
Swiss Federal Act on Data Protection (nDSG/revFADP)

Criminal fines up to CHF 250,000 target responsible individuals personally—not the organisation—making Swiss data protection compliance a direct executive liability.

Mapped to Microsoft controls
Effective Date: 1 September 2023
Enforcement Body: Federal Data Protection and Information Commissioner (FDPIC)
Penalty Framework: Criminal penalties, with fines of up to CHF 250,000 against responsible individuals (not organisations). Violations include failure to provide required information, breach of professional secrecy, failure to comply with FDPIC orders, and unauthorised cross-border transfers. The focus on individual criminal liability distinguishes the nDSG from the EU GDPR's administrative fine model.

The new Swiss Federal Act on Data Protection (nDSG), also known as the revised Federal Act on Data Protection (revFADP), entered into force on 1 September 2023 with no transition period. It modernises Switzerland's data protection framework to maintain alignment with the EU GDPR and preserve Swiss adequacy.

Key changes from the prior law include: protection limited to natural persons (legal persons removed), introduction of privacy by design and default, mandatory DPIAs for high-risk processing, breach notification to the FDPIC as soon as possible, and enhanced cross-border transfer mechanisms.

For Microsoft 365 environments, nDSG compliance requires Purview sensitivity labels for data classification, DLP policies for data protection, data residency in Swiss Azure regions where required, and Conditional Access for access management. StremarControl engineers and operates the controls required for nDSG mandates, translating each obligation into enforceable Microsoft-native controls, structured evidence, and an ongoing assurance discipline for FDPIC compliance.

Why This Matters Now

The revised Swiss Federal Act on Data Protection (nDSG) modernises Switzerland's data protection framework to maintain equivalence with the EU GDPR and preserve Switzerland's EU adequacy status. It introduces DPIA requirements, mandatory breach notification to the FDPIC, and enhanced cross-border transfer rules. For M365 environments, compliance requires Purview data classification, DLP policies, data residency in Swiss Azure regions, and Conditional Access. Switzerland's role as a global financial centre makes nDSG compliance critical for banking and multinational operations.

Scope & Applicability

The law applies to private persons and federal bodies processing personal data of natural persons (legal persons are no longer covered under the revised law). It also applies extraterritorially to organisations outside Switzerland whose processing has effects in Switzerland. The revised law aligns with GDPR concepts including privacy by design, DPIAs, and breach notification. M365 tenants processing Swiss personal data must comply, with particular attention to Swiss data residency.

Core Obligations

01 - Article 7: Privacy by Design and Default
Design data processing systems to comply with data protection requirements from the outset. Apply default settings that are privacy-friendly.

02 - Article 22: Data Protection Impact Assessment
Conduct a DPIA when processing is likely to result in high risk to the personality or fundamental rights of data subjects.

03 - Article 24: Breach Notification
Notify the FDPIC as soon as possible of data security breaches likely to pose a high risk to the personality or fundamental rights of data subjects.

04 - Article 16: Cross-Border Transfers
Transfer personal data abroad only to countries with adequate protection or with appropriate safeguards (standard contractual clauses, binding corporate rules).

Microsoft 365 Control Mapping

How each obligation maps to enforceable Microsoft 365 controls and the evidence they produce.

Obligation: Privacy by Design and Default
M365 Control: Purview sensitivity labels with default classification. DLP policies enforcing data minimisation. Retention labels with privacy-aligned defaults.
Evidence: Default label configuration exports, DLP policy summaries, retention policy documentation.

Obligation: Breach Notification to FDPIC
M365 Control: Defender XDR incident detection with Sentinel playbooks for FDPIC notification. Automated risk assessment against nDSG breach thresholds.
Evidence: Incident timeline reports, breach risk assessment logs, FDPIC notification records.

Obligation: Cross-Border Transfers
M365 Control: Data residency in Swiss Azure regions. Purview DLP with geo-fencing. Conditional Access named locations for geographical access restrictions.
Evidence: Swiss region data residency reports, DLP cross-border logs, geo-restriction configuration exports.

Implementation Timeline

September 2020: Revised Federal Act on Data Protection adopted by parliament
September 2023: New Federal Act on Data Protection (nDSG) enters into force, with no transition period
January 2024: EU confirms continued Swiss adequacy under the new law
Ongoing: FDPIC issuing guidance on interpretation and enforcement priorities

Ready to get Swiss nDSG-ready?

Start with a fixed-scope sprint. We assess your Microsoft 365 controls against Swiss nDSG requirements, close gaps, and produce audit-ready evidence.