In one sentence. The revised Swiss FADP (nFADP) in force since 1 September 2023 and the GDPR in force since 25 May 2018 share most concepts but diverge on three operational points: (1) breach notification timing — FADP requires “as soon as possible” with no fixed deadline vs 72 hours under GDPR Article 33; (2) sanctions — FADP fines up to CHF 250,000 imposed on individuals (not entities) vs GDPR’s €20M / 4% on legal persons; (3) supervisory authority — Switzerland has a single FDPIC vs the EU’s network of DPAs coordinated by the EDPB. Switzerland was granted renewed adequacy by the Commission on 15 January 2024.
For multinationals operating in both jurisdictions, compliance design must reconcile the GDPR baseline with FADP-specific obligations on consent for high-risk profiling, ROPA exemption thresholds, and personal criminal liability.
Key takeaways
- nFADP in force 1 September 2023; GDPR in force 25 May 2018.
- Breach notification: FADP “as soon as possible” vs GDPR 72 hours.
- Sanctions: FADP CHF 250,000 on individuals vs GDPR €20M/4% on entities.
- Supervisory authority: FDPIC (Switzerland) vs EDPB + national DPAs (EU).
- Renewed Commission adequacy decision for Switzerland: 15 January 2024.
- ROPA exemption higher under FADP (companies <250 employees with low-risk processing).
1. Breach notification — side-by-side
| Aspect | FADP (Art. 24) | GDPR (Art. 33-34) |
|---|---|---|
| Threshold | Likely high risk to data subject | Likely risk to rights and freedoms |
| Deadline to authority | As soon as possible (no fixed hours) | 72 hours after awareness |
| Authority | FDPIC | Competent supervisory authority |
| Notification to data subject | If necessary for protection / if FDPIC requires | If high risk (Article 34) |
| Documentation duty | Implicit | Article 33(5) explicit |
The FADP’s “as soon as possible” is intentionally flexible, but the Federal Council message indicates that 72 hours is a reasonable benchmark in practice.
2. Sanctions — fundamentally different model
FADP (Articles 60-65):
- Maximum fine: CHF 250,000
- Sanction imposed on the responsible individual (not the company)
- Criminal procedure (cantonal prosecutor)
- Limited to specific willful violations (consent, information, due diligence)
GDPR (Article 83):
- Maximum fine: €20M or 4% of global turnover (top tier)
- Sanction imposed on the legal entity (controller or processor)
- Administrative procedure (DPA)
- Broad scope across most GDPR violations
Key consequence: under FADP, a CEO or DPO can face personal criminal liability of up to CHF 250,000; under GDPR, the company pays. Companies operating in Switzerland must therefore consider personal liability training and director protections.
3. Supervisory authorities
Switzerland — FDPIC (Federal Data Protection and Information Commissioner):
- Single national authority
- Located in Bern
- Investigation, recommendation, order powers
- Cannot impose fines directly (those go through criminal courts)
EU — Network model:
- National DPA in each Member State
- EDPB for consistency and binding decisions in cross-border cases
- Lead supervisory authority under Article 56 (one-stop-shop)
- Direct administrative fining power
4. Adequacy: Switzerland’s status
Commission Implementing Decision (EU) 2024/254 of 15 January 2024 confirmed Switzerland’s adequacy under nFADP. Effect:
- EU-to-Switzerland transfers flow freely (no SCCs required)
- Switzerland-to-EU transfers similarly recognised
- Adequacy reviewed every 4 years
5. ROPA thresholds
FADP: SMEs with <250 employees and low-risk processing exempt (similar to GDPR Article 30(5)).
GDPR Article 30(5): same threshold but exemption almost never applies in practice (risk threshold easy to meet).
In practice both jurisdictions require ROPA for SaaS, e-commerce, and HR processing.
6. Consent and high-risk profiling
FADP (Article 6): explicit consent required for processing involving high-risk profiling (specific provision).
GDPR (Article 9 + 22): special categories require explicit consent (Article 9(2)(a)); automated decisions with significant effect require Article 22 conditions.
The FADP wording is narrower but the regulatory effect is similar.
7. DPO / data protection advisor
FADP: Article 10 provides for a Data Protection Advisor (DPA) — designation is optional and triggers procedural advantages (DPIA review without FDPIC consultation).
GDPR: DPO mandatory in three cases (Article 37(1)); see Article 39 DPO tasks.
8. International transfers
FADP (Articles 16-17): adequacy list maintained by Federal Council; safeguards (SCCs, BCRs) otherwise; derogations narrow.
GDPR (Articles 44-50): see Article 44 transfers.
Both jurisdictions now recognise the EU SCCs (2021) for transfers; Switzerland accepts EU SCCs with the FDPIC’s addenda.
9. Rights of data subjects
Largely aligned: access, rectification, erasure, restriction, portability, objection. Slight FADP differences:
- No specific Article 22 equivalent (handled through high-risk profiling provisions)
- Information rights detail more limited than GDPR Articles 13-14
10. Practical dual-compliance checklist
- ROPA covers both Swiss and EU activities (same data model satisfies both)
- Breach response procedure with 72-hour clock satisfies both
- Privacy notice combines FADP + GDPR information requirements
- International transfer mechanisms apply (EU SCCs with Swiss addenda)
- DPO appointment satisfies GDPR; doubles as FADP advisor
- Director and officer liability insurance addresses personal FADP exposure
- Cross-references to GDPR Article 33
11. Tooling
Legiscope supports dual FADP + GDPR compliance: unified ROPA covering both regimes, breach notification timer with FDPIC + DPA forms, transfer mechanism management with Switzerland adequacy, personal liability training tracker.
FAQ
What’s the breach notification deadline under FADP vs GDPR?
FADP requires notification to the FDPIC “as soon as possible” with no fixed deadline. GDPR Article 33 imposes 72 hours from awareness. In practice both converge on a ~72h benchmark.
What are the sanctions under FADP vs GDPR?
FADP: maximum CHF 250,000, imposed on the responsible individual through criminal proceedings. GDPR: maximum €20M or 4% of global turnover, imposed on the legal entity by administrative DPA decision.
Who are the supervisory authorities?
Switzerland has a single FDPIC. The EU has a network of national DPAs coordinated by the EDPB, with a lead authority under the one-stop-shop mechanism (Article 56 GDPR).
Is Switzerland adequate for GDPR transfers?
Yes — Commission Implementing Decision (EU) 2024/254 of 15 January 2024 renewed Switzerland’s adequacy under the nFADP for another 4 years.
Do I need separate compliance programmes for FADP and GDPR?
No. A well-designed unified programme satisfies both. Key adjustments: personal liability awareness for FADP, EU SCCs with Swiss addenda for transfers, breach process aligned on 72 hours.


