nFADP Compliance for Online Forms
A practical guide to Switzerland's new Federal Act on Data Protection (nFADP) for businesses collecting data through online forms. Key obligations, penalties, and a concrete compliance checklist.

On 1 September 2023, Switzerland's revised Federal Act on Data Protection — known as the nFADP (revDSG in German, nLPD in French and Italian) — entered into force. The law modernises Swiss privacy rules, aligns many concepts with the EU's GDPR, and meaningfully raises the stakes for any organisation that collects personal data from Swiss residents.
Online forms sit at the centre of this shift. Whether you run a dental practice collecting patient histories, a law firm handling client intake, or an e-commerce store with a contact form, the nFADP applies to you. This guide walks through what the law requires, what has changed, and how to make your forms compliant in practice.
Who this guide is for
Any Swiss business, association, or public body that collects personal data through online forms — plus any foreign organisation that offers services to people in Switzerland. If you process data of people physically located in Switzerland, the nFADP applies to you even if your company is not located there.
What the nFADP Is — and What Changed
The nFADP is a full revision of Switzerland's 1992 data protection act. It was passed by Parliament in September 2020 and entered into force on 1 September 2023 with no further grace period. From that date, compliance has been mandatory.
The revision pursues two goals: to modernise the law for the digital era, and to keep Switzerland's data-protection regime adequate in the eyes of the European Commission — a crucial point for the free flow of data between Switzerland and the EU.
Key changes at a glance
- Protection is now limited to personal data of natural persons — data about legal entities is no longer covered
- "Sensitive personal data" has been broadened to include genetic and biometric data that uniquely identifies an individual
- Privacy by design and privacy by default are explicit legal obligations
- Data Protection Impact Assessments (DPIAs) are mandatory for high-risk processing
- Breach notification to the Federal Data Protection and Information Commissioner (FDPIC) is now required "as soon as possible" for breaches likely to result in high risk
- Controllers must maintain a record of processing activities (businesses with fewer than 250 employees whose processing carries a low risk are exempt)
- Individuals have strengthened rights to information, access, and data portability
- Criminal penalties of up to CHF 250,000 can be imposed on responsible individuals — not just on companies
Why Online Forms Are a Compliance Focus
Forms are the most common entry point for personal data into any organisation. They are also, in most cases, the least-scrutinised. A typical business may have dozens of forms scattered across websites, client portals, and intranets — each one quietly accumulating names, contact details, health information, financial data, or other protected categories.
Under the nFADP, each of those forms must satisfy the full range of legal obligations: a legitimate basis for collection, clear and complete information to the data subject, proportionality in the data requested, appropriate security, and defined retention. The FDPIC has indicated that online forms will be a practical area of audit focus because they are visible, testable, and often fall short of basic requirements.
A common compliance gap
Many Swiss organisations still collect sensitive data (health, finance, legal) through plain-text email forms or tools that store submissions unencrypted on foreign servers. Both practices are difficult to defend under the nFADP and can trigger disproportionate risk in the event of a breach.
Seven Core Obligations for Online Forms
1. Lawful basis and purpose limitation
Every form must collect data for a specific, identifiable purpose. You cannot collect information "in case it becomes useful" or reuse it for a purpose the respondent did not expect. The principle of proportionality requires that only data strictly necessary for the stated purpose be requested.
2. Duty to inform
Article 19 nFADP expands the information duty. At the moment data is collected, the data subject must be informed of the identity and contact details of the controller, the purpose of the processing, the categories of recipients (including any third-party processors), and the countries to which data may be transferred. This information must be accessible directly from the form — a link to a privacy policy is the standard approach.
3. Consent — but only where needed
Consent is not always required, but when it is (for example for sensitive personal data or for high-risk profiling), it must be explicit, specific, informed, and freely given. Pre-ticked boxes, buried checkboxes, or "by submitting this form you agree to everything" clauses are not compliant.
4. Data security
Article 8 nFADP requires controllers and processors to ensure a level of security appropriate to the risk. The accompanying ordinance (DPO) and FDPIC guidance explicitly mention encryption, pseudonymisation, access controls, and regular testing. For forms that collect sensitive data, end-to-end encryption is rapidly becoming the expected baseline.
5. Data minimisation and retention
Collect only what you need, keep it only as long as you need it, and delete or anonymise it afterwards. Your form tool should allow you to set retention policies and delete submissions when they are no longer necessary for the original purpose.
6. Data subject rights
Respondents have the right to know what data you hold about them, to request a copy (data portability), to correct inaccuracies, and in many cases to demand deletion. Your processes and your form tool must enable you to fulfil these requests within 30 days.
7. Cross-border transfers
Transferring personal data to a country without an adequate level of data protection — which for Swiss law includes the United States under many circumstances — requires specific safeguards: standard contractual clauses, binding corporate rules, or explicit consent. For many organisations, the simplest answer is to host form data in Switzerland or the EU.
Penalties — Why This Is Not Just GDPR-Lite
A common misconception is that the nFADP is a watered-down version of the GDPR. In one crucial respect, it is arguably stricter: criminal penalties can target responsible individuals directly, not just the company.
| Violation | Maximum penalty |
|---|---|
| Intentional violation of information duties (Art. 60) | CHF 250,000 — payable by the responsible individual |
| Intentional breach of data security duty (Art. 61) | CHF 250,000 — payable by the responsible individual |
| Intentional non-compliance with an FDPIC order (Art. 63) | CHF 250,000 |
| Corporate fine where identifying the individual is disproportionate | Up to CHF 50,000 against the company |
Unlike the GDPR, where fines are administrative and imposed on organisations, the nFADP's fines are criminal and can be imposed on directors, data protection officers, or other natural persons who commit the violation. This makes personal accountability a very real factor.
How Schweizerform Helps You Comply
Schweizerform was designed from day one against the backdrop of the nFADP. The platform handles many of the technical obligations by default, so your compliance work is about policy and process — not about patching a tool that was built for a different regulatory climate.
End-to-end encryption, by default
Every submission is encrypted in the respondent's browser before it leaves their device. Schweizerform physically cannot read the content — which directly addresses Article 8 security duties and, in the event of a breach, drastically reduces the risk assessment.
Swiss hosting
Encrypted form data is stored in Swiss data centres. No cross-border transfer, no reliance on foreign-cloud adequacy arguments, no US CLOUD Act exposure for your respondents' data.
Structured retention and deletion
Forms can be closed or unpublished, and individual submissions can be deleted. Because the platform does not hold decryption keys, deletion is cryptographically final — there is no backup copy of readable data.
Respondent transparency built in
Forms support a visible privacy section, and the encrypted architecture gives respondents a clear, verifiable answer to the question "what happens to my data?" — a powerful trust signal that also simplifies your Article 19 information duty.
Audit trail and access logs
Administrator actions and submission accesses are logged, giving you the documentation you need to demonstrate organisational measures under Article 8.
Your nFADP Form Compliance Checklist
Use the following checklist as a starting point. Each item maps to a core obligation discussed above.
- Each form has a documented purpose and collects only the data strictly needed for it
- A privacy notice is linked directly from every form, naming the controller, purposes, recipients, and transfer countries
- Where consent is relied upon, it is obtained through an explicit, clearly labelled checkbox that is not pre-ticked
- Sensitive personal data is never transmitted or stored in plain text — end-to-end encryption is used
- Form submissions are hosted in Switzerland or in a country with adequate protection
- A retention period is defined for each form and enforced in practice
- You have a documented process to respond to access, correction, and deletion requests within 30 days
- A breach response process exists and names the person responsible for notifying the FDPIC
- The record of processing activities lists every form and the data it collects (if required)
- High-risk forms have been assessed through a Data Protection Impact Assessment
The Bottom Line
The nFADP is not a future concern — it has been in force since September 2023. For most Swiss organisations, the fastest and most durable path to compliance is to combine good internal process with a form platform that is compliant by design.
If your current form tool stores submissions in plain text, sits in a non-adequate jurisdiction, or gives you no real control over retention, you are carrying compliance risk that is easy to eliminate. Swiss hosting and zero-knowledge encryption are no longer premium features — they are what the law expects.
Ready to align your forms with the nFADP?
Schweizerform combines zero-knowledge end-to-end encryption, Swiss hosting, and structured retention — giving you a solid technical foundation on every plan, including the free tier.
This article is general information, not legal advice. For specific situations — especially involving sensitive data or large-scale processing — consult a qualified Swiss data protection specialist.