
nFADP vs GDPR: Key Provisions Compared

The definitive side-by-side guide to Switzerland's nFADP and the EU's GDPR: scope, legal basis, sensitive data, breach notification, automated decisions and AI, sanctions and who pays them — with official sources. General information, not legal advice.

If you run a business in Switzerland, you almost certainly live under two data-protection laws at once. The revised Swiss Federal Act on Data Protection — the nFADP — governs your processing at home. The EU's General Data Protection Regulation — the GDPR — reaches you the moment you offer goods or services to people in the European Union or monitor their behaviour. For most Swiss organisations with even a modest EU audience, the practical question is never 'which one applies?' but 'where do they agree, and where do I have to design for the stricter of the two?'

This guide is the side-by-side answer. It walks through what each law is, who has to comply, and then sets out the key provisions in one large comparison table — entry into force, scope, legal basis, sensitive data, consent, information duties, records, data protection officers, impact assessments, breach notification, automated decisions, data subject rights, international transfers, representatives, and sanctions. After the table, we go deeper on the handful of places where the two laws genuinely diverge, including a dedicated section on automated decision-making and AI, and we name the official sources you can read for yourself.

This is general information, not legal advice

This article summarises the nFADP and the GDPR at a conceptual level to help you orient. It is marketing content, not legal advice, and it cannot account for your specific facts, sector rules, or the latest guidance. Before making compliance or purchasing decisions, consult qualified Swiss and EU data-protection counsel and read the official texts named at the end.

Who this is for

Founders, product owners, privacy officers, and legal leads at Swiss and EU organisations who need a clear, accurate map of how the nFADP and the GDPR line up — especially anyone choosing how to collect personal data through online forms.

What the nFADP is

The nFADP is the fully revised Swiss Federal Act on Data Protection. It was adopted by Parliament in September 2020 and entered into force on 1 September 2023, with no transition period after that date. It replaced the previous Swiss data protection act, which dated back to 1992 and predated the smartphone, the cloud, and modern profiling entirely.

Switzerland revised the law for two connected reasons. First, to ratify and implement the modernised Council of Europe Convention 108+, the international treaty on automated data processing. Second, and just as important commercially, to keep Switzerland's EU adequacy decision: the European Commission's recognition that Swiss law offers a level of protection essentially equivalent to the GDPR, which lets personal data flow from the EU to Switzerland without extra safeguards. The nFADP was deliberately drafted to stay close to the GDPR so that adequacy would survive the EU's own modernisation. Compared with the 1992 act, the revision:

  • Expanded the definition of sensitive personal data to include genetic and biometric data that uniquely identifies a person
  • Introduced privacy by design and privacy by default as legal duties
  • Added a duty to keep records of processing activities, and to carry out data protection impact assessments for high-risk processing
  • Created a breach-notification duty to the Federal Data Protection and Information Commissioner (FDPIC)
  • Strengthened transparency, including a specific duty to inform about automated individual decisions
  • Backed certain wilful breaches with criminal fines aimed at the responsible individuals

The result is a law that feels familiar to anyone who knows the GDPR, but that keeps a distinctly Swiss character — most visibly in how it treats legal basis and how it punishes violations.

What the GDPR is

The GDPR — Regulation (EU) 2016/679 — is the European Union's comprehensive data-protection regulation. It was adopted in 2016 and has applied directly in every EU member state since 25 May 2018, and in the EEA states Iceland, Liechtenstein and Norway since its incorporation into the EEA Agreement in July 2018. As a regulation rather than a directive, it applies without each country needing to pass its own transposing law, although member states retain limited room to legislate on specific points such as the age of digital consent for children (Art. 8).

The GDPR is built around a catalogue of principles (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, accountability) and a closed list of legal bases for processing. It grants data subjects a strong set of rights, imposes detailed obligations on controllers and processors, and is enforced by independent supervisory authorities in each member state, coordinated through the European Data Protection Board (EDPB). It is the reference point against which most modern privacy laws, including the nFADP, are measured.

Who must comply with which law

The two laws have overlapping but distinct territorial reach, which is exactly why so many organisations end up inside both.

nFADP territorial scope

The nFADP applies to private persons and federal bodies whose data processing produces effects in Switzerland — even if the processing happens abroad. In practice: if you are established in Switzerland, or you process the personal data of people in Switzerland in a way that has an effect there, you are in scope. A foreign online shop that ships to Swiss customers can fall under the nFADP just as a domestic company does.

GDPR territorial scope

The GDPR applies to processing by an establishment in the EU regardless of where the processing happens, and — through its extraterritorial Article 3(2) — to organisations outside the EU that either offer goods or services to people in the EU or monitor the behaviour of people in the EU. A Swiss company with a website that takes orders in euros, ships to Germany, or runs analytics on EU visitors is squarely within GDPR reach.

The dual-regime reality

A Swiss clinic taking registrations from German patients, a Zurich SaaS firm with Spanish customers, a Geneva law office serving clients across the EU — each is subject to the nFADP and the GDPR simultaneously. Adequacy means data can move freely between Switzerland and the EU, but it does not collapse the two laws into one. You still have to meet both.

nFADP vs GDPR: the key provisions side by side

The table below is the centrepiece of this guide: the key provisions of both laws in one place. Where the two columns broadly agree, a single well-designed control will usually satisfy both regimes. Where they diverge, design for the stricter requirement and document the difference.

| Provision | Swiss nFADP | EU GDPR |
|---|---|---|
| Entry into force | 1 September 2023 (revised law; previous FADP from 1992) | 25 May 2018 (adopted 2016) |
| Legal form | Federal act (Fedlex SR 235.1) plus the Data Protection Ordinance (SR 235.11) | Directly applicable EU regulation (2016/679) |
| Territorial scope | Processing with effects in Switzerland, even if initiated abroad (Art. 3) | EU establishments, plus non-EU bodies offering goods or services to, or monitoring, people in the EU (Art. 3) |
| Legal basis to process | No general legal-basis catalogue (Arts. 30–31): private processing is lawful in principle and becomes unlawful only if it breaches personality rights without a justification (consent, overriding private or public interest, or law) | Processing needs one of six legal bases in Art. 6 (consent, contract, legal obligation, vital interests, public task, legitimate interests) |
| Sensitive data categories | Art. 5: health, religious/ideological/political/trade-union views or activities, intimate sphere, racial or ethnic origin, genetic data, biometric data uniquely identifying a person, plus data on administrative or criminal proceedings and sanctions and on social-assistance measures | Art. 9: special categories incl. health, racial or ethnic origin, political/religious/philosophical beliefs, trade-union membership, genetic data, biometric data for unique identification, sex life or orientation |
| Consent | Not a general precondition; where relied on it must be voluntary and informed, and express for sensitive data and high-risk profiling (Art. 6) | One of several legal bases; where used, must be freely given, specific, informed, unambiguous, and as easy to withdraw as to give (Arts. 4(11), 7) |
| Information duties | Art. 19: inform the data subject at collection (controller identity and contact details, purpose, recipients or categories of recipients, countries of transfer and the safeguards used) | Arts. 13–14: detailed transparency incl. legal basis, retention periods, rights, and DPO contact |
| Records of processing | Art. 12: required; the Ordinance exempts companies with fewer than 250 employees whose processing carries a low risk | Art. 30: required, with a similar exemption for organisations under 250 employees whose processing is occasional and low-risk |
| Data protection officer / advisor | Appointing a data protection advisor is voluntary for private bodies (Art. 10); it brings procedural advantages after a DPIA | DPO mandatory in defined cases (Art. 37: public authorities, core large-scale monitoring, large-scale special-category or criminal data processing) |
| Impact assessment | Art. 22 (DPIA): required where processing is likely to entail a high risk to personality or fundamental rights | Art. 35 (DPIA): required for processing likely to result in a high risk to data subjects |
| Privacy by design / default | Required (Art. 7) | Required (Art. 25) |
| Breach notification | Art. 24: notify the FDPIC 'as soon as possible', only for breaches likely to result in a high risk; inform data subjects where needed for their protection or if the FDPIC requests it | Art. 33: notify the supervisory authority without undue delay, where feasible within 72 hours, unless the breach is unlikely to result in a risk; Art. 34: inform data subjects when the risk to their rights and freedoms is high |
| Automated individual decisions | Art. 21: duty to inform the data subject about a decision based solely on automated processing that has a legal or similarly significant effect; right to state their view and request review by a natural person | Art. 22: right not to be subject to a solely automated decision with legal or similarly significant effect, with exceptions and safeguards (incl. human intervention) |
| Data subject rights | Access (Art. 25), data portability (Art. 28), rectification, and objection/deletion through the personality-protection remedies of Art. 32 | Access, rectification, erasure, restriction, portability, objection, and rights around automated decisions (Arts. 15–22) |
| International transfers | Art. 16: allowed to countries with adequate protection (Federal Council list in the Ordinance); otherwise safeguards such as standard contractual clauses or binding corporate rules | Allowed under an adequacy decision or appropriate safeguards (SCCs, BCRs) per Chapter V (Arts. 44–49) |
| Representative requirement | Art. 14: foreign private controllers processing data of people in Switzerland must designate a Swiss representative where the processing is extensive, regular and high-risk | Art. 27: many non-EU controllers/processors must designate an EU representative |
| Sanctions — amount | Criminal fines up to CHF 250,000 (Arts. 60–63) | Administrative fines up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher (Art. 83) |
| Sanctions — who pays | Levied on the responsible natural person (criminal-law character); the business itself can be fined up to CHF 50,000 instead where identifying the individual would require disproportionate effort (Art. 64) | Levied on the undertaking (the controller or processor as an organisation) |

Read top to bottom, the pattern is clear: the two laws agree far more than they differ. Adequacy is not an accident — it is the product of deliberate alignment. The interesting work is in the rows where they part ways, and those deserve a closer look.

Where the laws genuinely differ

Legal-basis philosophy

This is the deepest structural difference. The GDPR is a permission-based system: you may not process personal data at all unless you can point to one of the six legal bases in Article 6, and you must be able to name it. The nFADP takes the opposite default for private processing. There is no general legal-basis catalogue; processing personal data is lawful in principle, and only becomes unlawful if it unjustifiably violates the data subject's personality rights — for example by ignoring an objection, processing against the data subject's express wishes, or disclosing sensitive data to third parties without justification. Consent, overriding interest, or law then operate as justifications that cure an otherwise unlawful processing, rather than as preconditions you must establish before you start.

In practice, an organisation that already documents a GDPR legal basis for every processing activity will comfortably clear the nFADP bar. But the reverse is not safe: building only to the Swiss model and then assuming EU customers are covered will leave gaps wherever the GDPR demands an affirmative basis you never recorded.

Sanctions on individuals versus companies

The headline numbers point in opposite directions, and so does the target. GDPR fines are large and administrative: up to EUR 20 million or 4% of global annual turnover, imposed on the undertaking by a supervisory authority. The nFADP's fines are smaller in absolute terms — up to CHF 250,000 — but they are criminal in character and, crucially, they are levied on the responsible natural person, not the company. Directors, privacy leads, and other individuals can be personally fined for specific wilful breaches such as intentionally giving false information in a privacy notice or breaching professional confidentiality. The company itself is liable only subsidiarily, up to CHF 50,000, in defined cases where identifying the responsible individual would require disproportionate effort.

Personal exposure is the Swiss twist

Do not read the lower CHF figure as 'the nFADP is softer'. A criminal fine that can land on a named executive changes incentives in a way an administrative fine on a legal entity does not. The two systems punish very differently.

Breach-notification thresholds and deadlines

Both laws require you to notify the regulator of personal-data breaches, but the trigger and the clock differ. Under the GDPR, you notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of any breach that poses a risk to individuals; you also tell affected individuals when the risk to their rights and freedoms is high. Under the nFADP, you notify the FDPIC 'as soon as possible', but only for breaches likely to result in a high risk to the data subjects — a higher threshold than the GDPR's authority-notification trigger. The pragmatic answer for a dual-regime business is to run a single 72-hour playbook keyed to the stricter GDPR timing, then apply each law's threshold to decide who actually gets notified.

Sensitive-data lists

The two catalogues are close but not identical. The nFADP's modernisation explicitly added genetic data and biometric data that uniquely identifies a person, bringing it into line with the GDPR's Article 9. But the nFADP's list also expressly includes data on administrative and criminal proceedings or sanctions, and data on social-assistance measures. The GDPR handles those elsewhere: criminal convictions and offences fall under its separate Article 10, and social-assistance data is not a special category at all. A form that asks about criminal records, ongoing proceedings, or social-assistance history therefore triggers sensitive-data treatment under the nFADP in places where the GDPR's Article 9 would not, on the same wording.

Automated decision-making and AI under the nFADP and GDPR

As more form data feeds scoring models, eligibility engines, and AI systems, the automated-decision provisions have moved from a niche concern to a front-line one. Here the two laws share a goal — keeping humans meaningfully in the loop — but they reach it through different mechanics.

GDPR Article 22: a right not to be subject to automated decisions

The GDPR frames this as a prohibition with exceptions. Under Article 22, a data subject has the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal effects or similarly significantly affects them. Such decisions are only permitted where they are necessary for a contract, authorised by law, or based on explicit consent, and even then the controller must put safeguards in place, including the right to obtain human intervention, to express a point of view, and to contest the decision. Processing special-category data in solely automated decisions is restricted further still.

nFADP Article 21: a duty to inform about automated decisions

The nFADP approaches the same problem as a transparency-and-review duty rather than a prohibition. Under Article 21, when a controller makes a decision based solely on automated processing that has a legal effect on the data subject or significantly affects them, it must inform the data subject of that fact. The data subject can then request to express their point of view and to have the automated decision reviewed by a natural person. There are exceptions: where the decision is directly connected to the conclusion or performance of a contract and the data subject's request is granted, or where the data subject has expressly consented. The destination is similar to the GDPR's: a human must be reachable behind the machine. The framing differs: the nFADP starts from 'you must tell them', the GDPR from 'they have the right to refuse'.

What this means for AI-era data collection

If your online form feeds a model that decides something consequential — credit, insurance pricing, fraud flags, eligibility, shortlisting — both laws are in play. Disclose the automated decision in the form's notice, make a human reviewer genuinely reachable, and assess the risk before launch (a DPIA may be required). The AI is not exempt because the input came through a simple web form; the form is exactly where the obligation begins.

Official sources

Comparisons are only as good as the texts behind them. These are the authoritative sources you can read directly — we name them in text so you can search for the current versions yourself rather than relying on any secondary summary, including this one.

  • The nFADP itself: the Swiss Federal Act on Data Protection, published in the federal compilation Fedlex under classified-compilation number SR 235.1, together with the Data Protection Ordinance (SR 235.11)
  • Swiss regulator guidance: the Federal Data Protection and Information Commissioner (FDPIC, in German EDÖB), which publishes guides and explanatory material on the nFADP
  • The GDPR itself: Regulation (EU) 2016/679, available in all EU languages via EUR-Lex, the EU's official legal database
  • EU regulator guidance: the European Data Protection Board (EDPB), which issues guidelines, recommendations and opinions on how the GDPR is applied, alongside national supervisory authorities
  • The adequacy basis: the European Commission's adequacy decision recognising Switzerland, and the modernised Council of Europe Convention 108+, which underpins the Swiss revision

Legal texts and guidance are updated over time. Always check the version in force on the official source named above before relying on any specific provision.

What this means for your data collection and forms

Online forms are where most organisations first touch personal data, which makes them the natural place to operationalise everything above. The dual-regime reality does not require two parallel compliance stacks; it requires designing each form to the stricter applicable rule and documenting the differences. Here is a practical sequence.

1. Classify the data each form collects

List the fields. Flag anything sensitive under the GDPR's Art. 9 or the nFADP's Art. 5, and remember the nFADP's extra categories (criminal proceedings, social-assistance history) that the GDPR handles outside its special-categories list.

2. Map which law or laws apply

Are respondents in Switzerland, the EU, or both? If both, the GDPR and the nFADP run in parallel. Note where you need an affirmative GDPR legal basis even though the nFADP would not demand one.

3. Minimise what you ask for

Data minimisation is a principle in both regimes (proportionality under nFADP Art. 6(2), data minimisation under GDPR Art. 5(1)(c)). Every field you remove is a field that cannot leak, cannot be demanded by a court order, and never needs justifying. Collect only what the purpose genuinely requires.

4. Secure what you do collect

Apply security appropriate to the risk (nFADP Art. 8, GDPR Art. 32). For sensitive submissions, end-to-end encryption is increasingly the expected baseline, not a luxury.

5. Document everything

Keep records of processing where required, write a clear privacy notice that satisfies nFADP Art. 19 and GDPR Arts. 13–14, disclose any automated decisions, and run a DPIA where the processing is high-risk.

How encryption changes your exposure under both laws

One technical control quietly improves your position under both regimes at once: zero-knowledge end-to-end encryption of form submissions. When data is encrypted in the respondent's browser and the platform only ever stores ciphertext, the operator cannot read it — and that fact reshapes several of the obligations above.

  • Breach severity drops. If exposed data is rendered unintelligible by strong encryption and the keys were not also compromised, a breach is far less likely to create the 'high risk' that triggers individual notification: the GDPR says so explicitly in Art. 34(3)(a), and the same fact weighs in the nFADP's high-risk assessment. It lowers the risk rather than abolishing the incident: the Art. 33 notification to the authority still turns on whether any risk remains, and the assessment has to consider where the keys were held
  • Transfer analysis gets simpler. If what leaves the jurisdiction is ciphertext the provider cannot decrypt, the supplementary-measures question that dominates international-transfer assessments becomes much easier to answer; the transfer still has to be identified and documented
  • The processor surface shrinks. A provider who cannot read submissions holds no plaintext to produce under a subpoena and exposes no readable content to insiders; metadata such as which form was submitted and when remains visible to the platform and still needs protecting

Schweizerform is built around exactly this architecture. Every submission, including file attachments, is encrypted in the respondent's browser with AES-256-GCM; the per-submission key is wrapped with the form's RSA-OAEP-2048 public key, and the key chain is protected by the owner's Access Code via PBKDF2. The servers store only ciphertext, hosted exclusively in Switzerland on Infomaniak infrastructure — app servers, database, object storage, and email — with no US or EU vendor in the data path and no third-party trackers on the form page. The operator cannot read submissions, even under legal compulsion.

This guide compares the two regimes at the regulation level. For a form-specific deep dive — processor contracts, transfer mechanics, and breach playbooks for online forms — see the companion article on GDPR versus nFADP for form data on this blog.


Bottom line

The nFADP and the GDPR are close cousins by design: Switzerland revised its law specifically to keep step with the EU and preserve adequacy. Build to the stricter requirement, document the handful of genuine divergences — the GDPR's affirmative legal-basis catalogue, the nFADP's criminal exposure for individuals, the different breach thresholds, the extra Swiss sensitive-data categories, and the two approaches to automated decisions — and one well-designed compliance posture will carry you across both.

Forms are where that posture is tested first. Classify, minimise, secure, and document — and let the architecture of the tool, not just the wording of a policy, do as much of the work as it can.

Schweizerform is engineered for the place where the nFADP and the GDPR meet: zero-knowledge end-to-end encryption on every form, Swiss-only hosting, and full EN / DE / FR / IT support — no credit card required on the free tier.

Disclaimer: This article is general information and marketing content, not legal or compliance advice. References to the nFADP, the GDPR, FDPIC and EDPB guidance, adequacy decisions, and Convention 108+ are summarised at a conceptual level and are subject to interpretation and future legislative change. Specific situations — sector-specific rules, cross-border group structures, and high-risk or AI-driven processing — require tailored advice. Consult qualified Swiss and EU data-protection counsel and read the official sources before relying on any single article, including this one, for compliance or purchasing decisions.