On 1 September 2023 the new Swiss Federal Act on Data Protection (nFADP) came into force. Almost a year on, the question is uncomfortable but necessary: how many Swiss companies are truly compliant?

The reality on the ground

Our direct experience with Ticino and Swiss SMEs tells a fragmented story. Some companies tackled the adaptation rigorously — updating privacy notices, building the records of processing, revising supplier contracts. Others made only superficial adjustments. Many have not yet started.

The most common causes of delay:

  • Underestimating the scope — “we’re small, it doesn’t concern us” is a widespread and mistaken perception
  • Lack of internal resources — in SMEs there is almost never a dedicated privacy officer
  • Perceived complexity — the law seems technical and distant from day-to-day operations
  • Competing priorities — urgent IT projects systematically displace compliance ones

What the law says to SMEs

The nFADP includes some simplifications for small companies: a business with fewer than 250 employees that processes data only for ordinary commercial purposes has reduced requirements for the records of processing. But it is not exempt from all obligations.

The following remain mandatory for all companies:

  • Information notices to data subjects (customers, employees) on how their data is processed
  • Adequate technical and organisational measures to protect the data
  • Breach notification procedure
  • Correct contractual bases with suppliers processing data on the company’s behalf

The practical starting point

If you do not know where to begin, the answer is always the same: with a blank sheet of paper and a simple question — which personal data do we process every day? Customers, employees, suppliers, business contacts. Where it comes from, where it ends up, who sees it.

Everything else is built from that list. You do not need a legal consultant for the first step: you need honesty and a few hours of work.


Sources