revDSG / FADP 2023 Overview

The revised Swiss Federal Act on Data Protection (revDSG, also known as FADP) modernizes Swiss data protection law to maintain compatibility with international standards, particularly the European Union's GDPR. Understanding revDSG is essential for organizations processing data of Swiss residents.

Understanding revDSG

The revised Federal Data Protection Act took effect on September 1, 2023, replacing the previous version from 1992. The revision aligns Swiss law with GDPR standards to maintain the EU adequacy decision enabling free data flows between Switzerland and the European Union. The law strengthens individual rights while maintaining Switzerland's distinct approach to data protection.

Key Revisions

Enhanced information obligations now apply to all personal data collection, not just sensitive data. Organizations must provide comprehensive information about data processing whenever they collect personal data. Individuals must be informed of the identity of the controller, processing purposes, recipient categories, and data transfer details.

Record-keeping obligations require organizations to maintain records of processing activities. Both data controllers and processors face documentation requirements. Small and medium enterprises with fewer than 250 employees may be exempt if their processing presents minimal risk to data subjects.

Privacy by design and by default principles now have explicit legal backing. Organizations must consider data protection when designing systems and processes. Default settings must favor data protection, processing only data necessary for stated purposes.

Data protection impact assessments are required when processing may result in high risk to individuals. The Federal Data Protection and Information Commissioner (FDPIC, or EDÖB in German) may be consulted when assessments indicate high remaining risks.

Sanctions

The revised law introduces significant sanctions for violations. Fines up to 250,000 Swiss francs may be imposed on natural persons, not just organizations. This personal liability represents a significant departure from the previous regime. Criminal responsibility requires intentional violation, though negligent violations may still face administrative consequences.

EDÖB Authority

The Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB, Federal Data Protection and Information Commissioner) serves as the supervisory authority. The EDÖB issues guidance, investigates complaints, and can order corrective measures for violations.