nFADP: new Swiss data protection act (2023)

Q: Does the nFADP apply to Swiss SMEs?

Yes. The nFADP applies to any person or company established in Switzerland that processes personal data of natural persons — regardless of size. SMEs must therefore comply with the new obligations: maintain a register of processing activities (if their processing may present a high risk), appoint a data protection adviser (optional but recommended), notify data breaches to the Federal Data Protection and Information Commissioner (FDPIC) and the persons concerned, and carry out a data protection impact assessment (DPIA) for high-risk processing.

Q: What is the difference between the nFADP and the European GDPR?

The nFADP and the GDPR share the same core principles (data minimisation, transparency, data subjects' rights, security). Notable differences: the nFADP protects only personal data of natural persons (not legal entities), whereas the old FADP also protected legal entities. The register of processing activities is mandatory only for high-risk processing under the nFADP (not universally, as under the GDPR). The criminal penalties under the nFADP target natural persons (fines up to CHF 250,000), not companies — unlike GDPR administrative fines (up to 4% of global turnover).

Q: Does the nFADP require a DPO (Data Protection Officer)?

The nFADP does not make the data protection adviser (DPA) mandatory, unlike the GDPR which requires a DPO in certain cases. Appointment of a DPA is optional under the nFADP but recommended for organisations that regularly process sensitive data on a large scale. Voluntarily appointing a DPA can simplify relations with the FDPIC.

Definition

The nFADP (new Federal Act on Data Protection) is the complete revision of the Swiss Federal Act on Data Protection (FADP) of 25 September 2020, which entered into force on 1 September 2023. It replaces the old FADP of 1992 and fundamentally modernises the Swiss legal framework to bring it in line with technological developments and European standards (GDPR).

It is accompanied by the Ordinance on Data Protection (ODP) and by the directives of the FDPIC (Federal Data Protection and Information Commissioner).

Key obligations

Register of processing activities

Companies whose data processing presents a high risk to the rights of the persons concerned must maintain a register of processing activities documenting: the purpose of the processing, the categories of data, the recipients, the retention periods and the security measures.

Data Protection Impact Assessment (DPIA)

Before launching any data processing likely to present a high risk (profiling, large-scale processing of sensitive data, systematic surveillance), a data protection impact assessment (DPIA) is mandatory.

Breach notification

In the event of a data security breach (leak, hacking, loss), the company must notify the FDPIC without delay if the breach is likely to create a high risk for the persons concerned. Persons directly affected must also be informed.

Privacy by Design and by Default

The nFADP codifies the principles of data protection by design and by default: systems and processes must incorporate data protection from the outset, and the default settings must be the most privacy-protective.

Rights of data subjects

The nFADP strengthens the rights of natural persons whose data is processed:

Right of access — to obtain a copy of the data held.
Right to rectification — to have inaccurate data corrected.
Right to data portability — to receive their data in a structured format.
Right to object — to object to processing, particularly to high-risk profiling.

Swiss context

The nFADP applies to companies established in Switzerland and, by extension, to foreign companies whose processing has effects in Switzerland (an extraterritoriality principle comparable to the GDPR). The FDPIC is the independent supervisory authority responsible for its enforcement. It may conduct investigations and issue binding recommendations.

Unlike the GDPR, whose fines target companies (up to 4% of global turnover), the nFADP provides for criminal penalties against natural persons responsible for infringements — fines up to CHF 250,000 per offence.

How Neoffice addresses it

Neoffice hosts its clients' data on servers located in Switzerland, meeting data localisation requirements. The ERP integrates traceability mechanisms (access logs, change history), role-based access control, and management of data subjects' rights (access, rectification, deletion). These features facilitate nFADP compliance for SME clients.

Termes liés

erp plan comptable suisse swissdec

Questions fréquentes — nFADP

Does the nFADP apply to Swiss SMEs?

What is the difference between the nFADP and the European GDPR?

Does the nFADP require a DPO (Data Protection Officer)?

Secure data in Neoffice

Neoffice hosts your data in Switzerland, applies nFADP principles (minimisation, security, traceability) and helps you document your processing activities.

7-day free trial

Des questions sur nFADP ?

Discutez avec Nora, notre assistante IA, pour en savoir plus sur votre activité.

Nora

En ligne

Bonjour ! Je suis Nora. Vous consultez notre service **nFADP**. Comment puis-je vous aider ?

Propulsé par IA locale — vos données restent en Suisse

What is the nFADP?