The revised Swiss Federal Act on Data Protection (revFADP, commonly referred to as nFADP or new FADP) came into force on 1 September 2023, with no transitional period. Every business processing data of Swiss residents is affected, whether based in Geneva, the French Alps or anywhere else. For organisations in the Franco-Swiss cross-border region, this law sits alongside the EU's GDPR, in effect since May 2018. Both texts pursue a common goal (protecting personal data) but diverge on structural points: consent model, penalty regime and notification obligations. Understanding these differences determines whether your website and data collection tools are genuinely compliant.
What the revised FADP changed from the original Swiss law
The original FADP dated from 1992. Three decades of technological change made an overhaul unavoidable. The revised FADP aligns Switzerland with international data protection standards, a necessary condition for retaining the European Commission's adequacy decision. Without that recognition, data transfers between Switzerland and the EU would have required standard contractual clauses for every exchange.
The scope of the new FADP is limited to personal data of natural persons. The original law also covered data of legal entities. This narrowing brings the Swiss framework closer to the GDPR. The revised FADP introduces concepts of profiling, high-risk profiling and Data Protection Impact Assessment (DPIA), directly inspired by the European regulation.
The Federal Data Protection and Information Commissioner (FDPIC) gains reinforced powers. The authority can open investigations on its own initiative, order modifications or cessation of processing activities and issue injunctions. This institutional strengthening signals a shift from guidance to enforcement.
FADP vs GDPR: the structural divergences
Despite a shared foundation, the two texts differ on several operational aspects. These divergences have direct consequences for how you configure a website, a privacy policy and a consent management platform.
Consent is the most significant divergence. The GDPR requires an opt-in model: no processing of personal data without the user's explicit prior consent (except for alternative legal bases such as legitimate interest). The FADP operates on an opt-out model for most processing activities. Processing is permitted by default unless the individual objects. Explicit consent is required only for sensitive data, high-risk profiling and transfers to countries without adequate protection. This distinction is fundamental for cookie banner configuration.
Penalties follow opposing logics. The GDPR penalises companies with fines of up to EUR 20 million or 4% of global annual turnover. The FADP targets the responsible natural persons, with maximum fines of CHF 250,000. According to the FDPIC, this approach aims to hold individual decision-makers accountable rather than placing the penalty on the organisation.
Data breach notification also diverges. The GDPR requires notification to the supervisory authority within 72 hours of discovering a breach. The FADP requires notification "as soon as possible" to the FDPIC, without a defined deadline. This apparent ambiguity leaves room for interpretation, though the FDPIC's practice tends to align with a timeline comparable to the GDPR.
Data Protection Officer (DPO) designation is mandatory in many cases under the GDPR (public bodies, large-scale processing, sensitive data). The FADP makes this appointment optional. Swiss companies may designate a "data protection advisor," but nothing obliges them to, whatever the organisation's size or activity.
International data transfers: two frameworks, two mechanisms
Transferring personal data outside the territory is a major concern for cross-border businesses. The GDPR allows transfers to countries recognised by the European Commission as providing an adequate level of protection. For others, appropriate safeguards are necessary: standard contractual clauses, binding corporate rules or certification mechanisms.
The FADP adopts a similar logic. The Swiss Federal Council publishes a list of countries deemed adequate. Switzerland recognises the EU as adequate territory, and vice versa. Transfers between France and Switzerland therefore require no additional safeguards, simplifying operations for businesses in the Franco-Swiss region.
The situation grows more complex for transfers to the United States. The Swiss-U.S. Data Privacy Framework, validated in 2024, governs these flows under specific conditions. The EU-U.S. Data Privacy Framework covers the GDPR side. Every third-party tool on your site (Google Analytics, Meta Pixel, a US-hosted CRM) must be evaluated against both frameworks if your audience spans Switzerland and the EU.
Practical consequences for a cross-border website
A website targeting both French and Swiss visitors must satisfy both regulations. According to a University of Zurich study (2024), only 37% of Swiss websites displayed a cookie banner compliant with the new FADP one year after it came into force. On the French side, CNIL found that 65% of European cookie banners failed to comply with the GDPR according to a Cookiebot audit (2023). Non-compliance remains the norm, not the exception.
The privacy policy must be drafted with both texts in mind. Required information differs. The GDPR mandates disclosure of the legal basis for processing, individual rights (access, rectification, erasure, portability, objection) and DPO contact details where applicable. The FADP requires disclosure of the data controller's identity, processing purpose, recipients and the destination country for any transfer outside Switzerland. The document must cover both sets of obligations to avoid legal gaps.
The cookie banner poses a technical challenge. For visitors subject to the GDPR (located in the EU), the banner must block all non-essential cookies before consent (opt-in). For Swiss visitors, the FADP does not require this pre-blocking for standard processing. Should you display two banner versions based on visitor geolocation?
In practice, most CMPs handle this differentiation. Cookiebot and Axeptio offer geolocation rules: a visitor detected in Switzerland sees an informational banner (opt-out), while an EU visitor sees a blocking banner (opt-in). This logic lives entirely in the consent management configuration and needs careful setup: a visitor whose location is misdetected would otherwise be served the wrong regime.
Simultaneous compliance strategy
Applying the stricter standard (GDPR) to all visitors regardless of location is the safest approach. This choice simplifies technical maintenance and eliminates the risk of applying the wrong regime to a mislocated visitor. It is the recommended option for organisations without a dedicated legal team.
This approach has a cost. Imposing opt-in on Swiss visitors reduces the overall consent rate, which decreases the data volume collected in GA4 and weakens the signal transmitted to advertising platforms. For businesses where Swiss clients represent a significant share of revenue, the analytics shortfall justifies investing in a geolocation-enabled CMP.
The optimal technical configuration rests on several components. Consent Mode v2 from Google must be activated to recover modelled conversions regardless of consent choice. Server-side tracking via a solution like Stape.io improves data reliability by bypassing browser blockers while respecting the consent rules transmitted by the CMP. These two technical layers partially offset the data loss from strict opt-in.
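To make the geolocation rules and the Consent Mode defaults above concrete, here is an added example of a jurisdiction-aware consent gate. It is not code from the article, from Cookiebot, Axeptio or Google; the country handling, the three tag categories, the `state` shape and the sample tag inventory are assumptions made for this illustration.

```javascript
// Which regime governs a visitor. Only a positively identified Swiss visitor
// gets the FADP opt-out treatment; anyone else (EU or unknown location) gets
// the stricter GDPR opt-in, the article's recommended fallback.
function regimeFor(country) {
  return country === "CH" ? "FADP" : "GDPR";
}

// Tag categories assumed for this example:
//   "essential": strictly necessary, never gated
//   "standard":  analytics/marketing with no sensitive data
//   "sensitive": health data or high-risk profiling (explicit consent under both texts)
// state is { decided: false } before any choice, afterwards
// { decided: true, choices: { standard: true|false, sensitive: true|false } }.
function mayLoad(category, country, state) {
  if (category === "essential") return true;
  const choice = state.decided ? state.choices[category] : undefined;
  if (category === "sensitive") return choice === true;        // opt-in everywhere
  if (regimeFor(country) === "GDPR") return choice === true;   // blocked until affirmed
  return choice !== false;  // FADP opt-out: load by default, stop once the visitor objects
}

// Run the gate over a page's tag inventory; returns the ids allowed to fire now.
function gateTags(tags, country, state) {
  return tags.filter((t) => mayLoad(t.category, country, state)).map((t) => t.id);
}

// Consent Mode v2 default signals derived from the same decision, intended to be
// passed as gtag('consent', 'default', ...) before any tag loads. The four keys
// are Google's v2 storage types; mapping them all to the "standard" decision is
// this example's simplification (constructed, not Google's guidance).
function consentDefaultsFor(country, state) {
  const v = mayLoad("standard", country, state) ? "granted" : "denied";
  return { analytics_storage: v, ad_storage: v, ad_user_data: v, ad_personalization: v };
}

// Constructed sample inventory for a border-area practice with online booking.
const SAMPLE_TAGS = [
  { id: "session-cookie", category: "essential" },
  { id: "ga4", category: "standard" },
  { id: "meta-pixel", category: "standard" },
  { id: "booking-health-profile", category: "sensitive" },
];
```

Before the visitor decides, a Swiss visitor gets `ga4` and `meta-pixel` loaded with an opt-out banner, while a French visitor gets only the session cookie; the health-profile tag waits for explicit consent in both cases.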
Five concrete actions structure the compliance process. Audit current data processing to identify which falls under the GDPR, the FADP or both. Update the privacy policy with mandatory disclosures from both texts. Configure the CMP with geolocation rules or apply GDPR by default. Verify that data transfers to third countries are covered by adequate frameworks. Document processing activities in a register compliant with both regulations.
The specific case of the French Alps / Geneva basin
The Annemasse-Geneva corridor illustrates cross-border complexity. Approximately 50% of workers in Annemasse commute to Switzerland. A local shop or medical practice on the French side serves patients and customers residing on both sides of the border. Their website collects data from both Swiss and EU residents, triggering both regulations.
Healthcare professionals face particular exposure. A physiotherapy practice or a dental surgery in the border area offering online appointment booking processes health data, categorised as sensitive by both texts. The FADP requires explicit consent for this data, which cancels the opt-out advantage. The GDPR adds a DPIA obligation if processing is systematic and large-scale.
E-commerce businesses delivering to Switzerland must also evaluate their FADP compliance. The determining criterion is not the site's hosting location or the company's registered office, but the targeted audience. A .fr website displaying prices in CHF, offering Swiss delivery or publishing content aimed at the Swiss market falls within the FADP scope, even without a physical presence in Switzerland.
Tools and resources for managing compliance
Cookiebot (Usercentrics) offers a specific module for the FADP, with adapted legal texts and geolocation management. The automatic cookie scan identifies trackers on your site and categorises them according to both regulatory frameworks. Pricing starts at around EUR 12 per month for sites with up to 100 pages.
Axeptio provides a polished interface and generally higher consent rates thanks to considered design. Its multi-regulatory configuration enables differentiated banners based on visitor location. Cost begins at approximately EUR 19 per month.
The FDPIC publishes practical guides for SMEs on its website, including processing register templates and checklists. The CNIL offers its PIA (Privacy Impact Assessment) tool for conducting GDPR-compliant impact analyses. Combining resources from both authorities builds comprehensive documentation.
Frequently asked questions
Does the FADP apply to a company with no presence in Switzerland?
Yes, as soon as the company processes data of persons located in Switzerland. The criterion is territorial: if your site actively targets the Swiss market (prices in CHF, delivery to Switzerland, content specifically addressing that audience), the FADP applies. The registered office location is irrelevant.
Can a single cookie banner cover both Switzerland and the EU?
Yes, by applying the GDPR (strict opt-in) to all visitors. This approach guarantees compliance with both texts since the GDPR is more restrictive. The alternative is to differentiate the banner by geolocation via a CMP like Cookiebot or Axeptio, which preserves a higher consent rate on the Swiss side.
What penalties does an SME face for FADP non-compliance?
The FADP provides for fines of up to CHF 250,000, directed at the natural person responsible for the breach (director, data controller). This logic differs from the GDPR, which penalises the legal entity. The risk therefore falls personally on the business owner, strengthening the incentive to comply.
Do you need to appoint a DPO to comply with both regulations?
The GDPR mandates a DPO in specific cases: public bodies, large-scale processing of sensitive data, systematic monitoring of individuals. The FADP never requires one. If your activity falls under a mandatory GDPR case, appointing a DPO covers the Swiss dimension as well. Otherwise, the appointment remains optional but recommended for structuring data governance.
Does the Swiss opt-out model mean you can skip the cookie banner?
No. The FADP imposes an information obligation. Swiss visitors must be informed about data processing, its purpose and their right to object. An informational banner remains necessary, even though pre-blocking cookies is not required for standard processing. Sensitive data and high-risk profiling require explicit consent under the FADP as well.