Overview
Swiss data protection law is set out in the revised Swiss Federal Data Protection Act of 25 September 2020 (DPA)2 and the accompanying Swiss Federal Ordinance to the Federal Act on Data Protection of 31 August 2022 (DPO).3 Further sector-specific data protection provisions are spread throughout a large number of legislative acts. As Switzerland is neither a member of the European Union (EU) nor of the European Economic Area (EEA), it has no general duty to implement or comply with EU laws. However, because of Switzerland's location in the centre of Europe and its close economic relations with the EU, Swiss law is strongly influenced by EU law.4
The Swiss Data Protection and Information Commissioner (the Commissioner) is the authority responsible for supervising both private businesses and federal public bodies with respect to data protection matters. The Commissioner regularly publishes explanatory guidelines with respect to specific issues.5
The year in review
The most important recent event in terms of data protection law has been the entry into force of the fully revised DPA on 1 September 2023, together with the DPO and the Federal Ordinance on Data Protection Certification (DPCO). In short, the revision leads to stricter constraints and requirements. For example, the DPA now requires organisations to create and maintain an inventory of processing activities, and private controllers with a domicile or residence outside Switzerland are, under certain circumstances, required to appoint a representative in Switzerland if personal data of individuals in Switzerland is processed. In addition, the sanction rules were tightened.6

