New data protection legislation

The data protection legislation has been completely revised in order to adapt to new technological and societal conditions and to the requirements of international law. It came into force on 1 September 2023.

1. What has happened so far

• 1992 – First Federal Act on Data Protection (FADP)

  The first Federal Act on Data Protection (FADP) came into force on 19 June 1992. With technological and societal developments and increasing data protection threats, the Federal Council considered it necessary to strengthen the data protection legislation.

  • Federal Act of 19 June 1992 on Data Protection (FADP) (status as of 1 March 2019)
    (FADP, CC 235.1)
  • Bericht des Bundesrates vom 9. Dezember 2011 über die Evaluation des Bundesgesetzes über den Datenschutz / Rapport du Conseil fédéral du 9 décembre 2011 sur l'évaluation de la loi fédérale sur la protection des données / Rapporto del Consiglio federale del 9 dicembre 2011 concernente la valutazione della legge federale sulla protezione dei dati
    (BBl 2012 335 / FF 2012 255 / FF 2012 227) (This document is not available in English)

• 2017 – Dispatch on the total revision of the FADP

  An advisory group was set up to prepare a preliminary draft revision of the FADP. On 15 September 2017, the Federal Council adopted the draft new FADP and the related dispatch. The revised text aimed to better protect citizens' rights and to strengthen the economy by harmonising Swiss law with the protection standards of the EU and the Council of Europe, particularly with regard to the cross-border disclosure of personal data.

  • Entwurf zur Totalrevision des Bundesgesetzes über den Datenschutz und die Änderung weiterer Erlasse zum Datenschutz (siehe insbesondere den Anhang, S. 7206) / Projet de loi fédérale sur la révision totale de la loi fédérale sur la protection des données et sur la modification d’autres lois fédérales (voir spécialement l’annexe, p. 6815) / Disegno della legge federale relativa alla revisione totale della legge federale sulla protezione dei dati e alla modifica di altri atti normativi sulla protezione dei dati (v. in particolare l’allegato, p. 6213)
    (BBl 2017 7193 / FF 2017 6803 / FF 2017 6173) (This document is not available in English)
  • Botschaft des Bundesrates vom 15. September 2017 zum Bundesgesetz über die Totalrevision des Bundesgesetzes über den Datenschutz und die Änderung weiterer Erlasse zum Datenschutz / Message du Conseil fédéral du 15 septembre 2017 concernant la loi fédérale sur la révision totale de la loi fédérale sur la protection des données et sur la modification d’autres lois fédérales / Messaggio del Consiglio federale del 15 settembre 2017 concernente la legge federale relativa alla revisione totale della legge sulla protezione dei dati e alla modifica di altri atti normativi sulla protezione dei dati
    (BBl 2017 6941 / FF 2017 6565 / FF 2017 5939) (This document is not available in English)

• 2018 – Adoption of the SDPA (Schengen)

  Parliament debated the draft and divided it in two. Initially, it decided only to adopt Directive (EU) 2016/680 (Development of the Schengen acquis) approving the Schengen Data Protection Act (SDPA), which came into force on 1 March 2019. However, it was repealed on 1 September 2023 when the major reform of data protection legislation came into force. The SDPA did not apply to private data controllers. It only applied to the processing of personal data carried out by federal bodies in the criminal and judicial fields.

  • Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA
  • Parlamentarische Beratungen (17.059) zum Entwurf 1 und 2 (Erste Etappe: Datenschutzbestimmungen für die Schengener Zusammenarbeit in Strafsachen und Genehmigung des Notenaustausches zwischen der Schweiz und der EU) / Délibérations parlementaires (17.059) sur les projets 1 et 2 (première étape : disposition de protection des données pour la coopération Schengen en matière pénale et approbation de l’échange de notes entre la Suisse et l’UE) / Deliberazioni parlamentari (17.059) sui disegni 1 e 2 (prima tappa: disposizioni sulla protezione dei dati per la collaborazione Schengen in materia penale e approvazione dello scambio di note tra la Svizzera e l’UE)
    (This document is not available in English)
  • Bundesgesetz über den Datenschutz im Rahmen der Anwendung des Schengen-Besitzstands in Strafsachen (Schengen-Datenschutzgesetz) / Loi fédérale sur la protection des données personnelles dans le cadre de l'application de l'acquis de Schengen dans le domaine pénal (Loi sur la protection des données Schengen) / Legge federale sulla protezione dei dati personali nell'ambito dell'applicazione dell'acquis di Schengen in materia penale (Legge sulla protezione dei dati in ambito Schengen)
    (SDSG, AS 2019 639 / LPDS, RO 2019 639 / LPDS, RU 2019 639) (This document is not available in English)

• 2020 – Adoption of the new FADP

  In a second phase, Parliament tackled the revision of the Federal Data Protection Act (FADP). The aim of this revision was not only to meet the challenges posed by technological developments, but also to take account of developments at an international level, in particular the reforms carried out by the Council of Europe in this area, i.e. Convention 108+ and EU (Regulation (EU) 2016/679 for data protection (GDPR), which came into force on 25 May 2018 (although the GDPR is not formally binding on Switzerland). The Federal Data Protection Act was adopted by Parliament on 25 September 2020 following intense debate in the two Chambers and after a conciliation meeting had addressed the issue of high-risk profiling. The revised FADP came into force on 1 September 2023.

  • Convention 108+
    Modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data of 18 May 2018
  • Parlamentarische Beratungen (17.059) zum Entwurf 3 (Zweite Etappe: Totalrevision des DSG) / Délibérations parlementaires (17.059) sur le projet 3 (deuxième étape : révision totale de la LPD) / Deliberazioni parlamentari (17.059) sul disegno 3 (seconda tappa: revisione totale della LPD)
    (This document is not available in English)
  • Federal Act of 25 September 2022 on Data Protection
    (FADP, CC 235.1)

• 2022 – Adoption of new ordinances (DPO and DPCO)

  The Federal Council adopted the Data Protection Ordinance (DPO) and the Data Protection Certification Ordinance (DPCO) on 31 August 2022. They supplement the FADP and came into force on 1 September 2023.

  • Ordinance of 31 August 2022 on Data Protection
    (DPO, CC 235.11)

  • Verordnung über den Datenschutz (Datenschutzverordnung, DSV). Erläuternder Bericht / Ordonnance sur la protection des données (OPDo). Rapport explicatif / Ordinanza sulla protezione dei dati (OPDa). Rapporto esplicativo

    (This document is not available in English)

    PDF3.14 MB31 August 2022

  • Ordinance of 28 September 2007 on Data Protection Certification
    (DPCO, CC 235.13)

  • Verordnung über Datenschutzzertifizierungen (VDSZ). Erläuternder Bericht / Ordonnance sur les certifications en matière de protection des données (OCPD). Rapport explicatif / Ordinanza sulle certificazioni in materia di protezione dei dati (OCPD). Rapporto esplicativo

    PDF548.43 kB31 August 2022

  • Richtlinien des EDÖB über die Zertifizierung von Managementsystemen vom 31. August 2023 / Directives du PFPDT sur la certification de l’organisation et de la procédure du 31 août 2023 / Direttive del IFPDT sulla certificazione dei sistemi di gestione del 31 agosto 2023
    (BBl 2023 1999 / FF 2023 1999 / FF 2023 1999) (This document is not available in English)
  • Richtlinien des EDÖB über die weiteren datenschutzrechtlichen Kriterien für die Prüfung zu den Anforderungen an die Zertifizierung von Produkten, Dienstleistungen und Prozessen vom 31. August 2023 / Directives du PFPDT sur les autres critères en matière de protection pour l’évaluation des exigences relatives à la certification des produits, des services et des processus du 31 août 2023 / Direttive del IFPDT sugli altri criteri in materia di protezione dei dati per l’esame dei requisiti per la certificazione di prodotti, servizi e processi del 31 agosto 2023  
    (BBl 2023 2000 / FF 2023 2000 / FF 2023 2000) (This document is not available in English)

• 2023 – The new FADP and ordinances come into force

  The Federal Council decides that the Data Protection Act and the related ordinances (DPO and DPCO) will come into force on 1 September 2023.

  • Neues Datenschutzrecht ab 1. September 2023 / Nouveau droit de la protection des données à partir du 1er septembre 2023 / Nuovo diritto in materia di protezione dei dati dal 1° settembre 2023
    Medienmitteilung des Bundesrates vom 31. August 2022 mit der Ankündigung des Inkrafttretens des neuen Datenschutzrechts / Communiqué aux médias du Conseil fédéral annonçant l’entrée en vigueur du nouveau droit de la protection des données / Comunicato per i media del Consiglio federale che annuncia l’entrata in vigore del nuovo diritto sulla protezione dei dati (This document is not available in English)

2. International framework

Like Swiss law, international law has also had to take account of technological developments.

Within the Council of Europe, the first Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was signed in Strasbourg on 28 January 1981. The Federal Council ratified the Convention in 1997; it came into force in Switzerland on 1 February 1998.

• Übereinkommen zum Schutz des Menschen bei der automatischen Verarbeitung personenbezogener Daten vom 28. Januar 1981 / Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28 January 1981 / Convenzione del 28 gennaio 1981 per la protezione delle persone in relazione all’elaborazione automatica dei dati a carattere personale
  (SR 0.235.1 / RS 0.235.1 / RS 0.235.1) (This document is not available in English)

In 2018, an Amending Protocol was adopted to meet the challenges posed by new information and communication technologies and to ensure the effective implementation of the Convention. The Protocol was signed on 21 November 2019 and ratified on 7 September 2023 by Switzerland.

• Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No 108) of 18 May 2018

The modernised Convention 108, also known as Convention 108+, will come into force once 38 States Parties have ratified the Protocol of Amendment; it is not yet in force.

• Convention 108+

On the European Union side an initial Directive on data protection was adopted in 1995. Switzerland, however, is not bound by this instrument.

• Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

In 2012, the European Commission proposed a comprehensive reform of the Data Protection Directive adopted in 1995, with the aim of improving the privacy rights of data subjects while taking account of the digital economy. On 27 April 2016, the General Data Protection Regulation (GDPR) and Directive (EU) 2016/680 were adopted. Directive (EU) 2016/680 is binding on Switzerland to the extent that it forms part of the development of the Schengen acquis. The GDPR, on the other hand, is not binding on Switzerland.

• Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHI
• Regulation (EU) 2016/679 of the European Parliament and of the Council of the 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)

Further information

• Links

  The full dossier on improving data protection is available at the following page

  • Rechtsetzungsprojekt «Stärkung des Datenschutzes» / Projets législatifs « Renforcement de la protection des données » / Progetto di legislazione «Rafforzamento della protezione dei dati»
    (This document is not available in English)

  The various reports and legal opinions relating to the complete revision of the Data Protection Act are available at the following page

  • Berichte und Rechtsgutachten zur Totalrevision des Datenschutzgesetzes / Rapports et avis de droit relatifs à la révision totale de la loi sur la protection des données / Rapporti e pareri giuridici relativi alla revisione totale della LPD
    (This document is not available in English)