Switzerland's revised Federal Act on Data Protection (nFADP, also known as revDSG or nDSG) came into force on 1 September 2023, bringing Swiss privacy law significantly closer to European standards. Yet despite the alignment, the nFADP and the EU's General Data Protection Regulation (GDPR) differ in ways that matter enormously for Swiss SMEs — especially those with customers, suppliers, or employees in the European Union.
This guide cuts through the complexity and explains the 10 most important differences between the nFADP and the GDPR, with concrete implications for your business.
Quick Comparison Table
| Criterion | nFADP (Switzerland) | GDPR (EU) |
|---|---|---|
| Personal scope | Natural persons only (since 2023 revision) | Natural persons only |
| Fines | Up to CHF 250,000 (criminal, natural person) | Up to €20 million or 4% of global turnover (administrative, company) |
| Data Protection Officer | Optional (recommended) | Mandatory in certain cases |
| Legal basis default | Overriding interest | Consent / legitimate interest |
| Breach notification | Without delay if high risk | Within 72 hours if risk to individuals' rights and freedoms |
| Processing register | All companies in principle | Companies > 250 employees or high-risk processing |
| Supervisory authority | FDPIC | National authority per EU member state |
| Cross-border transfers | FDPIC adequacy list | EU Commission adequacy decision |
| DPO obligation | Art. 10 nFADP: recommended | Art. 37 GDPR: mandatory (specific cases) |
| Special data categories | Includes genetic + biometric data | Similar list, partially different |
1. Personal Scope: Alignment with the GDPR
nFADP: With the revision effective 1 September 2023, Switzerland's law now protects only natural persons. The previous FADP also covered legal entities — this uniquely Swiss feature was dropped to align with European standards.
GDPR: The regulation covers only natural persons. Data about companies or organisations falls entirely outside its scope.
Practical implication: Both laws are now aligned on this point. B2B contact data relating to natural persons (e.g. contacts within companies) remains protected. Purely corporate data (company names, trade register entries) no longer falls under the nFADP.
2. Sanctions: Criminal vs Administrative
This is perhaps the most important difference — and the most commonly misunderstood.
nFADP: Violations are sanctioned under criminal law, with fines up to CHF 250,000. Crucially, liability targets natural persons — executives, IT managers, compliance officers — not the company itself. Prosecution typically requires a complaint or action by the Federal Data Protection and Information Commissioner (FDPIC).
GDPR: Fines are administrative and target the company directly — up to €20 million or 4% of annual global turnover, whichever is higher. Supervisory authorities can impose these fines on their own initiative.
Practical implication: Under the nFADP, company leaders face personal criminal exposure. Under the GDPR, the company bears the financial risk. Both risks can exist simultaneously if you have EU customers — making personal and corporate compliance equally important.
3. Data Protection Officer (DPO)
nFADP (Art. 10): Appointing a data protection adviser is voluntary but strongly recommended. If you do appoint one, they must be independent and benefit from dismissal protection.
GDPR (Art. 37): A DPO is mandatory for public authorities, organisations whose core activities involve large-scale systematic monitoring, and those processing special categories of data at scale.
Practical implication: Most Swiss SMEs are not legally required to appoint a DPO under either law. However, designating an internal person responsible for data protection significantly reduces personal criminal risk under the nFADP and demonstrates good-faith GDPR compliance.
4. Lawful Basis for Processing
nFADP: Processing is generally lawful unless it violates the core principles of the Act (Art. 6 nFADP). An overriding interest of the controller can justify processing in many situations. Explicit consent is not always required.
GDPR (Art. 6): One of six explicit legal bases must be identified for each processing activity: consent, contract, legal obligation, vital interests, public task, or legitimate interests. The chosen basis must be documented and communicated to data subjects.
Practical implication: The nFADP gives slightly more flexibility for routine processing. Once EU users are involved, you must map and document a GDPR legal basis for every processing activity — which demands greater operational rigour across your systems.
5. Data Breach Notification
nFADP (Art. 24): Breaches likely to result in high risk to data subjects must be reported to the FDPIC without delay. Notification to affected individuals is required only when necessary for their protection.
GDPR (Art. 33–34): Any breach likely to result in a risk to individuals must be reported to the supervisory authority within 72 hours of becoming aware of it — unless the breach is unlikely to result in any risk. High-risk breaches also require direct notification to affected individuals.
Practical implication: The GDPR's 72-hour clock is strict and unforgiving. The nFADP also demands prompt action but without a fixed deadline. Prepare an incident response plan now — with clear internal escalation, FDPIC notification templates, and a communications protocol for affected individuals.
6. Territorial Scope
nFADP: Applies to organisations established in Switzerland and to foreign organisations whose processing has effects in Switzerland (the effects principle).
GDPR: Applies to any organisation that offers goods or services to EU residents, or monitors their behaviour — regardless of where the organisation is based.
Practical implication: A Zurich-based SME with an English-language website serving German or French customers is subject to both laws simultaneously. A company operating exclusively within Switzerland only needs to comply with the nFADP. If in doubt, GDPR likely applies.
7. Rights of Data Subjects
Both laws grant similar rights — access, rectification, erasure, and data portability — with meaningful differences in implementation:
nFADP (Art. 25): Enhanced right to information from the moment of data collection. The right of access is generally free of charge except in cases of abuse. Right to data portability exists but is less prescriptive than under GDPR.
GDPR (Art. 15–22): Highly detailed rights with a one-month response deadline (extendable to three months for complex requests). Right to data portability in a structured, commonly used, machine-readable format. Explicit right to object to profiling.
Practical implication: Set up a dedicated internal process for handling data subject requests. Under the GDPR, the one-month clock starts from the date of the request — not when you acknowledge it. Log all requests and responses for accountability purposes.
8. International Data Transfers
nFADP: The FDPIC maintains a list of countries with an adequate level of data protection. Transfers to other countries require appropriate safeguards (Swiss Standard Contractual Clauses, BCRs, or similar).
GDPR: The EU Commission maintains its own separate adequacy list. Switzerland is recognised as adequate by the EU. The reverse is not automatic — Swiss adequacy decisions are based on FDPIC assessments and may differ.
Practical implication: Transferring data to the US or other third countries requires compliance with both frameworks. Scrutinise your contracts with cloud providers, CRM platforms, and marketing tools — SCCs and supplementary measures may be needed under one or both laws depending on the data flows involved.
9. Record of Processing Activities
nFADP (Art. 12): In principle, all companies must maintain a record of processing activities. Exceptions apply for companies with fewer than 250 employees whose processing does not carry high risk for data subjects.
GDPR (Art. 30): The obligation applies to companies with more than 250 employees; smaller companies are also covered if their processing is not occasional, poses risks to rights and freedoms, or involves special categories of data.
Practical implication: The nFADP is potentially stricter for small businesses. A 10-person startup in Lausanne may be exempt from the GDPR register obligation but still required to maintain one under the nFADP. Start with a simple, well-structured register from day one — it supports compliance with both laws and reduces risk in the event of an FDPIC inquiry.
10. Supervisory Authorities
nFADP: The Federal Data Protection and Information Commissioner (FDPIC) is Switzerland's sole supervisory authority. The FDPIC issues recommendations, conducts investigations, and can issue binding orders.
GDPR: Every EU member state has its own supervisory authority — for example, the CNIL in France, the BfDI in Germany, and the ICO in the UK. The "one-stop-shop" mechanism routes cross-border cases through the authority in the country of an organisation's main EU establishment.
Practical implication: For Switzerland-only operations, you have a single regulator to engage with. Once EU activities are involved, multiple authorities may assert jurisdiction. Stay informed via edoeb.admin.ch for Swiss guidance, and monitor the relevant national DPAs in your key EU markets.
When Both Laws Apply Simultaneously
Your Swiss SME is subject to both laws at the same time if you:
- Offer products or services to EU residents (even for free),
- Monitor the online behaviour of EU residents (cookies, tracking pixels, analytics), or
- Have employees, freelancers, or data processors located in the EU.
The practical rule: apply the higher standard. In most cases, the GDPR is more demanding — stricter deadlines, a mandatory DPO in certain cases, and much larger fines targeting the company. However, the nFADP has uniquely Swiss requirements that have no EU equivalent: personal criminal liability for executives and a broader register obligation.
Checklist for dual-exposure companies:
- Privacy policy that addresses both laws (or market-specific versions)
- Complete record of processing activities (Art. 12 nFADP + Art. 30 GDPR)
- Documented breach response procedure (72h GDPR clock for EU data subjects)
- Legal basis documented for each processing activity
- Data processing agreements compliant with both legal frameworks
- GDPR-compliant cookie banner for EU visitors
- Internal person responsible for data protection, or a DPO where appropriate
Conclusion
The nFADP and GDPR share a common philosophy but diverge in their enforcement mechanisms, sanctions, and day-to-day requirements. For a Swiss SME operating exclusively in Switzerland, only the nFADP applies. The moment EU customers, partners, or data processors enter the picture, GDPR comes into force alongside it.
The encouraging reality: the two laws are similar enough that a single, well-designed compliance programme covers the majority of both frameworks. Investing in data protection is also a competitive differentiator — Swiss and European customers increasingly make purchasing decisions based on how seriously you take their privacy.
Not sure whether your website is compliant with the nFADP? Run a free analysis with PrivaScan — automatic detection of cookies, trackers, and compliance gaps in minutes.