revFADP

Revised Federal Act on Data Protection (revFADP)

The revised Federal Act on Data Protection entered into force on 1 September 2023, replacing the 1992 act without a separate transition period. It modernizes Swiss data protection, expands sensitive-data categories to include genetic and biometric data, and introduces GDPR-aligned obligations while remaining less formalistic. The FDPIC supervises and enforces the law.

Jurisdiction: 🇨🇭 Switzerland
Type: Data privacy
In effect: 2023
Authority: Federal Data Protection and Information Commissioner (FDPIC)

Who it applies to

Processing of personal data of natural persons by private persons and federal bodies, including processing outside Switzerland that has effects within the country.

Identity requirements

How it impacts identity systems

Identity area: Impact
Customer identity & consent (CIAM): Requires transparency and a valid basis for processing, with explicit consent for sensitive data including biometrics.
Breach notification: High-risk personal data breaches must be reported to the FDPIC as soon as possible.
Data residency & cross-border transfer: Transfers abroad are allowed only to adequate jurisdictions or under approved safeguards such as standard clauses.
Audit, logging & accountability: Controllers and processors must keep records of processing and apply privacy by design and default.
Identity verification (KYC/proofing): Genetic and biometric identifiers are now expressly sensitive data subject to heightened protection.

Penalties

Intentional serious violations can lead to fines of up to 250,000 Swiss francs, imposed primarily on responsible individuals rather than companies.

revFADP: frequently asked questions

When did the revised Swiss FADP take effect?
It entered into force on 1 September 2023, with no separate grace period beyond that date.

Who is the Swiss data protection regulator?
The Federal Data Protection and Information Commissioner (FDPIC) supervises and enforces the revFADP.

Is the revFADP the same as the EU GDPR?
No. It is aligned with the GDPR and aids Swiss adequacy, but is less formalistic and differs on points such as who bears fines and the scope of obligations.

Educational summary, not legal advice. Confirm current requirements with the relevant authority or counsel.