
Complete 2026 Swiss nFADP guide: effective Sept 2023, EDÖB, cookie consent, privacy policy, DPO optional, breach notification, CHF 250K penalties.

🇨🇭 Complete Swiss nFADP / revDSG Compliance Guide — 2026 Edition

Swiss Data Protection Act (DSG) for Online Retailers 2026: nFADP Compliance & E-Commerce Guide

Switzerland's revised Federal Act on Data Protection — nFADP (revDSG) — has been in force since 1 September 2023, replacing the 1992 statute and aligning Swiss law much more closely with the EU GDPR. For online retailers the stakes are unusually high: the headline fine is up to CHF 250,000 imposed on the responsible individual, not the company. The EDÖB (Federal Data Protection and Information Commissioner) is the regulator, and a series of Swiss-specific particularities — no statutory consent for non-sensitive cookies, voluntary data protection advisor, "as soon as possible" breach notification — separate Swiss compliance from EU GDPR practice. This guide breaks down all ten pillars of nFADP for e-commerce: who it applies to, what data subject rights you must honour, when and how to notify breaches, how cross-border data transfers work, and how to centralise the entire compliance flow in a single panel.

✓ 10 pillars covered ✓ nFADP / revDSG 2023 ✓ EDÖB-aligned guidance ✓ GDPR ↔ nFADP delta

Key figures at a glance:

  • CHF 250K · max personal fine (nFADP)
  • 1 Sep 2023 · nFADP / revDSG in force
  • EDÖB · federal supervisory authority
  • ~7.5M · Swiss online shoppers (2026)

Swiss nFADP Snapshot 2026 — Quick Read

The revised Federal Act on Data Protection (nFADP / revDSG) has been in force since 1 September 2023, replacing Switzerland's 1992 statute and aligning Swiss law much more closely with the EU GDPR. The regulator is the EDÖB (Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter / Federal Data Protection and Information Commissioner). For e-commerce, five Swiss particularities matter: (1) fines up to CHF 250,000 are imposed on individuals, not companies; (2) cookie consent is not statutorily mandated — transparency + opt-out is enough under Swiss law alone; (3) the DPO / Datenschutzberater is voluntary for private companies but unlocks EDÖB self-clearance for high-risk DPIAs; (4) breach notification is "as soon as possible", not a hard 72 hours; (5) records of processing apply only to companies with 250+ employees or high-risk processing. Cross-border transfers follow the Federal Council's adequacy list — the EU/EEA, UK, Canada, Japan and the Swiss-US Data Privacy Framework are covered.

The 2026 Swiss Data Protection Landscape at a Glance

The ten pillars below are the load-bearing structure of nFADP compliance for online retailers. Keep this card stack nearby as you read each deep-dive section — every Swiss e-commerce data protection obligation maps to one of these ten cards.

nFADP — Revised Federal Act on Data Protection

In force 1 Sep 2023 · replaces 1992 FADP · SR 235.1 · aligned with EU GDPR, with Swiss particularities

SR 235.1 · nFADP / revDSG

EDÖB — Federal Data Protection Authority

Bern-based independent regulator · Adrian Lobsiger commissioner · supervisory + criminal complaint powers

edoeb.admin.ch · Swiss DPA

Cookie Transparency (not strict consent)

nFADP requires informed transparency · GDPR-style opt-in not mandatory under Swiss law alone · CMP still recommended for EU dual-targeting

Opt-out OK under Swiss law

Mandatory Privacy Policy (Art. 19 nFADP)

Duty to inform · identity, purposes, recipients, transfers abroad, retention, data subject rights · easily accessible

Art. 19 · duty to inform

DPO / Datenschutzberater (voluntary)

Optional for private companies · Art. 10 nFADP · registration with EDÖB unlocks DPIA self-clearance

Art. 10 · voluntary appointment

Penalties up to CHF 250,000 — on the individual

Criminal fines on the responsible person (manager, director) · not on the company · profound impact on governance

CHF 250K · personal liability

Ready to ship into Switzerland with nFADP compliance?

Zunapro bundles a Swiss data protection pack — privacy policy generator, EDÖB-aligned DSAR workflow, cookie CMP, breach incident workflow, cross-border transfer registry — alongside marketplace integrations for Galaxus, Digitec, Brack and Ricardo.


1. nFADP — The Revised FADP in Force Since 1 September 2023

Three Decades of Reform, in One Date

The original Swiss FADP (DSG) dated to 1992 — predating the EU's Data Protection Directive by three years and the GDPR by a quarter of a century. By the mid-2010s the gap had become untenable: Switzerland needed to maintain an EU "adequacy decision" to keep data flowing freely between Swiss controllers and European businesses. The Federal Council tabled a full revision in 2017; the revised FADP — nFADP / revDSG — was adopted on 25 September 2020, with 1 September 2023 as the entry-into-force date.

The result is a law that is visibly inspired by the GDPR — same controller/processor logic, same data subject rights catalogue, same risk-based DPIA requirement — but with deliberate Swiss particularities: personal criminal liability and lighter administrative obligations for SMEs.

The Eight Big Changes for E-Commerce

If you ran a Swiss online shop under the old 1992 FADP and kept doing what you were doing, you are now non-compliant on at least eight separate counts:

  • Only natural persons are protected — legal-entity protection dropped, aligning with GDPR
  • Strengthened duty to inform (Art. 19) — disclose every recipient, transfer and legal basis
  • Privacy by Design / by Default (Art. 7) — identical wording to GDPR Art. 25
  • Records of processing (Art. 12) — mandatory for 250+ employees or high-risk processing
  • Data Protection Impact Assessment (Art. 22) — required for high-risk processing
  • Right to data portability (Art. 28) — newly added, almost identical to GDPR Art. 20
  • Breach notification (Art. 24) — "as soon as possible" for high-risk breaches
  • CHF 250,000 personal fine — replaces the symbolic CHF 10,000 of the 1992 law

Who Is in Scope? The Extraterritorial Reach

Art. 3 nFADP defines a broad extraterritorial reach: the law applies "to circumstances that have an effect in Switzerland, even if they are initiated abroad". In e-commerce terms, an EU or non-EU retailer that:

  • ships physical goods to Swiss addresses, OR
  • operates a Swiss-targeted website (German / French / Italian language, .ch domain, CHF pricing, Swiss flag in the header), OR
  • runs paid acquisition targeting Swiss postcodes / Swiss residents, OR
  • processes payment via TWINT, PostFinance or Swiss credit cards

…falls within the scope of the nFADP and must comply. Art. 14 then layers in the obligation, for controllers not established in Switzerland, to appoint a Swiss representative in certain cases (regular large-scale processing of Swiss residents, high-risk processing, or processing of sensitive personal data).

The Compliance Calendar — 2026

By June 2026 every Swiss-targeted online shop must already be on the new regime. There is no further transitional period — the 1 September 2023 effective date applied immediately, without grandfathering. If your privacy policy still references the 1992 law, your records of processing are missing, or your breach response runbook does not name the EDÖB, you are non-compliant today.

2. EDÖB — The Swiss Federal Data Protection Authority

Who Is the EDÖB?

The Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB) — Federal Data Protection and Information Commissioner — is the Swiss equivalent of the German BfDI, the French CNIL or the UK ICO. It is an independent federal authority based in Bern, currently led by Adrian Lobsiger (in office since 2016, reappointed for the 2022–2027 term).

Powers Under the New Law

The 2023 revision substantially strengthened the EDÖB's toolkit. Under the new nFADP the Commissioner can:

  • Open formal investigations on its own initiative or on complaint
  • Issue binding administrative orders — including ordering a controller to modify, suspend or stop a processing operation
  • Mandate breach notification publication if a controller fails to inform affected data subjects
  • Refer cases for criminal prosecution — Swiss criminal fines on individuals run through the cantonal criminal courts
  • Coordinate with cantonal data protection authorities (each canton has its own DPA for cantonal public bodies)
  • Issue official statements and guidance — the EDÖB's Leitfäden are treated as quasi-binding in practice

The EDÖB's Public Guidance Library

Unlike many European DPAs, the EDÖB publishes most of its guidance in three languages (DE / FR / IT) and increasingly in English. Key documents Swiss e-commerce operators should keep open in a browser tab:

  • Leitfaden zur Datensicherheit — guidance on technical and organisational security measures
  • Leitfaden zur Meldung von Verletzungen der Datensicherheit — the official breach notification playbook
  • Erläuterungen zur Datenschutz-Folgenabschätzung — DPIA methodology
  • Liste der Staaten mit angemessenem Datenschutzniveau — adequacy list of third countries
  • Standardvertragsklauseln — Swiss SCCs for cross-border transfers
📋 Official EDÖB portal: the Commissioner publishes its full guidance library, the adequacy list, the breach notification form and the registration form for Datenschutzberater on the edoeb.admin.ch federal portal. Zunapro syncs the live adequacy list into its cross-border transfer module so your data routing decisions remain accurate even when the Federal Council updates the list.

How Active Is Enforcement in Practice?

The EDÖB is historically a pragmatic, dialogue-first regulator. Annual reports show single-digit to low double-digit formal investigations per year, but high informal correspondence. The 2023 change is the credible threat of criminal referral against individuals: enforcement risk has shifted from "abstract corporate fine" to "concrete personal criminal record".

3. Cookie Consent in Switzerland — Less Strict Than EU, But Recommended

This is the single biggest "Switzerland is not the EU" point operators get wrong: Swiss law does not require statutory opt-in consent for non-sensitive cookies. The basis is twofold: (1) the nFADP uses transparency + legitimate interest — there is no Swiss equivalent of EU ePrivacy Art. 5(3) opt-in; (2) Art. 45c of the Swiss Telecommunications Act (FMG) requires only that users are informed and given the possibility to refuse — explicit prior consent is not mandated.

A Swiss-only site can thus comply with a "soft" banner that informs, offers opt-out and proceeds with tracking unless the user objects — closer to the US "notice-and-choice" model than to the EU "prior informed consent" model.

The Catch — EU Dual-Targeting

The catch is that any Swiss online shop that also serves EU visitors — and almost all do (DACH or wider Europe) — falls within GDPR + ePrivacy as soon as an EU resident lands on the site. In practice, almost every Swiss e-commerce site implements a GDPR-style CMP consent banner as the safe default, even though Swiss law alone would tolerate something lighter.

What the EDÖB Actually Expects

The Commissioner has signalled that for non-sensitive cookies (analytics, basic personalisation), transparency + meaningful opt-out is sufficient. For sensitive processing (cross-device tracking, behavioural advertising, profiling with significant effect), the consent threshold tightens — explicit, granular consent is required. "Cookie walls" that refuse access unless tracking is accepted are problematic.

The Practical 2026 Stack

  • Tier 1 — strictly necessary: no consent needed (session, cart, language, CSRF)
  • Tier 2 — functional + analytics: transparent banner + opt-out under Swiss law; opt-in best practice for EU dual-targeting
  • Tier 3 — marketing / cross-device: explicit opt-in, granular per vendor, with revocation
  • Documentation: per-vendor cookie registry, retention duration and legal basis
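As an added example (not Zunapro or EDÖB code), the three-tier gating above written as a decision function: it returns which cookies may be set for a visitor given the jurisdiction and the banner choices recorded so far. The cookie registry, vendor names and retention values are constructed sample data.

```python
"""Cookie-tier gating for a Swiss shop that may also serve EU visitors.

Added example, not Zunapro or EDÖB code. It encodes the three-tier stack
from the section above: Tier 1 is always set; Tier 2 is opt-out under Swiss
law alone but needs prior opt-in when the visitor is in the EU (dual
targeting); Tier 3 needs explicit, per-vendor opt-in everywhere.
Cookie names, vendors and retention values are constructed sample data.
"""
from dataclasses import dataclass, field
from enum import Enum


class Tier(Enum):
    NECESSARY = 1   # session, cart, language, CSRF
    FUNCTIONAL = 2  # functional + analytics
    MARKETING = 3   # marketing / cross-device


@dataclass(frozen=True)
class Cookie:
    name: str
    vendor: str
    tier: Tier
    purpose: str
    retention_days: int   # documented per vendor, as the registry requires
    legal_basis: str


@dataclass
class ConsentState:
    """What the visitor expressed through the banner (or nothing yet)."""
    jurisdiction: str                            # "CH" (Swiss law alone) or "EU"
    opted_in: set = field(default_factory=set)   # vendors explicitly accepted
    opted_out: set = field(default_factory=set)  # vendors explicitly refused


# Constructed cookie registry: vendor, purpose, retention and legal basis.
REGISTRY = [
    Cookie("sid", "shop", Tier.NECESSARY, "session / cart", 0, "contract"),
    Cookie("csrf", "shop", Tier.NECESSARY, "CSRF protection", 0, "contract"),
    Cookie("_ana", "AnalyticsCo", Tier.FUNCTIONAL, "site analytics", 365, "legitimate interest"),
    Cookie("_ad", "AdNet", Tier.MARKETING, "cross-device advertising", 180, "consent"),
]


def may_set(cookie: Cookie, consent: ConsentState) -> bool:
    """Decide whether a single cookie may be placed for this visitor."""
    if cookie.tier is Tier.NECESSARY:
        return True                               # strictly necessary: no consent
    if cookie.vendor in consent.opted_out:
        return False                              # an explicit refusal always wins
    if cookie.tier is Tier.MARKETING:
        return cookie.vendor in consent.opted_in  # explicit opt-in, per vendor
    # Tier 2: Swiss law alone tolerates transparency + opt-out, so the
    # cookie may be set until the visitor objects; EU visitors need opt-in.
    if consent.jurisdiction == "EU":
        return cookie.vendor in consent.opted_in
    return True


def allowed_cookies(consent: ConsentState, registry=REGISTRY) -> list:
    """Names of the registry cookies that may be set right now."""
    return [c.name for c in registry if may_set(c, consent)]


def revoke(consent: ConsentState, vendor: str) -> ConsentState:
    """Revocation: drop the vendor from the opt-ins and record the refusal,
    so the next evaluation no longer sets its cookies."""
    consent.opted_in.discard(vendor)
    consent.opted_out.add(vendor)
    return consent
```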

4. Privacy Policy — Mandatory Under Art. 19 nFADP

The Duty to Inform — Now Strict

Art. 19 nFADP imposes a structured duty to inform (Informationspflicht) on every controller. Whenever personal data are collected — whether directly from the data subject or from a third party — the controller must proactively disclose:

  • The identity and contact details of the controller (company name, legal form, registered office, email)
  • The purposes of processing in clear, specific language — not generic boilerplate
  • The categories of recipients — internal departments, processors, third-party services, public bodies
  • Each transfer abroad — destination country, legal basis (adequacy decision, Swiss SCCs, BCR, explicit consent)
  • The retention periods per data category
  • The full catalogue of data subject rights and how to exercise them

How to Structure the Privacy Policy

The EDÖB does not prescribe a single mandatory format, but the practical industry standard for Swiss e-commerce is:

  1. Identity and contact — controller, registered office, EDÖB-registered Datenschutzberater (if any), Swiss representative for foreign controllers
  2. Categories of personal data — identification, contact, account, order history, payment, behavioural, technical
  3. Purposes and legal bases — fulfilment of contract, legitimate interest, legal obligation, consent
  4. Recipients and processors — named list with country of establishment
  5. Transfers abroad — destination, legal basis, link to Swiss SCCs or adequacy decision
  6. Retention periods — per data category, anchored to a specific statutory or contractual basis
  7. Data subject rights — full catalogue, contact for DSAR, complaint route to the EDÖB
  8. Automated decisions and profiling — disclosure under Art. 21 nFADP
  9. Cookies and tracking — overview, link to the cookie CMP, opt-out instructions
  10. Security measures — high-level summary of technical and organisational measures

Common Mistakes to Avoid

  • Copy-pasted German policies referencing the GDPR/BfDI instead of nFADP/EDÖB
  • Generic "we process your data to provide our services" — fails Art. 19 specificity
  • Missing cross-border transfer disclosure for AWS, Google Workspace, US SaaS
  • No DSAR contact channel — must give a working email or form
  • No "last updated" date — every material change must be dated

5. Data Protection Officer / Datenschutzberater — Voluntary but Strategic

The Swiss Term: Datenschutzberater

The 2023 revision deliberately did not adopt the GDPR's mandatory DPO regime. Art. 10 nFADP introduces the Datenschutzberater (data protection advisor) as a voluntary appointment for private companies — both to provide SME relief and to maintain a distinct, lighter-touch alternative to the GDPR while still securing the EU adequacy decision.

Why You Should Appoint One Anyway

Despite being voluntary, appointing and registering a Datenschutzberater with the EDÖB brings a major practical benefit: self-clearance of high-risk DPIAs. Under Art. 23 nFADP, if a DPIA shows a residual high risk, the controller must consult the EDÖB before proceeding — except when a registered Datenschutzberater has been involved in the assessment, in which case the controller can rely on the internal advisor's opinion and proceed without EDÖB consultation.

For e-commerce operators that run any form of profiling, recommendation engine, fraud-scoring or cross-device tracking, this is a meaningful operational advantage — EDÖB consultations can take weeks to months.

Who Can Be a Datenschutzberater?

Art. 10 nFADP requires that the advisor:

  • has the professional qualifications required to perform the function (legal + technical literacy)
  • performs the function independently and is not subject to instructions in carrying it out
  • has no conflict of interest with the function
  • is empowered to access all necessary information and resources

The advisor can be an internal employee or an external consultant. For small Swiss e-commerce SMEs the most common setup is an external Swiss lawyer specialising in data protection, billed on a retainer.

Registration with the EDÖB

To unlock the DPIA self-clearance benefit, the controller must register the Datenschutzberater with the EDÖB via the federal portal. The registration is free, takes a few days to process, and must include the advisor's name, qualifications and contact details. The EDÖB maintains a public register of registered advisors.

For Federal Bodies — DPO Is Mandatory

Federal bodies (departments, agencies, courts) must appoint a DPO under Art. 10 nFADP — matching the GDPR's mandatory regime for public authorities.

6. Data Subject Rights Under the nFADP

The Full Catalogue

The nFADP grants Swiss data subjects a catalogue of rights that is, in substance, almost identical to GDPR Articles 15–22:

  • Right of information (Art. 19) — proactive disclosure at the moment of collection
  • Right of access (Art. 25–27) — the data subject can request a copy of all personal data being processed, the purposes, recipients, retention, source and any automated individual decisions
  • Right of rectification (Art. 32) — correction of inaccurate data
  • Right of erasure — derived from Art. 32 and from the proportionality principle; not always absolute (statutory retention obligations may prevail)
  • Right to object — to processing based on legitimate interest, including profiling
  • Right against automated individual decisions (Art. 21) — the right to be informed about, and to demand human review of, decisions made solely by automated means with legal or significant effect
  • Right to data portability (Art. 28) — newly added in the 2023 revision; right to receive personal data in a structured, commonly used, machine-readable format

The DSAR Workflow

Under Art. 25 nFADP the controller must respond to an access request within 30 days. The deadline can be extended in case of complexity, with the data subject informed. Critically, the response must be free of charge in normal cases; the controller can only charge a reasonable fee (up to CHF 300) when the request is manifestly excessive or repetitive.

The required content of a DSAR response is detailed:

  • A copy of the personal data being processed
  • The purposes of processing
  • The retention period or, if not possible, the criteria used to determine it
  • The information available about the source of the data
  • The categories of recipients
  • Information about the existence of automated individual decisions and the underlying logic
  • Where applicable, the recipients abroad and the safeguards in place

Refusal Grounds (Art. 26)

The controller may refuse, restrict or postpone an access request only on narrow grounds: statutory grounds, predominant third-party interest, predominant controller interest (where data are not disclosed to anyone and the interest is justified), or predominant public interest (especially internal/external security). Any refusal must be reasoned, with notice of the right to complain to the EDÖB or seize the civil courts.

7. Data Breach Notification — "As Soon As Possible"

The Swiss Standard Is Flexible — But Not Lax

Art. 24 nFADP imposes a breach notification duty on controllers whenever a data security breach is likely to result in a high risk to the personality or fundamental rights of the data subject. The notification is to the EDÖB, and must happen "as soon as possible" — in German "so rasch als möglich", in French "dans les meilleurs délais".

This is the most-cited Swiss-vs-GDPR difference. The GDPR fixes a hard 72-hour clock from the moment the controller becomes aware. The nFADP deliberately rejects a hard deadline — but EDÖB guidance has made clear that "as soon as possible" should be measured in working days, not weeks, and that delays beyond five working days will attract questioning.

When Is Notification Required?

Only breaches with high risk to the personality or fundamental rights need to be notified. Practical examples that always meet the threshold:

  • Loss of an unencrypted laptop or backup tape containing customer records
  • Ransomware encryption or exfiltration of order / payment databases
  • Misconfigured cloud bucket exposing customer addresses, phone numbers or order history
  • Successful phishing on a customer service inbox that touched personal data
  • Insider exfiltration of marketing or sales contact lists
  • Vendor / processor breach that touched Swiss data subjects

Notification Content

The notification to the EDÖB must include:

  • The nature of the breach — what happened, when, how it was discovered
  • The categories and approximate number of data subjects concerned
  • The categories and approximate number of personal data records involved
  • The likely consequences for the data subjects
  • The measures already taken or planned to remediate
  • The contact details of the Datenschutzberater or other contact point

The EDÖB provides a structured online form on its federal portal for submission.

Notification to the Data Subjects

The controller must also notify the affected data subjects directly when this is necessary for their protection or when the EDÖB requires it. The notification can be omitted if the controller has taken adequate protective measures (e.g. the affected data were encrypted and the key was not compromised) — in which case the EDÖB notification still stands.

The Practical Runbook

  1. T+0: incident detected, isolate, freeze the scene
  2. T+24h: triage — quantify breach, identify data subject categories, assess high-risk threshold
  3. T+72h: internal decision — Datenschutzberater + legal + management agree on notification
  4. T+5 working days: EDÖB notification via federal portal
  5. Post-incident: data subject notification if required, file in records of processing, update DPIAs
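As an added example that is not part of the original guide, the runbook above as a deadline scheduler plus the two notification tests from this section (EDÖB on high risk; data subjects unless encryption with an uncompromised key makes direct notice unnecessary). It assumes a Mon-Fri working week with no holiday calendar and a constructed set of high-risk data categories.

```python
"""Breach runbook timer and notification triage for an nFADP incident.

Added example, not Zunapro or EDÖB code. It turns the five-step runbook above
into a deadline schedule and applies the two notification tests from the
section: notify the EDÖB when the breach is likely to pose a high risk, and
notify data subjects unless adequate protective measures (encrypted data,
uncompromised key) make that unnecessary. The high-risk category set and the
Mon-Fri working-day rule are assumptions; cantonal public holidays are not
modelled, so check the computed date against a holiday calendar.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Data categories the section lists as always meeting the high-risk threshold
# (customer records, payment/order data, addresses, contact lists). Assumption.
HIGH_RISK_CATEGORIES = {"customer_records", "payment", "order_history",
                        "address", "phone", "contact_list"}


@dataclass(frozen=True)
class Breach:
    detected_at: datetime
    data_categories: frozenset          # what was lost, exposed or exfiltrated
    subjects_affected: int
    encrypted_key_safe: bool            # data encrypted and the key not compromised
    edoeb_ordered_notice: bool = False  # EDÖB required subject notification


def add_working_days(start: datetime, days: int) -> datetime:
    """Advance by whole working days (Mon-Fri), skipping weekends."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:   # 0 = Monday ... 4 = Friday
            remaining -= 1
    return current


def is_high_risk(breach: Breach) -> bool:
    """High risk to personality or fundamental rights: any listed category hit."""
    return bool(breach.data_categories & HIGH_RISK_CATEGORIES)


def must_notify_subjects(breach: Breach) -> bool:
    """Direct notice is needed for the subjects' protection, unless adequate
    measures (encryption, uncompromised key) apply; an EDÖB order overrides."""
    if breach.edoeb_ordered_notice:
        return True
    return is_high_risk(breach) and not breach.encrypted_key_safe


def runbook(breach: Breach) -> dict:
    """Deadlines relative to detection plus the two notification decisions."""
    t0 = breach.detected_at
    return {
        "isolate_by": t0,                            # T+0: isolate, freeze the scene
        "triage_by": t0 + timedelta(hours=24),       # T+24h: quantify, assess risk
        "decision_by": t0 + timedelta(hours=72),     # T+72h: advisor + legal + mgmt
        "edoeb_deadline": add_working_days(t0, 5),   # T+5 working days: EDÖB form
        "notify_edoeb": is_high_risk(breach),        # EDÖB notice stands even if encrypted
        "notify_subjects": must_notify_subjects(breach),
    }
```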

8. Cross-Border Data Transfers — Adequacy List + Swiss SCCs

The Federal Council Adequacy List

Art. 16 nFADP allows transfers if the Federal Council has determined that the country provides an adequate level of protection. As of June 2026 the list covers:

  • The full EU and EEA (27 Member States + Iceland, Liechtenstein, Norway) — most common destination for Swiss e-commerce data
  • UK, Andorra, Argentina, Canada (commercial), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, Monaco, New Zealand, South Korea, Uruguay
  • United States — only for organisations certified to the Swiss-US Data Privacy Framework (in force since 2024)

Transfers to any other country require a separate legal basis: Swiss SCCs, Binding Corporate Rules, explicit consent, or a narrow Art. 17 derogation.

Swiss Standard Contractual Clauses

The EDÖB has officially recognised the EU SCCs (2021/914) as Swiss-law-compliant, subject to country-specific tweaks (GDPR → nFADP, Member State law → Swiss law). For EU+Swiss combined flows you can deploy a single set of SCCs that satisfies both regimes — the de-facto industry standard.

The Swiss-US Data Privacy Framework

After Schrems II invalidated the EU-US and Swiss-US Privacy Shield, a successor was negotiated. The Swiss-US Data Privacy Framework entered into force on 15 September 2024, restoring adequacy for US organisations that self-certify. AWS, Google Cloud, Microsoft Azure and most major DPF-certified SaaS vendors can again receive Swiss data without separate SCCs.

The Practical Transfer Matrix

  • Hosting in Switzerland or EU/EEA — no specific transfer formalities, just disclose in the privacy policy
  • Hosting in DPF-certified US vendor — disclose, verify the certification on the DPF list, no SCCs needed
  • Hosting in US non-DPF vendor — Swiss SCCs mandatory, plus transfer impact assessment
  • Hosting in third country with no adequacy (India, China, Russia, Singapore for some purposes) — Swiss SCCs + thorough transfer impact assessment + ideally encryption with keys held in Switzerland
🌍 Federal Council adequacy list: the official list is published as Annex 1 to the Federal Data Protection Ordinance (DSV). It is updated approximately every two years. Zunapro mirrors the live list into its cross-border transfer registry; when a country is added or removed, your transfer rules are automatically re-evaluated. See the DSV adequacy annex on Fedlex for the live, official version.
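As an added example (not Zunapro or EDÖB code), the transfer matrix and the re-evaluation described in the callout as a decision function over a processor registry. ISO country codes and the sample processors are constructed; the adequacy set copies the list given in this section and must be refreshed from the DSV annex.

```python
"""Cross-border transfer decision + adequacy-list re-evaluation under nFADP.

Added example, not Zunapro or EDÖB code. It encodes the transfer matrix above:
EU/EEA and other adequate countries need disclosure only; a DPF-certified US
vendor needs disclosure plus a check of its DPF listing; anything else needs
Swiss SCCs and a transfer impact assessment, with Swiss-held encryption keys
recommended for non-adequate third countries. ISO country codes and the
processor registry are constructed; the adequacy set mirrors the list in the
section as of the date it states and must be refreshed from the DSV annex.
"""
from dataclasses import dataclass
from enum import Enum, auto

EU_EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
          "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
          "SI", "ES", "SE", "IS", "LI", "NO"}
OTHER_ADEQUATE = {"GB", "AD", "AR", "CA", "FO", "GG", "IL", "IM", "JP", "JE",
                  "MC", "NZ", "KR", "UY"}   # CA: commercial organisations only
ADEQUACY_LIST = EU_EEA | OTHER_ADEQUATE


class Safeguard(Enum):
    DISCLOSE = auto()        # name destination + legal basis in the privacy policy
    VERIFY_DPF = auto()      # confirm the vendor is on the Swiss-US DPF list
    SWISS_SCC = auto()       # Swiss SCCs (EU SCCs 2021/914 with Swiss annex)
    TIA = auto()             # transfer impact assessment
    CH_HELD_KEYS = auto()    # encrypt with keys kept in Switzerland (recommended)


@dataclass(frozen=True)
class Processor:
    name: str
    country: str            # ISO 3166-1 alpha-2 of the country of establishment
    dpf_certified: bool = False


def required_safeguards(p: Processor, adequacy=ADEQUACY_LIST) -> frozenset:
    """Minimum safeguards for one processor, following the transfer matrix."""
    if p.country == "CH":
        return frozenset()                           # domestic: no transfer abroad
    if p.country in adequacy:
        return frozenset({Safeguard.DISCLOSE})       # adequacy: disclose only
    if p.country == "US" and p.dpf_certified:
        return frozenset({Safeguard.DISCLOSE, Safeguard.VERIFY_DPF})
    base = {Safeguard.DISCLOSE, Safeguard.SWISS_SCC, Safeguard.TIA}
    if p.country != "US":
        base.add(Safeguard.CH_HELD_KEYS)             # non-adequate third country
    return frozenset(base)


def reevaluate(registry, old_list, new_list) -> dict:
    """Processors whose safeguards change when the Federal Council updates
    the adequacy list; returns name -> (before, after)."""
    changed = {}
    for p in registry:
        before = required_safeguards(p, old_list)
        after = required_safeguards(p, new_list)
        if before != after:
            changed[p.name] = (before, after)
    return changed


# Constructed registry of a shop's processors.
REGISTRY = [
    Processor("host-ch", "CH"),
    Processor("mail-de", "DE"),
    Processor("crm-gb", "GB"),
    Processor("cloud-us", "US", dpf_certified=True),
    Processor("analytics-us", "US"),
    Processor("support-in", "IN"),
]
```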

9. Penalties — Up to CHF 250,000 on the Individual

The Most Important Swiss Particularity

This is the single biggest reason Swiss e-commerce founders, directors and DPOs should care about nFADP compliance personally — not just at the company level. The penalty for major nFADP infringements is a criminal fine of up to CHF 250,000, imposed on the responsible individual, not on the company.

This is fundamentally different from the GDPR's company-level administrative fines (up to 4% of global turnover). In Switzerland:

  • The fine targets the natural person who breached the law — typically a manager, director, founder or designated officer
  • It is a criminal fine imposed by a cantonal criminal court, not an administrative fine issued by the regulator
  • The conviction can appear on the Swiss criminal record of the individual — with downstream impact on residency permits, financial regulatory status, board appointments
  • The fine cannot be reimbursed by the company under D&O insurance — criminal fines are generally uninsurable in Switzerland

Penalty Bands by Offence Type

  • Low band (up to CHF 50K): negligent breach of duty to inform · negligent failure to register a Datenschutzberater when claimed
  • Mid band (up to CHF 150K): negligent breach of due diligence on cross-border transfers · failure to honour DSAR · breach of confidentiality
  • High band (up to CHF 250K): wilful breach of duty to inform · wilful failure to comply with EDÖB orders · wilful failure to ensure data security

Corporate Fine — Only in Narrow Cases

Art. 64 nFADP allows fines of up to CHF 50,000 on the company itself — but only if identifying the responsible individual would require disproportionate investigation. In practice this is a fallback when the corporate governance structure is so opaque that the prosecutor cannot pinpoint the natural person responsible. The default remains personal liability.

What Triggers a Prosecution?

  • EDÖB referral after a failed compliance dialogue or non-compliance with a binding order
  • Criminal complaint by a data subject
  • Cantonal criminal procedure initiated on its own motion (rare in practice)
  • Spill-over from a parallel GDPR investigation involving a European DPA

Mitigating Factors

Swiss criminal courts weigh several mitigating factors when setting the actual fine within the maximum band:

  • Existence of a registered Datenschutzberater and documented internal compliance programme
  • Prompt cooperation with the EDÖB
  • Voluntary breach notification and remediation
  • Absence of prior infringements
  • SME status and limited financial capacity

10. E-Commerce DSG vs GDPR — The Practical Delta

Side-by-Side Comparison Table

The single most useful artefact for a Swiss e-commerce operator is a side-by-side delta showing where nFADP diverges from the GDPR. The table below summarises the ten dimensions that matter most for online retail.

Each row gives the dimension, then the Swiss nFADP / revDSG position, the EU GDPR position and the practical impact.

  • Max fine
    nFADP: CHF 250,000 on the individual · GDPR: 4% of global turnover on the company · Impact: personal criminal liability in CH
  • Cookie consent
    nFADP: transparency + opt-out · GDPR: prior opt-in consent · Impact: CMP recommended for dual-targeting
  • DPO / advisor
    nFADP: voluntary, with self-clearance benefit · GDPR: mandatory in defined cases (Art. 37) · Impact: strategic registration for DPIA relief
  • Breach notification
    nFADP: "as soon as possible" · GDPR: 72 hours hard deadline · Impact: build runbook for ≤5 working days
  • Records of processing
    nFADP: 250+ employees or high-risk only · GDPR: all controllers and processors (with exemptions) · Impact: SME relief in CH, mandatory in EU
  • Data portability
    nFADP: Art. 28 nFADP, newly added in 2023 · GDPR: Art. 20 GDPR, since 2018 · Impact: almost identical in practice
  • Profiling / automated decisions
    nFADP: Art. 21 + duty to inform · GDPR: Art. 22 GDPR · Impact: equivalent, single workflow possible
  • Cross-border
    nFADP: Federal Council adequacy list + Swiss SCCs · GDPR: Commission adequacy + EU SCCs · Impact: EU SCCs reused with Swiss annex
  • Protection scope
    nFADP: natural persons only (legal entities removed) · GDPR: natural persons only · Impact: aligned in 2023 revision
  • Regulator
    nFADP: EDÖB (federal) + cantonal DPAs · GDPR: national DPAs + EDPB · Impact: single Swiss entry point

Reading the table: nFADP and GDPR are now broadly aligned in substance, but the five Swiss particularities — personal criminal liability, lighter cookie regime, voluntary DPO, flexible breach deadline, SME relief on records of processing — create distinct operational decisions. The optimal stack for a Swiss e-commerce site that also serves EU customers is to build to the higher of the two standards in each dimension, ensuring both regimes are covered with a single workflow.

The "Build Once, Comply Twice" Stack

  • Privacy policy — DE/FR/IT/EN, referencing both nFADP and GDPR, both EDÖB and lead EU DPA
  • Cookie banner — GDPR prior opt-in CMP; covers Swiss by definition
  • DSAR workflow — 30-day Swiss deadline (matches GDPR Art. 12) + broader Swiss content
  • Breach response — GDPR 72-hour deadline; satisfies Swiss "as soon as possible"
  • Records of processing — maintain regardless of SME relief
  • Cross-border — EU SCCs with Swiss annex covers both jurisdictions
  • DPO / Datenschutzberater — register with the EDÖB to unlock DPIA self-clearance

How to Operationalise nFADP Compliance — 2026 Step-by-Step

1. Map Your Personal Data Flows (Decision Tree)

  • Customer accounts + order history → identification + contact + behavioural data
  • Payment processing → sensitive financial data, special care under Art. 5
  • Marketing + remarketing → profiling, cross-device tracking, often consent-based
  • Support + CS → free-text fields may include sensitive information
  • Logistics + delivery → contact data shared with InPost / Swiss Post / DPD / DHL
  • Analytics → IP, device, behavioural; check for IP-anonymisation

2. Decide on a Swiss Representative (Foreign Controllers Only)

If your company is not established in Switzerland but processes Swiss residents' personal data at scale or with high risk, Art. 14 nFADP requires the appointment of a Swiss representative. Three legal options:

  • Swiss subsidiary or branch — fastest if you already have a Swiss legal entity
  • External law firm or compliance specialist as representative — common SME setup
  • Specialised representative-as-a-service provider — recurring monthly fee, includes EDÖB liaison

3. Appoint and Register a Datenschutzberater

Whether internal or external, registering the advisor with the EDÖB unlocks DPIA self-clearance and is the single highest-leverage compliance step. The registration is free and takes a few days.

4. Publish the Privacy Policy and Cookie Stack

  • Generate a Swiss-compliant privacy policy in DE/FR/IT/EN
  • Implement a CMP with GDPR-style prior opt-in for marketing cookies, granular per vendor
  • Document the cookie registry — vendor, purpose, retention, legal basis
  • Link from every page footer, cookie banner and registration form

5. Set Up the DSAR Workflow

  • Publish a DSAR contact channel (email + form), identity verification, 30-day SLA
  • Automate data export across orders + cart + browsing + marketing + support
  • Use EDÖB-aligned response templates in DE/FR/IT/EN

6. Document Records of Processing + DPIAs

Even when records are voluntary (under 250 employees, no high-risk), maintaining them is the single best evidence of due diligence in a criminal proceeding. Same for DPIAs: document residual risk, mitigation, advisor's opinion.

7. Build the Breach Incident Runbook

  • Define detection triggers (security alerts, customer complaints, processor notifications)
  • Set 24-hour triage and 5-working-day EDÖB notification deadlines
  • Pre-fill the EDÖB form fields you can complete in advance (controller identity, contact)
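The runbook deadlines above are easy to get wrong when a breach is detected on a Friday. The following is an added example (not Zunapro's code or an EDÖB tool) that turns the three bullets into a small case tracker: a 24-hour triage target, an EDÖB notification date counted in working days as the page describes, and a pre-filled notification draft. It assumes working days are Monday to Friday only; Swiss public holidays are ignored.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

TRIAGE_WINDOW = timedelta(hours=24)   # internal triage target from the runbook
NOTIFY_WORKING_DAYS = 5               # outer bound the page reads from EDÖB guidance


def add_working_days(start: date, days: int) -> date:
    """Advance `start` by `days` working days (Mon-Fri).
    Assumption: no public-holiday calendar; weekends are the only non-working days."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0..4 = Monday..Friday
            remaining -= 1
    return current


@dataclass
class BreachCase:
    case_id: str
    detected_at: datetime
    trigger: str        # "security alert", "customer complaint" or "processor notification"
    high_risk: bool     # triage outcome: likely high risk to the data subject (Art. 24 nFADP)

    def triage_deadline(self) -> datetime:
        return self.detected_at + TRIAGE_WINDOW

    def edoeb_deadline(self) -> Optional[date]:
        """Notification to the EDÖB is only owed when triage confirms high risk."""
        if not self.high_risk:
            return None
        return add_working_days(self.detected_at.date(), NOTIFY_WORKING_DAYS)

    def notification_draft(self, controller: dict) -> dict:
        """Pre-fill what is known in advance; incident facts stay empty for the responder."""
        return {
            "controller_name": controller["name"],
            "controller_contact": controller["contact"],
            "case_id": self.case_id,
            "detected_at": self.detected_at.isoformat(),
            "trigger": self.trigger,
            "nature_of_breach": "",        # completed during triage
            "data_categories": "",
            "data_subjects_affected": "",
            "measures_taken": "",
        }


def open_case(case_id: str, detected_iso: str, trigger: str, high_risk: bool) -> BreachCase:
    """Convenience constructor taking an ISO-8601 timestamp, e.g. from a SIEM alert."""
    return BreachCase(case_id, datetime.fromisoformat(detected_iso), trigger, high_risk)
```

A constructed Friday-morning detection (2026-03-06 10:00) yields a triage target on Saturday 10:00 and an EDÖB deadline of Friday 2026-03-13, because the weekend does not count.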

8. Configure the Cross-Border Transfer Registry

List every processor and country of establishment. Attach Swiss SCCs + transfer impact assessment for non-adequate destinations. Auto-re-evaluate when the Federal Council updates the adequacy list.

9. Connect via Zunapro (10-Minute Compliance Setup)

  1. Sign in to Zunapro and open the Switzerland module
  2. Enable the nFADP compliance pack — privacy policy generator, CMP, DSAR portal, breach runbook, records of processing, cross-border registry
  3. Register your Datenschutzberater — Zunapro can pre-fill the EDÖB registration form
  4. Connect your Swiss marketplaces — Galaxus, Digitec, Brack, Ricardo — and route customer data through the compliance pack
  5. Go live — first compliance baseline completes in roughly 10 minutes; ongoing monitoring runs in the background

Centralise nFADP + GDPR compliance in one panel

Privacy policy generator · Swiss CMP · DSAR portal · breach runbook · records of processing · cross-border registry · EDÖB-ready evidence export — all in one Zunapro panel, alongside your Swiss marketplace integrations.

Build Swiss Compliance Stack →

Swiss nFADP / DSG FAQ 2026

When did the new Swiss Data Protection Act (nFADP / revDSG) come into force?

The revised Federal Act on Data Protection (nFADP, in German: revDSG) came into force on 1 September 2023. It replaces the original 1992 Data Protection Act and aligns Swiss law much more closely with the EU GDPR — while preserving several Swiss-specific particularities: no statutory consent for non-sensitive cookies, voluntary data protection advisor, "as soon as possible" breach notification standard and personal criminal fines up to CHF 250,000.

There was no further transitional period after 1 September 2023 — the new regime applied immediately, without grandfathering. Every Swiss-targeted online shop must already be on the new framework by mid-2026.

Does the Swiss nFADP apply to my online shop if I am based in the EU?

Yes. The nFADP has explicit extraterritorial reach (Art. 3): it applies to any data processing that has an effect in Switzerland. An EU online retailer that ships to Swiss customers, runs Swiss-language pages, prices in CHF or targets Swiss residents falls within the scope and must comply.

Foreign controllers without a Swiss establishment must, in some cases, appoint a Swiss representative (Art. 14 nFADP) — typically for regular large-scale processing of Swiss residents, high-risk processing or processing of sensitive personal data.

Is GDPR-style cookie consent mandatory in Switzerland in 2026?

No — the nFADP does not require statutory opt-in consent for non-sensitive cookies. Swiss law works on a transparency / opt-out logic: you must inform users clearly about cookies and tracking, but a hard GDPR-style consent banner is not strictly mandated by Swiss law alone. Art. 45c of the Swiss Telecommunications Act (FMG) only requires information + opt-out.

However, if you also serve EU visitors — which almost every Swiss e-commerce site does — GDPR + ePrivacy rules apply in parallel. In practice, a proper CMP consent banner is the safe practical choice, and most Swiss online shops implement one even though pure Swiss law would tolerate something lighter.

Do I need a Data Protection Officer (DPO) under Swiss law?

For private companies, the appointment of a Data Protection Advisor (Datenschutzberater) — the Swiss term, Art. 10 nFADP — is voluntary, not mandatory. The Swiss legislator deliberately rejected the GDPR's mandatory DPO regime to provide relief to SMEs.

That said, if you appoint one and register them with the EDÖB, you unlock a major procedural relief: you no longer need to consult the EDÖB before proceeding with high-risk Data Protection Impact Assessments (DPIA). For federal bodies the appointment is mandatory.

What is the maximum fine under the new Swiss nFADP?

Up to CHF 250,000 — and this is the headline particularity of Swiss law: the fine is imposed on the responsible individual (the manager, director or person who breached the law), not on the company. This is fundamentally different from the GDPR, where fines target the company (up to 4% of global turnover).

The Swiss fine is a criminal fine imposed by a cantonal criminal court, not an administrative fine issued by the regulator. It can appear on the individual's Swiss criminal record and is generally uninsurable under D&O policies. This personal criminal liability fundamentally changes how Swiss e-commerce founders, directors and managers must approach compliance.

Do Swiss data subjects have GDPR-style rights of access, rectification and erasure?

Yes. The nFADP gives Swiss data subjects rights of information (Art. 19), access (Art. 25–27), rectification (Art. 32) and objection, plus rights against automated individual decisions (Art. 21). The right to data portability was newly added in the 2023 revision (Art. 28).

The catalogue is essentially equivalent to GDPR Articles 15–22. Response deadlines and procedure are slightly different: the standard deadline is 30 days, extendable in case of complexity. Responses must be free of charge in normal cases; a reasonable fee (up to CHF 300) can be charged only for manifestly excessive or repetitive requests.

What is the data breach notification rule in Switzerland?

Under Art. 24 nFADP, controllers must notify the EDÖB of a data security breach "as soon as possible" (so rasch als möglich / dans les meilleurs délais) when the breach is likely to result in a high risk to the personality or fundamental rights of the data subject.

Unlike GDPR's hard 72-hour deadline, Swiss law uses a flexible "as soon as possible" standard — but EDÖB guidance treats anything beyond five working days with strong suspicion. The notification goes through a structured online form on the federal portal. Data subjects must also be notified directly when necessary for their protection or when the EDÖB requires it.

Can I transfer Swiss customer data to the EU, USA or other countries?

To countries with an adequate level of protection on the Federal Council's list — the entire EU/EEA, the UK, Canada, Argentina, Japan, South Korea, Israel, New Zealand and others — yes, freely. Just disclose the transfer in your privacy policy.

To non-adequate countries — only with appropriate safeguards: Swiss Standard Contractual Clauses, Binding Corporate Rules, or one of the narrow derogations of Art. 17. Since September 2024 the Swiss-US Data Privacy Framework provides adequacy for US recipients certified to the Framework — covering most major cloud and SaaS vendors.

What are the differences between the Swiss nFADP and the EU GDPR?

Five major differences: (1) Fines hit individuals up to CHF 250,000 under nFADP, not companies (GDPR: 4% of company turnover). (2) Cookie consent is not statutorily mandated under nFADP (GDPR + ePrivacy require opt-in). (3) DPO / Datenschutzberater is voluntary for private companies (GDPR Art. 37 requires DPO in defined cases).

(4) Breach notification is "as soon as possible" (GDPR: 72 hours hard deadline). (5) Records of processing apply only to companies with 250+ employees or high-risk processing under nFADP (GDPR: nearly all controllers/processors). In substance the two regimes are now closely aligned; the practical delta is in administrative burden and personal liability structure.

What is a Data Protection Impact Assessment (DPIA) under the nFADP?

A DPIA (Datenschutz-Folgenabschätzung, Art. 22 nFADP) is required when processing is likely to result in a high risk to the personality or fundamental rights of the data subject — typically large-scale processing of sensitive data, systematic monitoring of public areas, or deployment of new tracking technologies.

The controller must document the risk, the mitigation measures and the residual risk. If a designated Datenschutzberater is registered with the EDÖB, the controller can self-clear high-risk DPIAs without consulting the regulator (Art. 23 nFADP) — a significant operational benefit for e-commerce profiling, recommendation engines and fraud scoring.

Is a privacy policy mandatory for Swiss online shops?

Yes — the duty to inform (Art. 19 nFADP) requires the controller to provide data subjects with information about identity, purposes, categories of recipients, retention periods, transfers abroad and data subject rights. In practice this is implemented through a privacy policy / data protection statement on the website, easily accessible from every page footer.

The EDÖB publishes detailed guidance on the minimum content. Common mistakes include copy-pasted German policies that reference the GDPR rather than the nFADP, generic boilerplate purposes, missing cross-border transfer disclosure and no working DSAR contact channel. Zunapro's compliance pack auto-generates a Swiss-compliant policy in DE/FR/IT/EN.

What about Swiss children's data and minors in e-commerce?

The nFADP does not set a specific consent age like the GDPR's Article 8 (13–16 depending on the Member State). Swiss general civil law applies: minors who have reached the age of capacity of judgement (Urteilsfähigkeit) — typically 14–16 depending on the matter — can consent to data processing themselves. For younger children, parental consent is required.

E-commerce sellers targeting under-16 buyers (toys, gaming, fashion, school supplies) should implement age gates and parental verification flows at registration and checkout, document the age verification logic in records of processing and apply heightened security to children's data. The EDÖB has signalled increased attention to this area in its 2025–2026 enforcement agenda.

Launch in Switzerland — nFADP-compliant from day one

Privacy policy · CMP · DSAR portal · breach runbook · records of processing · cross-border registry · EDÖB-ready evidence — all in one Zunapro panel, alongside Galaxus, Digitec, Brack and Ricardo marketplace integrations. No demo required, no long contracts. Begin your Swiss e-commerce launch today.

🇨🇭 Launch in Switzerland Now →