Draft revision of the Swiss Federal Data Protection Act compared with the legal situation in the EU

Your contact

On 21 December 2016, the Federal Department of Justice and Police published a draft bill of the revised Swiss Federal Data Protection Act (FDPA). The proposed amendments are intended to adapt the existing law so as to align it with old and new developments on the European level, in particular the amendments introduced into European law by the General Data Protection Regulation (GDPR), which will apply from 25 May 2018, replacing Directive 95/46/EC, and the draft protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS 108) of 15/16 June 2016, expected to be adopted by the Council of Europe in early 2017.


1. Geographic scope

The FDPA has already been interpreted by Swiss courts to apply to data processing activities outside of Switzerland that have notable effects in Switzerland (“effects principle”).

The GDPR explicitly extends the geographic reach of EU data protection law by applying EU law to activities of controllers and processors established in the EU even if the processing takes place outside the EU, and to processing activities of controllers and processors not established in the EU that are related to the offering of goods or services to the relevant data subjects in the EU or to the monitoring of the behaviour of individuals taking place within the EU.

2. Substantive scope

According to the draft revised FDPA, the substantive scope shall be limited to data concerning individuals (natural persons) and shall no longer cover personal data of legal entities (corporations). A particularity of Swiss law without counterpart in EU law, it had little practical effects but caused many furrowed brows.

The FDPA’s definition of sensitive personal data shall be extended to biometric and genetic data, in compliance with the GDPR.

3. New terminology

“Profiling” (a dynamic process) shall replace “personality profile” (the static result of data processing activities) and “controller” shall replace “controller of the data file”, to bring the terminology of the FDPA in line with the GDPR. The term “data collection” (Datensammlung, fichier) shall be dropped altogether.

4. Qualification of the consent

The draft revised FDPA adds to the existing consent requirement that the consent must be given “unambiguously”. The consent for the processing of sensitive personal data shall be – in the French and Italian versions – exprès and espresso, thereby making clear that such consent can also be given implicitly by a clear affirmative action, all in line with the GDPR.

Already under the existing FDPA, consent should cover all of the purposes for which the data are being processed, so that a later processing for a purpose originally not recognisable for the data subject is not permitted without new consent, in line with the GDPR.

5. The data subject’s right to information and to be forgotten

The draft revised FDPA aims at strengthening the individual’s rights and increasing transparency. In particular it requires ay federal body and private person to inform the data subject when collecting any category of personal data, not just sensitive personal data.

In compliance with the GDPR, the FDPA shall explicitly regulate the obligation to delete personal data when the original purpose for processing the data no longer justifies their retention, and shall give the data subject an explicit right to have them deleted.

6. Rights in data of the dead

According to the draft revised FDPA, anybody who can show a legitimate interest shall have access to the personal data relating to a deceased person, whereby such legitimate interest is presumed for children, grandchildren or parents of the deceased person or their spouses, registered partners or de facto spouses.

7. Automated individual decision-making

The draft revised FDPA, in compliance with in the GDPR, requires information and consultation when a controller takes a decision solely on the basis of automated data processing without human intervention or evaluation, which produces legal effects for or significantly affects the data subject. Such information and consultation can also be carried out retroactively.

8. Data protection by design and by default

The draft revised FDPA as well as the GDPR provide that the controller shall implement appropriate technical and organizational measures to reduce the risk of violations of personality or fundamental rights and prevent such violations (so-called privacy by design) and for ensuring that, as a standard, only personal data which are necessary for each specific purpose are processed (so-called privacy by default).

9. International data transfer

The FDPA continues to allow the transfer of personal data only to countries with an adequate level of data privacy protection. The Federal Council shall be competent to attest bindingly the adequacy of protection of a specific country. If there is no adequate foreign protection, data may still be transferred on the basis of international treaties (such as ETS 108), individual contractual agreements previously notified to the Commissioner, approved standardised safeguards, or approved internal data protection regulations that apply to all of the transferring and receiving entities.

10. Extended duties and powers of the Commissioner

According to the draft revised FDPA, the commissioner’s powers to supervise compliance with the FDPA shall be extended to all private persons and shall not be limited to specific cases. The commissioner also shall be enabled to render administrative decisions binding for the parties, but he or she shall still not have the power to impose fines and other penalties. Also under EU law, the supervisory authority is given broader responsibilities.

11. Administrative fines and penalties

According to the draft revised FDPA, the penal provisions shall be extended. This shall be in compliance with the GDPR with the exception that the supervisory authority has the investigative power to impose administrative fines and that it is up to the member states to lay down the rules on other penalties applicable to infringement of the GDPR. The maximum amount of fines is increased to CHF 500,000, and violations of the duty of professional confidentiality may be sanctioned with imprisonment of up to three years or a monetary penalty of up to CHF 1,080,000. In the case of violations committed within a business undertaking, the law enforcement authorities may either prosecute the responsible persons or instead condemn the company to pay the fine.

Share post

most read


MLL Legal

MLL Legal is one of the leading law firms in Switzerland with offices in Zurich, Geneva, Zug, Lausanne, London and Madrid. We advise our clients in all areas of business law and stand out in particular for our first-class industry expertise in technical-innovative specialist areas, but also in regulated industries.

MLL Meyerlustenberger Lachenal Froriep


Much is still unclear in relation to liability questions around AI tools.

Read our latest post about “Liability during the Lifecycle of an AI Tool” and download our white paper.

Show article.

Our Story

MLL Legal is a leading Swiss law firm with a history that dates back to 1885. The firm has grown both organically and by means of strategic mergers, the latest of which took place on 1st July 2021 between Meyerlustenberger Lachenal and FRORIEP.

The merger establishes MLL Legal, a combined new entity as one of the largest commercial law firms in Switzerland with 150 lawyers in four offices in Switzerland and two offices abroad, in London and Madrid serving clients seeking Swiss law advice.

Our firm has a strong international profile and brings together recognised leadership and expertise in all areas of law affecting commerce today, with a focus on high-tech, innovative and regulated sectors. 

About us


Click here for our latest publications


Read all our legal updates on the impact of COVID-19 for businesses.

COVID-19 Information

Job openings

Looking for a new challenge?

Our talented and ambitious teams are motivated by a common vision to succeed. We value open and straightforward communication accross all levels of the organisation in a supportive working environment.

Job openings

Firm News

Click here for our latest firm news.

Our Team

The regulatory and technological landscape continually require businesses to adapt and evolve.
Our 150+ lawyers are continuously innovating and striving for improvement in everything they do. We embrace new ideas and technologies, combining our wealth of expertise with creative thinking and diligence. With our hands-on approach, we implement viable solutions for the most complex legal challenges.

Our Team.

LexCast – the podcast series by MLL NexGen

Smart legal education on the go. The LexCast hosted by MLL NexGen provides legal insights in a short format that allows listeners to educate themselves on and about legal issues wherever they are and whenever they find the time.

Listen to our podcast series – stay tuned.

MLL Legal on Social Media

Follow us on LinkedIn, Twitter und Instagram.