Market · Switzerland

Switzerland is not the EU

Most consultancies treat "Europe" as one regime and quietly mean the GDPR. That leaves Switzerland exposed. It sits outside both the EU and the EEA, with its own data-protection act, its own regulator, and its own transfer rules. Privello runs the Swiss overlay as a first-class part of the program, not a footnote.

The regime

The revFADP, in force since 1 September 2023

Switzerland's revised Federal Act on Data Protection modernised Swiss law and brought it close to the GDPR — but not identical to it. It carries its own duties to inform data subjects, its own expectations around a register of processing activities, mandatory breach notification to the Federal Data Protection and Information Commissioner, and data-protection impact assessments for high-risk processing.

Crucially, the revFADP added criminal penalties that can fall on responsible individuals, not only administrative fines on the company. That changes how carefully the Swiss layer has to be documented.

See the market-entry program
  • Not the EU, not the EEA. The GDPR does not apply to Switzerland directly; the revFADP governs.
  • Own regulator. The Federal Data Protection and Information Commissioner (FDPIC).
  • Own transfer rules. The Swiss–U.S. Data Privacy Framework, and Swiss-amended SCCs where it does not apply.
  • Personal exposure. Criminal penalties can attach to individuals, raising the cost of getting it wrong.

Transfers

Moving Swiss data to the United States

A Swiss transfer to the U.S. is its own question, separate from the EU one. Switzerland recognises the Swiss–U.S. Data Privacy Framework for transfers to certified U.S. recipients. Where a recipient is not certified, the route is Swiss-amended standard contractual clauses backed by a transfer impact assessment. Privello builds and documents the Swiss mechanism alongside — not merged into — your EU transfer file.

Compare the EU regime

Common questions

Questions about the Swiss market

Is a GDPR program enough for Switzerland?

No. Switzerland is outside the EU and the EEA, so the GDPR does not apply to it directly. Swiss processing is governed by the revised Federal Act on Data Protection (revFADP), in force since 1 September 2023, which closely tracks the GDPR but has its own duties to inform, its own register expectations, and its own transfer regime. A GDPR program is the right base, but it needs a mapped Swiss overlay.

How do we move Swiss personal data to the United States?

Switzerland recognises the Swiss–U.S. Data Privacy Framework for transfers to certified U.S. recipients. Where the recipient is not certified, Swiss-amended standard contractual clauses backed by a transfer impact assessment are the usual route. The Swiss mechanism is distinct from the EU–U.S. one and has to be documented separately.

Who enforces data protection in Switzerland?

The Federal Data Protection and Information Commissioner (FDPIC). The revFADP also introduced criminal penalties that can attach to responsible individuals, not only corporate fines, which raises the stakes for getting the Swiss overlay right.

Scope. Privello LLC is a data-regulation consultancy and is not a law firm; it does not practice Swiss law. Patrick Smith is a U.S.-licensed attorney (State of Texas); his bar admission is stated as a credential only. Where a matter requires formal legal advice under Swiss law, Privello coordinates qualified Swiss counsel. Privello also operates a Swiss-facing sister site at privello.ch.

Begin

Add Switzerland to your European file

Tell us where your Swiss data comes from and where it flows. We will map the revFADP overlay and the Swiss–U.S. transfer mechanism onto your existing program.