Year in review: Privacy, data protection and cybersecurity in Switzerland

All questions

Year in review

2024 was the first year after the fully revised DPA came into force on 1 September 2023, together with the DPO and the Federal Ordinance on Data Protection Certification (DPCO). If companies have not yet taken the necessary data protection measures, it is strongly recommended that they do so. For example, the DPA requires organisations to create and maintain an inventory of processing activities, and private controllers with a domicile or residence outside Switzerland are, under certain circumstances, required to appoint a representative in Switzerland if personal data of individuals in Switzerland is processed. Under the revised DPA, the criminal sanction rules have been tightened, but as far as can be seen, criminal sanctions for data protection violations have hardly been enforced to date. By contrast, the Commissioner, which has been strengthened in terms of personnel, has become increasingly active and has investigated a number of violations of data protection obligations: Between 2024 and 2025, 20 preliminary investigations and nine formal investigations were carried out. Two proceedings are now pending before the Federal Administrative Court. Furthermore, data protection awareness in society is increasing, which is also shown by the fact that the data protection authority received over 1,000 complaints within one year.⁵

Switzerland does not have AI legislation, but the Commissioner has clarified that current data protection legislation applies to AI tools as well.