Checklist for SMEs: how to comply with the Data Protection Act

The new Data Protection Act (nFADP) will come into force on September 1, 2023. All Swiss companies are impacted. Here's how they can prepare for it.

All companies in Switzerland must prepare for the new Data Protection Act (nFADP) to be implemented on September 1, 2023. For companies that have not already adapted to the 2018 European General Data Protection Regulation (GDPR), compliance with the new Swiss law will take time and will require engaging those with legal and technical expertise in data protection. 

To prepare for compliance with the nFADP, the data processed during the course of business must be identified and the risks involved analyzed. The more data a company processes and/or the more sensitive it is (e.g. related to religion, health, lawsuits, etc.), the greater the requirements will be.

The nFADP's 12 key requirements

Swiss SMEs must implement the following 12 measures to comply with the nFADP:

  1. Check and modify data protection statements (website, contracts, advertising content, etc.)
  2. Draft (or modify) corporate data handling guidelines
  3. Establish a data processing register (not required for companies with fewer than 250 employees, provided there is no significant privacy risk)
  4. Establish procedures for responding promptly to data subjects' requests (e.g., for information or deletion of data)
  5. Implement a data breach reporting procedure
  6. Establish a process for impact assessments, which are required when data processing is high risk (e.g., systematic monitoring of the broader public domain)
  7. Analyze contracts with subcontractors to check whether data security is provided for, and add clauses in this regard (including data breach notification)
  8. Provide for data to be deleted or anonymized as soon as it is no longer necessary for the original purpose for which it was processed
  9. Review the countries to which data is transmitted, including for simple cloud backups (these countries must be on a Federal Council list; if not, more stringent requirements apply)
  10. Ensure data security through appropriate technical and organizational measures
  11. Ensure the data is provided in electronic format (in the case of automated data processing and, in particular, the conclusion or implementation of a contract)
  12. Designate a data protection advisor and publish his or her contact details (it is recommended that this person be notified to the Federal Data Protection and Information Commissioner (FDPIC))

This list is not intended to be all-inclusive or comprehensive. For further information, please refer to the FADP and the Data Protection Ordinance. The FDPIC website also offers verified legal and technical information on the subject.

Sources: interview published on 19.01.2022 on the SME Portal, "If data theft occurs, we have already failed"; article published on 19.05.2021 on the Economiesuisse website, "Data protection: an overview of the new law"; and article published on 06.12.2021 on the Axa website, "New data protection law: what companies should know".

Last modification 04.04.2022