How does the new Data Protection Act affect me?

Internet Risks

Switzerland's new Federal Act on Data Protection (Data Protection Act, FADP) entered into force on 1 September 2023. The new FADP now also covers social media. The definition of sensitive data has been expanded, and projects must now take account of data protection already from the outset. The new law gives private individuals more and better options for controlling their data located at providers. Making use of these options requires a certain amount of knowledge. We summarise the most important points below.


The new Data Protection Act entered into force in Switzerland on 1 September 2023. It now also covers situations arising from use of the internet and social media platforms. The new Swiss law is now again compatible with EU law, in particular with the General Data Protection Regulation (GDPR).

What is protected?
Data of natural persons is protected. Personal data includes all information that is directly linked to a person, such as name, date of birth, and email address. Sensitive data now also includes genetic and biometric data.

How is data protected?
Anyone wanting to use personal data must inform the persons concerned – referred to as the "data subjects" – in advance. The information provided must include an exact specification of which data is collected and for what purpose it is used. The data may not be used for any purposes other than those stated. It must also be disclosed which third parties have access to the data. Explicit consent is required for the use of sensitive data. Anyone who does not want to disclose their data can refuse to have it stored. The principles of "privacy by design" and "privacy by default" are enshrined in the new law. This means that if a new product or service is offered, data security must be taken into account from the outset and the highest level of security for data protection must be ensured by default. As soon as the personal data is no longer required for the stated purpose, it must be deleted or anonymised.

What influence do I have on data that has already been stored?
Under the new Data Protection Act, every person has the right to know what data is stored about them and how this data is used ("right to information"). They can have this data corrected or even deleted. The contact address for that purpose must be stated in the organisation's privacy policy, and the requested information must be disclosed within 30 days following a request.

What happens if an organisation is hacked and my data is stolen?
If the protection of personal data can no longer be ensured due to a cyberattack or for other reasons, thereby posing a high risk to data subjects, the incident must be reported immediately to the Federal Data Protection and Information Commissioner and to all potentially affected parties and individuals. The organisations must take remedial action to minimise the risks to those affected.


Instructions and checklists