Switzerland FADP and analytics
The revised Federal Act on Data Protection (FADP, 'nFADP'), in force since September 2023, modernised Swiss data-protection law and brought it closer to the GDPR. It applies to processing of personal data of people in Switzerland, including by some organisations abroad, and adds transparency, records-of-processing, privacy-by-design, and breach-notification duties. The FDPIC supervises. Analytics on Swiss users can be in scope. This is educational, not legal advice.
What this means
The revised FADP overhauled Switzerland's 1992 data-protection law to align more closely with the GDPR, while remaining a distinct Swiss statute supervised by the Federal Data Protection and Information Commissioner (FDPIC). It governs the processing of personal data of individuals and applies extraterritorially to processing that has effects in Switzerland. Although influenced by the GDPR, it is not identical — for example its handling of certain definitions and obligations differs.
Duties relevant to analytics
The revised FADP introduced or strengthened obligations familiar from the GDPR: transparency and information duties, data protection by design and by default, a register of processing activities (with exemptions for smaller organisations), data protection impact assessments for high-risk processing, and notification of data security breaches to the FDPIC where there is likely high risk. For analytics, minimising identifiers, disclosing processing clearly, and keeping records all align with these duties.
- Aligned with but distinct from the GDPR
- Transparency, records, and privacy-by-design duties
- Breach notification to the FDPIC for high-risk breaches
How it appears in analytics and logs
If analytics handles identifiers from Swiss users, the revised FADP's transparency, records, and breach-notification obligations can apply.
Diagnostic use case
Check whether analytics processes personal data of people in Switzerland, since the revised FADP adds GDPR-like transparency and breach duties to that processing.
What WebmasterID can help detect
WebmasterID's minimised, privacy-by-design model aligns with the revised FADP's data-protection-by-design expectation and reduces the amount of personal data that falls within the Act's scope.
Common mistakes
- Assuming GDPR compliance automatically satisfies the FADP.
- Skipping the register of processing activities where required.
- Ignoring breach-notification duties to the FDPIC.
Privacy and accuracy notes
This page is educational, not legal advice. Minimised, anonymised analytics reduces the personal data the revised FADP's transparency and records rules govern.
Related pages
- Records of processing activities (ROPA)
Records of processing activities (ROPA) is the documented inventory GDPR Article 30 requires controllers and processors to keep: what personal data you process, why, who receives it, where it goes, and how long you keep it. There is a partial exemption for some smaller organisations, but analytics is exactly the kind of processing a ROPA should capture. Maintaining one is also a practical map of your data. This is educational, not legal advice.
- Privacy by design and by default
Privacy by design and by default, codified in GDPR Article 25, requires data protection to be built into systems from the outset and the most privacy-protective settings to be the default. For analytics this points to minimised collection, cookieless and anonymised defaults, and short retention out of the box — protection that does not depend on the user opting in. This is an educational overview, not legal advice.
- Personal data breach notification
A personal data breach is a security incident leading to accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data. The GDPR requires notifying the supervisory authority without undue delay and where feasible within 72 hours of becoming aware, unless the breach is unlikely to risk people's rights; high-risk breaches also require telling affected individuals. Analytics stores are in scope. This is educational, not legal advice.
- Privacy-first analytics
Privacy-by-design posture aligned with the revised FADP.
Sources and verification notes
- FDPIC — Revised Federal Act on Data Protection (FADP). Swiss regulator guidance. Educational, not legal advice.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.