exercise is the foundation of any serious compliance effort.
2. Document everything
In the event of a dispute or investigation, documentation is your first line of defence. Keep records of:
- The record of processing activities (even in simplified form for SMEs with fewer than 250 employees)
- Data Protection Impact Assessments carried out
- Contracts with processors (data protection clauses)
- Evidence of user consent
- Internal security procedures
3. Deploy a compliant consent banner
The banner must make it as easy to decline as to accept. Third-party scripts (analytics, social media, advertising) must be blocked until consent is granted. This is the legal minimum.
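One way to implement the script-blocking described above, as an added example that is not part of the original article: third-party tags are embedded inert and only activated for the categories the visitor granted, with "declined" as the default. The tag inventory, the `data-consent`/`data-src` attributes, the `consent` storage key and the placeholder URLs are all assumptions.

```javascript
// Added example (not from the original article): consent-gated loading of
// third-party tags. Scripts are embedded as <script type="text/plain"
// data-consent="analytics" data-src="..."> so the browser never executes them.
const CATEGORIES = ["analytics", "marketing"];

// Constructed inventory standing in for the site's GA4 / Hotjar / Meta Pixel tags;
// the URLs are placeholders, not the vendors' real endpoints.
const THIRD_PARTY_TAGS = [
  { id: "ga4", category: "analytics", src: "https://example.invalid/ga4.js" },
  { id: "hotjar", category: "analytics", src: "https://example.invalid/hotjar.js" },
  { id: "meta-pixel", category: "marketing", src: "https://example.invalid/fbevents.js" },
];

// Parse the stored consent record. Anything missing, malformed or not an
// explicit boolean true is treated as "declined": the safe default is no consent.
function parseConsent(raw) {
  let parsed = {};
  try { parsed = JSON.parse(raw) || {}; } catch (e) { parsed = {}; }
  const consent = {};
  for (const c of CATEGORIES) consent[c] = parsed[c] === true;
  return consent;
}

// Return only the tags whose category the visitor explicitly granted.
function tagsAllowed(tags, consent) {
  return tags.filter((t) => consent[t.category] === true);
}

// Browser side: swap each allowed placeholder for a real <script> so it loads.
// Declined tags stay inert as type="text/plain" and are never executed.
function activateScripts(doc, consent) {
  const placeholders = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  const allowed = tagsAllowed(
    placeholders.map((el) => ({ el, category: el.dataset.consent, src: el.dataset.src })),
    consent,
  );
  for (const tag of allowed) {
    const s = doc.createElement("script");
    s.src = tag.src;
    s.async = true;
    tag.el.replaceWith(s);
  }
  return allowed.length;
}

if (typeof document !== "undefined") {
  // Reads the record the banner wrote; a fresh visitor has none, so nothing loads.
  activateScripts(document, parseConsent(localStorage.getItem("consent")));
}
```

The banner's "Decline" path simply never writes `true` for a category, so the default-deny parser keeps those tags inert without any extra logic.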
4. Train your staff
Criminal liability can reach any employee who made a faulty decision. Even a half-day training session on the basic obligations under the nFADP significantly reduces risk across the organisation.
5. Appoint an internal responsible person
Even though the nFADP does not make a Data Protection Officer mandatory for most SMEs, designating an internal (or external) contact person creates clear accountability and makes incident coordination far easier.
Insurance: D&O and cyber cover as complementary protection
Faced with the risk of personal liability, two types of insurance deserve serious consideration:
Directors and Officers liability insurance (D&O): covers defence costs and damages arising from the personal liability of a director for breaches committed in the exercise of their duties. Some policies explicitly include regulatory violations.
Cyber liability insurance: covers costs associated with a data breach: notification of affected individuals, crisis management, IT remediation, and in some cases legal defence costs. Criminal fines are generally excluded, but the overall financial impact of an incident is substantially reduced.
Important: review your policy exclusions carefully. Some insurers exclude intentional violations or "deliberate" regulatory breaches, a provision that can be invoked if you have taken no compliance measures whatsoever.
What the nFADP does not punish
It is important not to over-interpret the sanctions regime. The nFADP does not punish imperfection; it punishes gross negligence and deliberate disregard of obligations. An SME that:
- made a genuine good-faith effort to comply,
- documented its steps,
- corrected identified shortcomings when they came to light,
...will be in a far stronger position than one that did nothing, even if its compliance is not perfect.
The FDPIC has publicly stated that it favours a preventive and educational approach, particularly with good-faith SMEs, before resorting to criminal referrals.
The best protection against nFADP sanctions starts with knowing exactly which trackers and cookies are active on your website. Scan your site for free with PrivaScan and get an instant compliance report.