Market · Switzerland
Switzerland is not the EU
Most consultancies treat "Europe" as one regime and quietly mean the GDPR. That leaves Switzerland exposed. It sits outside both the EU and the EEA, with its own data-protection act, its own regulator, and its own transfer rules. Privello runs the Swiss overlay as a first-class part of the program, not a footnote.
The regime
The revFADP, in force since 1 September 2023
Switzerland's revised Federal Act on Data Protection modernised Swiss law and brought it close to the GDPR — but not identical to it. It carries its own duties to inform data subjects, its own expectations around a register of processing activities, mandatory breach notification to the Federal Data Protection and Information Commissioner, and data-protection impact assessments for high-risk processing.
Crucially, the revFADP added criminal penalties that can fall on responsible individuals, not only administrative fines on the company. That changes how carefully the Swiss layer has to be documented.
See the market-entry program- Not the EU, not the EEA. The GDPR does not apply to Switzerland directly; the revFADP governs.
- Own regulator. The Federal Data Protection and Information Commissioner (FDPIC).
- Own transfer rules. The Swiss–U.S. Data Privacy Framework, and Swiss-amended SCCs where it does not apply.
- Personal exposure. Criminal penalties can attach to individuals, raising the cost of getting it wrong.
Transfers
Moving Swiss data to the United States
A Swiss transfer to the U.S. is its own question, separate from the EU one. Switzerland recognises the Swiss–U.S. Data Privacy Framework for transfers to certified U.S. recipients. Where a recipient is not certified, the route is Swiss-amended standard contractual clauses backed by a transfer impact assessment. Privello builds and documents the Swiss mechanism alongside — not merged into — your EU transfer file.
Common questions
Questions about the Swiss market
Is a GDPR program enough for Switzerland?
No. Switzerland is outside the EU and the EEA, so the GDPR does not apply to it directly. Swiss processing is governed by the revised Federal Act on Data Protection (revFADP), in force since 1 September 2023, which closely tracks the GDPR but has its own duties to inform, its own register expectations, and its own transfer regime. A GDPR program is the right base, but it needs a mapped Swiss overlay.
How do we move Swiss personal data to the United States?
Switzerland recognises the Swiss–U.S. Data Privacy Framework for transfers to certified U.S. recipients. Where the recipient is not certified, Swiss-amended standard contractual clauses backed by a transfer impact assessment are the usual route. The Swiss mechanism is distinct from the EU–U.S. one and has to be documented separately.
Who enforces data protection in Switzerland?
The Federal Data Protection and Information Commissioner (FDPIC). The revFADP also introduced criminal penalties that can attach to responsible individuals, not only corporate fines, which raises the stakes for getting the Swiss overlay right.
Begin
Add Switzerland to your European file
Tell us where your Swiss data comes from and where it flows. We will map the revFADP overlay and the Swiss–U.S. transfer mechanism onto your existing program.