How does the revised FADP compare to the EU GDPR?

The revision of the FADP (Federal Act on Data Protection) is based on the requirements of the EU GDPR  (General Data Protection Regulation) but has some distinctive features. In most cases, the revFADP is less formalistic and has less specific regulatory content than the GDPR. If your Swiss based company is already GDPR-compliant, you may want to consider whether you will adapt the provisions of the revFADP for data processing outside of the scope of the GDPR, in order to benefit from the flexibility (or in some cases less stringent provisions) of the rev FADP. In any case, you should consider that the revFADP is not a carbon copy of the GDPR and that there are a few points where the revFADP will be even stricter than the GDPR. To ensure readiness, it is essential that companies commit to the change in regulation early enough.


Philipp Rosenauer

Partner Legal, PwC Switzerland

+41 58 792 18 56


What are the differences between the revFADP and the GDPR?

The following table portrays the differences of the revFADP and your need for action:



Need for action

Controller and processor:

  • GDPR determines minimum contents of a controller-processor relationship.
  • Contractual specification of the responsibilities.
  • Limited liability of the processor.
  • Less detailed content requirements, but data exports must be mentioned.
  • No explicit contractual obligation.
  • All participating persons can be held liable.

Update contracts

Data exports:

  • No data export to third countries without adequate data protection: European Commission publishes list of countries with adequate data protection.
  • In case the protection isn’t adequate: protective measures such as Standard Contractual Clauses (SCC) and Binding Corporate Rules (BCR) must be used.
  • Exceptions in case of consent, fulfilment of a contract or legal obligation.
  • Same concept. The Federal Council determines the countries with adequate data protection and follows the EU.
  • Use of EU SCC and BCR is possible.
  • Similar exceptions.

Update procedures

Data breach notifications:

  • Data breaches bearing risks for data subjects must be reported to the data protection authority within 72 hours.
  • Affected person must be notified in case of high risk to personality.
  • Controller must only inform the FDPIC in case of high risk.
  • No 72-hour time limit.
  • Notification only if ‘necessary for the protection of the data subject’.
  • Exceptions if excessive effort is required.

Update procedures

Professional secrecy:

  • Member states may adopt specific rules
  • Professional secrecy
  • Personal fines up to CHF 250,000 in case of violation

Consider personal liability

Enforcement and fines

Supervisory authorities may:

  • investigate processing activities,
  • cease or restrict processing activities
  • impose fines up to EUR 10/20 million or 2/4% of the annual worldwide turnover. Further fines may apply to a company according to local law.

The FDPIC may:

  • investigate processing activities
  • cease or restrict processing activities.
  • A number of violations of the revFADP or lack of cooperation with the FDPIC can result in criminal fines of up to CHF 250,000 against responsible individuals (acting intentionally).

Consider personal liability

For further support and information, please visit our website.


Read more insights

Register for personalised updates tailored to your interests.

Subscribe to PwC updates 


Contact us

Philipp Rosenauer

Philipp Rosenauer

Partner Legal, PwC Switzerland

Tel: +41 58 792 18 56

Lorena Rota

Lorena Rota

Manager, MLaw, Data Privacy & Security Healthcare, PwC Switzerland

Tel: +41 58 792 2750