Switzerland's nFADP: Privacy Policy Requirements Guide

Switzerland's new Federal Act on Data Protection (FADP, in force since 1 Sept 2023) requires clear, concise privacy notices. Your policy should identify the controller, provide contact details (and your advisor/DPO if appointed), state purposes, legal bases, recipients, retention periods, cross-border disclosures, sources of data, and whether automated decisions/profiling occur. Explain individuals' rights to access, correction, deletion, and objection. Map your processing, then align the notice. LegalDocs.ai can audit your data flows, auto-build compliant clauses, and keep versioned records for inspections.

Cross-border transfers must meet Swiss adequacy rules under the FADP and the Ordinance to the FADP (OFADP). Check the FDPIC list of states with adequate protection; if a destination is not listed, implement safeguards such as standard contractual clauses, risk assessments, and supplementary measures. Your privacy policy should name the countries (or categories), the safeguards used, and how to obtain copies. Review vendor contracts and data maps annually. LegalDocs.ai offers jurisdiction tracking, SCC generators, and automated transfer risk assessments to streamline compliance.

Consider appointing a Data Protection Advisor (DPO) under the FADP; while optional, a notified advisor can replace prior consultation with the FDPIC for certain high-risk processing and supports DPIAs, training, and monitoring. Publish the advisor's contact details in your policy. For breaches, promptly assess risk and notify the FDPIC as soon as possible where there is a high risk to personality rights; inform affected individuals when necessary. Maintain an incident playbook, test it, and log decisions. LegalDocs.ai provides DPO toolkits and breach workflows.