# Core data subject rights catalog — Articles 25, 28, and 32 FADP
The revised Federal Act on Data Protection of 25 September 2020 (FADP; also known as nFADP or revFADP), which entered into force on 1 September 2023, establishes a comprehensive catalog of individual rights for data subjects in Switzerland. These rights apply to the processing of personal data of natural persons—the 2023 revision removed the prior statute's coverage of legal entities—and are codified primarily in Chapter 4 (Articles 25–29) and Chapter 5 (Article 32) of the FADP. The Federal Data Protection and Information Commissioner (FDPIC) is the supervisory authority responsible for monitoring compliance.
## Right to information (access) — Article 25 FADP
Article 25 FADP grants data subjects the right to request information about whether a controller is processing personal data concerning them. This right is strictly personal and cannot be waived in advance (Art. 25(5) FADP).
When a data subject makes an access request, the controller must provide detailed information under Article 25(2), including:
- The identity and contact details of the controller;
- The personal data being processed;
- The purpose of the processing;
- The retention period or the criteria for determining it;
- The information available to the controller on the source of the personal data (if not collected from the data subject);
- Where applicable, the existence of automated individual decision-making and the logic involved;
- The recipients or categories of recipients to whom personal data is disclosed, including (for cross-border transfers) the country or international organization and any safeguards applied.
The controller must respond within 30 days of the request (Art. 25(7) FADP). If the deadline cannot be met, the controller must inform the data subject and set a new deadline. Information must be provided in writing and free of charge, unless an exception is provided by the Federal Council.
## Limitations on the right to information — Article 26 FADP
Article 26 FADP permits the controller to refuse, restrict, or defer an access request under certain conditions:
- A federal or cantonal statute requires the controller to maintain professional secrecy or another statutory confidentiality obligation (Art. 26(1)(a));
- Providing the information would adversely affect the interests of third parties (Art. 26(1)(b));
- The request is manifestly unfounded, in particular if it serves a purpose contrary to data protection or is manifestly frivolous (Art. 26(1)(c));
- The controller's own overriding interests require refusal, restriction, or deferral, provided the personal data is not disclosed to third parties (Art. 26(2)).
Article 27 FADP provides a separate exemption for periodically published media, which may refuse, restrict, or defer access to protect editorial confidentiality or sources.
## Right to data portability — Article 28 FADP
Article 28 FADP grants data subjects the right to obtain their personal data in a commonly used electronic format and to request its transfer to another controller. This right applies where:
- The data subject provided the personal data to the controller; and
- The processing is based on the data subject's consent or for the performance of a contract (Art. 28(1)).
The format must permit transmission with proportionate effort and enable the data subject to use the data automatically (Art. 21(1) Data Protection Ordinance). Data portability must be provided free of charge unless the Federal Council has provided for an exception (Art. 28(3)). The right is subject to the same limitations as the right to information under Article 26 FADP, as incorporated by Article 29 FADP.
## Right to rectification and erasure — Article 32 FADP
Article 32 FADP grants data subjects the right to request rectification of inaccurate personal data and deletion of unlawfully processed data. The controller may refuse rectification or deletion if prohibited by law or if the processing serves a public purpose. Data subjects may also request that the controller communicate the rectification or deletion to third parties, or mark disputed data as such.
This right is enforceable through civil action under Article 32(2) FADP, which cross-references Articles 28 ff. of the Swiss Civil Code (personality-rights protection), or through complaint to the FDPIC.
## Enforcement mechanisms and penalties
Data subjects who are denied a right may file a complaint with the FDPIC, which has authority under Article 49 FADP to open an investigation. If the FDPIC concludes that the FADP has been violated, it may issue binding orders under Article 51(1) FADP requiring the controller to adjust, suspend, or terminate processing; delete or destroy personal data; or fulfill its obligations under the statute.
The FADP imposes criminal penalties on natural persons (not the organization itself) for intentional violations. Articles 60–66 FADP provide that a person who intentionally provides false or incomplete information in response to an access request under Articles 25–27, or intentionally fails to fulfill disclosure obligations under Articles 19 and 21 FADP, may be fined up to CHF 250,000. These penalties apply to controllers and processors who intentionally violate the statute, not to organizations as entities.
Source: Federal Act on Data Protection of 25 September 2020, SR 235.1
Source: Ordinance on Data Protection of 31 August 2022, SR 235.11
# Automated individual decision-making — Article 21 FADP information and review rights
Article 21 FADP establishes specific protections for data subjects when controllers make decisions based exclusively on automated processing that have legal consequences or a considerable adverse effect on the individual. Unlike GDPR Article 22, which creates a general prohibition subject to narrow exceptions, the Swiss approach is notification-based: the controller must inform the data subject about the automated individual decision and grant procedural safeguards, but the decision itself is not automatically forbidden.
## Scope — automated individual decisions under Article 21(1)
Article 21(1) FADP applies when three elements are present:
- Exclusively automated processing — the decision is made without meaningful human intervention in the decisional logic;
- Legal consequence or considerable adverse effect — the decision produces a binding legal result (approval or denial of a contract, a benefits determination, termination of a service) or a material impact on the data subject's interests, rights, or access to resources; and
- Individual determination — the decision concerns a specific data subject, not aggregate or statistical outputs.
Common examples include automated credit-scoring decisions that directly determine loan approval, algorithmic employment-screening tools that reject applicants without human review, and automated insurance underwriting that sets premium rates or denies coverage. By contrast, a recommendation system or a risk score that a human decision-maker considers alongside other factors does not trigger Article 21 if the human retains genuine discretion.
## Information obligation — Article 21(1) FADP
When an automated individual decision is made, the controller must inform the data subject that the decision was based exclusively on automated processing and that it has legal or considerable adverse consequences. This obligation is in addition to the general duty to inform under Article 19 FADP (which requires disclosure at the point of data collection that automated decision-making may occur). Article 21(1) requires notice when the decision is actually taken, enabling the data subject to understand that no human reviewed the outcome and to invoke the procedural rights in Article 21(2) and (3).
The statute does not prescribe a specific timeline for this notification. As a practical matter, notice should be provided simultaneously with or immediately following the communication of the decision itself, so the data subject can exercise review rights while the decision is still actionable.
## Right to be heard and right to human review — Article 21(2) and (3) FADP
Article 21(2) FADP grants the data subject the right, on request, to express their point of view regarding the automated individual decision. Article 21(3) FADP further provides that the data subject may request that the decision be reviewed by a natural person. These are procedural rights, not substantive rights to reversal: the controller must allow the individual to submit additional context, correct factual errors in the input data, or challenge the logic of the automated system, and a human being must then re-evaluate the decision in light of that input. The human review does not require the controller to reach a different outcome, but it does require genuine reconsideration — a purely formal or mechanical confirmation of the automated result would not satisfy Article 21(3).
The right to be heard and the right to human review are not automatic; the data subject must affirmatively request them. Controllers are not required to conduct human review of every automated decision, only those for which a data subject invokes Article 21(3).
## Exceptions — Article 21(4) FADP
Article 21(4) FADP exempts controllers from the information and procedural-review obligations under paragraphs (1) through (3) in two scenarios:
- The automated individual decision is directly connected with the conclusion or processing of a contract between the controller and the data subject, and the data subject's request is satisfied (Art. 21(4)(a) FADP); or
- A federal or cantonal statute expressly permits the automated decision and provides for the data subject's right to request review (Art. 21(4)(b) FADP).
The first exception mirrors GDPR Article 22(2)(a) but adds the requirement that the data subject's request — typically a request to enter into or perform a contract — must be satisfied by the automated decision. For example, an automated instant approval of an online purchase or subscription qualifies if the data subject requested that service and the decision grants it; an automated denial would not qualify for the exemption, because the data subject's request was not satisfied. The second exception defers to sector-specific legislation (such as social-insurance or tax-assessment statutes) that may already prescribe automated-decision procedures and review mechanisms.
## Criminal liability for non-compliance — Article 60 FADP
Intentional failure to inform a data subject about an automated individual decision under Article 21(1) FADP, or intentional refusal to allow the data subject to express their view or to obtain human review under Article 21(2) and (3), is a criminal offense punishable by a fine of up to CHF 250,000 under Article 60(1) FADP. The penalty applies to the natural person (employee, officer, or contractor) who committed the violation, not to the organization itself. Negligent violations are not penalized. As with other Article 60 offenses, prosecution is on complaint only (Art. 60(2) FADP) — the data subject must file a criminal complaint; the FDPIC does not prosecute ex officio.
## Relationship to GDPR Article 22
FADP Article 21 is narrower in scope than GDPR Article 22. The GDPR creates a general right not to be subject to automated decision-making with legal or similarly significant effects, subject to three exceptions (contract necessity, legal authorization, explicit consent). FADP Article 21 does not prohibit automated decisions; it requires transparency and procedural fairness when they occur. A controller processing Swiss personal data under FADP (but not GDPR) may therefore use automated individual decision-making more freely, provided it discloses the practice under Article 19, notifies the data subject when a decision is made under Article 21(1), and honors requests for human review under Article 21(3). Controllers subject to both GDPR and FADP must comply with the stricter GDPR standard.
Source: Federal Act on Data Protection of 25 September 2020, SR 235.1, Art. 21
Source: Federal Act on Data Protection of 25 September 2020, SR 235.1, Art. 60
# Response timeline for access requests — Article 25(7) FADP 30-day deadline and extension procedure
Article 25(7) of the Federal Act on Data Protection of 25 September 2020 (FADP, SR 235.1) establishes a 30-day statutory deadline for controllers to respond to a data subject's access request under Article 25(1) FADP. This deadline is a core operational requirement under Swiss data protection law. Unlike the GDPR's one-month deadline (which permits a two-month extension in certain circumstances), the Swiss regime provides a fixed initial period with a mandatory notification requirement for extensions.
## The 30-day clock — Article 25(7) first sentence
Article 25(7) FADP provides: "The controller shall provide information within 30 days of the request." The 30 days are calendar days, calculated from the date the controller receives the access request. The deadline applies regardless of the complexity of the request or the volume of personal data being processed.
A controller who fails to respond within 30 days without invoking the extension procedure under Article 25(7) second sentence is in breach of the FADP and may be subject to a complaint to the Federal Data Protection and Information Commissioner (FDPIC) under Article 49 FADP or to civil enforcement under Article 32(2) FADP (personality-rights protection via Art. 28 et seq. of the Swiss Civil Code).
## Extension procedure — Article 25(7) second sentence
Article 25(7) second sentence permits the controller to extend the deadline when the 30-day period cannot be met. The statute provides: "If the controller is unable to do so within that time, it shall inform the data subject accordingly and shall specify a new deadline."
This extension mechanism imposes three requirements on the controller:
1. Timely notification — The controller must inform the data subject of the delay before the expiration of the original 30-day deadline. A notice sent after day 30 does not cure the breach; the extension must be invoked proactively.
2. Specification of a new deadline — The controller must set a definite date by which it will provide the information. The FDPIC's published guidance explains: "If the controller is unable to provide the information within 30 days, it must inform you and let you know how long you may have to wait for the information to be provided."
3. Proportionality (implied from Article 6(2) FADP) — Article 25(7) does not specify permissible grounds for extension. In practice, extensions are appropriate when the data is dispersed across multiple systems, when the volume of data concerning the requester is objectively large (e.g., years of employment records, transaction logs), or when the controller must consult third parties under Article 25(2)(f) FADP (disclosure of recipients). Extensions that result from the controller's failure to maintain adequate records under Article 12 FADP or that appear designed to frustrate the data subject's rights are more vulnerable to challenge.
The statute does not cap the length of the extension. Controllers must be prepared to justify the extension timeline if challenged by the FDPIC or in civil proceedings.
## Form and fee — Article 25(6) FADP
Article 25(6) FADP provides that the controller shall provide the information "in writing and free of charge." The Federal Council is authorized to permit fees under Article 25(6) in cases of disproportionate effort, but the Data Protection Ordinance of 31 August 2022 (SR 235.11) does not currently establish such an exception. Controllers may not charge data subjects for responding to access requests under Article 25, even when the controller invokes an extension or when the data subject makes repeated requests. (Repeated manifestly unfounded requests may be refused entirely under Article 26(1)(c) FADP, but not monetized.)
"In writing" includes electronic formats (email, encrypted portal) if the data subject has submitted the request electronically, or if the controller's ordinary course of communication with the data subject is electronic.
## Relationship to Article 26 limitations and Article 28 portability
The 30-day deadline under Article 25(7) applies equally to portability requests under Article 28 FADP, because Article 29 FADP incorporates the Article 26 limitations regime by reference and Article 28(3) FADP cross-references the free-of-charge rule in Article 25. A controller that receives a portability request (data in commonly used electronic format, Art. 28(1) FADP) must respond within 30 days or invoke the extension procedure in the same manner as for an access request.
Article 26 FADP permits the controller to refuse, restrict, or defer an access request on certain grounds (professional secrecy, third-party interests, manifestly unfounded requests, or the controller's own overriding interests under Art. 26(2)). When a controller invokes Article 26, it should notify the data subject within the 30-day period and explain the legal basis for the refusal or deferral. A controller that defers a request under Article 26(2) (controller's overriding interests) is effectively invoking a form of extension, and the same specification-of-deadline principle applies.
## Criminal liability — Article 60(1)(a) FADP
Article 60(1)(a) FADP provides that a natural person who intentionally provides false or incomplete information in response to an access request under Articles 25–27 FADP is subject to a fine of up to CHF 250,000. This penalty applies to controllers (or their officers, employees, or agents) who deliberately withhold responsive personal data, misrepresent the purposes of processing, or fail to disclose recipients under Article 25(2)(g) FADP. Negligent non-compliance (e.g., missing the 30-day deadline through oversight) is not criminally penalized under Article 60, but may trigger administrative enforcement by the FDPIC under Article 51 FADP (binding orders to adjust processing or disclose data).
Prosecution under Article 60 FADP is on complaint only — the data subject must file a criminal complaint with the cantonal prosecutor; the FDPIC does not prosecute violations.
## Comparison to GDPR Article 15(3)
The Swiss 30-day deadline under Article 25(7) FADP is shorter than the GDPR's default one-month timeline under Article 15(3) GDPR, which permits a two-month extension "where necessary, taking into account the complexity and number of the requests" (Art. 15(3) second sentence GDPR). The GDPR's extension is self-executing if the controller notifies the data subject within one month; the Swiss regime requires the controller to specify a new deadline but does not impose a statutory cap on extension length. Controllers subject to both GDPR and FADP for the same data processing (e.g., a Swiss controller processing EU resident data, or an EU controller with a Swiss representative under Art. 14 FADP) should apply the shorter of the two deadlines to simplify compliance.
Source: Federal Act on Data Protection of 25 September 2020, SR 235.1, Art. 25(6)–(7)
Source: Federal Act on Data Protection of 25 September 2020, SR 235.1, Art. 60(1)(a)
Source: FDPIC, Knowing and asserting my rights — Right to information under Art. 25 FADP
Source: Ordinance on Data Protection of 31 August 2022, SR 235.11
# Right to object to processing — Article 30(2)(b) FADP applies to federal bodies only
Article 30(2)(b) of the Federal Act on Data Protection of 25 September 2020 (FADP, SR 235.1) grants data subjects a right to object to the processing of their personal data. This right is a procedural safeguard that allows individuals to challenge processing they believe is unlawful or disproportionate. However, unlike GDPR Article 21—which grants a general right to object applicable to all controllers—the Swiss right to object under Article 30(2)(b) applies only to federal bodies (federal agencies, authorities, and administrative units), not to private controllers.
## Scope — federal bodies under Chapter 6 FADP
Article 30 is part of Chapter 6 of the FADP, which establishes special rules for federal bodies processing personal data. Chapter 6 (Articles 33–42) reflects the Swiss constitutional principle that public authorities must act within the limits of law when interfering with fundamental rights, including the right to informational self-determination. Federal bodies are subject to stricter requirements than private controllers: they must always have a legal basis for processing (Art. 34 FADP), and they must grant data subjects additional procedural rights, including the right to object under Article 30(2)(b) and the right to request restriction of processing under Article 30(2)(a).
Article 30(2)(b) provides that when a data subject objects to processing by a federal body, the body must either stop processing the personal data or explain why it is entitled to continue processing despite the objection. This procedural right ensures that federal bodies cannot ignore a data subject's concerns and must provide a reasoned justification when they continue processing over objection.
The FDPIC explains: "You have the right to object to the processing of your personal data by the controller at any time (Art. 30 para. 2 let. b FADP). After receiving your objection, the controller has to either stop processing the data or explain why it is entitled to continue to process the data against your wishes." This statement appears in the FDPIC's general guidance on data subject rights, but the statutory text itself limits the right to federal bodies, not private persons.
## No general right to object against private controllers
Private controllers in Switzerland—companies, organizations, and individuals—are not subject to Article 30(2)(b) FADP. The FADP does not grant data subjects a general right to object to processing by private controllers on grounds comparable to GDPR Article 21(1) (objection based on grounds relating to the data subject's particular situation when processing is based on legitimate interests or public task).
Swiss law instead follows a "permission subject to prohibition" model for private-sector processing. Under Article 31 FADP, private controllers may process personal data if:
- The data subject has consented;
- Processing is directly connected with the conclusion or performance of a contract with the data subject;
- Processing is necessary to protect overriding interests of the controller or a third party and the data subject's interests do not prevail; or
- A federal or cantonal statute permits or mandates the processing.
When processing falls within one of these grounds, the data subject has no statutory right to object under the FADP. The data subject's remedy is instead to challenge the processing as a violation of personality rights under Article 32 FADP and Articles 28 ff. of the Swiss Civil Code. Article 32(1) FADP provides: "Data subjects may request the controller to rectify or delete their personal data or to cease or refrain from unlawful processing or disclosure." This remedy is available when processing is unlawful—that is, when it violates the principles of Article 6 FADP (lawfulness, good faith, proportionality, purpose limitation, data accuracy) or lacks a valid ground under Article 31. But it is not an automatic objection right comparable to GDPR Article 21(1); the data subject must demonstrate that the processing is unlawful, not merely assert their particular situation.
## Comparison to GDPR Article 21
The absence of a general right to object for private controllers is a major divergence from the GDPR. GDPR Article 21(1) grants data subjects the right to object, on grounds relating to their particular situation, to processing based on legitimate interests (Art. 6(1)(f) GDPR) or public task (Art. 6(1)(e) GDPR). Once the data subject objects, the controller must cease processing unless it demonstrates compelling legitimate grounds that override the data subject's interests or the processing is necessary for the establishment, exercise, or defense of legal claims. GDPR Article 21(2) further provides an absolute right to object to direct marketing, with no balancing test.
Controllers subject to both GDPR and FADP—for example, a Swiss company processing EU resident data, or an EU company with a Swiss representative under Article 14 FADP—must honor GDPR Article 21 objections for EU data subjects and comply with the narrower Swiss regime for Swiss data subjects. In practice, many multinational controllers extend GDPR-style objection rights to Swiss data subjects as a matter of policy, even though FADP does not require it.
## Enforcement and remedies
A data subject who believes a federal body has unlawfully continued processing after an objection under Article 30(2)(b) FADP may file a complaint with the FDPIC under Article 49 FADP. The FDPIC has investigative authority under Article 50 and may issue binding orders under Article 51(1) requiring the federal body to adjust, suspend, or terminate processing. The data subject may also seek civil remedies under Article 32(2) FADP, which incorporates the personality-rights protections of Articles 28 ff. of the Swiss Civil Code.
When processing is by a private controller, the data subject's remedy is civil enforcement under Article 32 FADP (request for cessation of unlawful processing or disclosure) or a complaint to the FDPIC under Article 49. The FDPIC may investigate and issue binding orders under Article 51(1) if it concludes that the private controller has violated the FADP. Intentional failure by a private controller to comply with an FDPIC order may trigger criminal liability under Article 60 FADP (fines up to CHF 250,000 for the responsible natural person), but there is no standalone criminal penalty for refusing to honor a data subject's informal objection, because no such objection right exists in the statute.
## Practical implications
Practitioners advising Swiss clients or clients processing Swiss personal data should:
- Distinguish federal-body processing from private-sector processing. The right to object under Article 30(2)(b) applies only to federal bodies. Private controllers are not required to honor objections unless the underlying processing is unlawful under Article 31 or violates Article 6 principles.
- Cross-reference GDPR Article 21 for EU/EEA data subjects. Controllers subject to both GDPR and FADP should implement objection-handling procedures that apply GDPR Article 21 to EU residents and limit objection rights for Swiss residents to the Article 30(2)(b) federal-body context or to Article 32 unlawful-processing claims.
- Document legitimate-interest balancing. Although FADP does not grant an objection right, controllers relying on Article 31(2)(c) overriding interests should document their interest-balancing analysis (nature of data, purpose, data subject's reasonable expectations, safeguards) so they can demonstrate lawfulness if challenged under Article 32.
Source: Federal Act on Data Protection of 25 September 2020, SR 235.1, Art. 30(2)(b)
Source: Federal Act on Data Protection of 25 September 2020, SR 235.1, Art. 32
Source: FDPIC, Knowing and asserting my rights
# Right to restriction of processing — Article 32(2)(b) FADP for private controllers
Article 32(2)(b) of the Federal Act on Data Protection of 25 September 2020 (FADP, SR 235.1) grants data subjects the right to request restriction of processing when they dispute the proportionality of the processing or the accuracy of the personal data. This right allows a data subject to suspend ongoing processing activities while a dispute is resolved—for example, while the controller verifies contested facts, investigates a claim of unlawfulness, or litigates an enforcement action. Unlike the right to erasure under Article 32(2)(c) FADP (which requires permanent deletion) or the right to cessation under Article 32(2)(a) (which stops processing entirely), restriction is a temporary safeguard that preserves data and processing capacity while the dispute is pending.
## Statutory text — Article 32(2)(b) FADP
Article 32(2) FADP provides that data subjects may request the controller to:
- (a) cease processing or disclosure that is unlawful or violates the personality of the data subject;
- (b) restrict the processing of personal data;
- (c) have personal data deleted or destroyed.
Article 32(2)(b) itself does not define "restriction" or specify the trigger conditions. The Federal Data Protection and Information Commissioner (FDPIC) has clarified the scope in published guidance: "In similar way to deletion, you can request the restriction of data processing based on Article 32 paragraph 2 letter b FADP if you dispute the proportionality of the data processing or the accuracy of the data." This interpretation establishes that restriction is available when:
- Disputed proportionality — the data subject challenges the controller's interest-balancing under Article 6(2) FADP (processing must be proportionate; the purpose cannot be achieved by less intrusive means) or the necessity of the processing under Article 31(2)(c) FADP (overriding interests of the controller or third party); or
- Disputed accuracy — the data subject contests the correctness or completeness of the personal data under Article 6(5) FADP (accuracy principle: personal data must be adequate, relevant, not excessive, and kept up to date).
Restriction is particularly relevant when the data subject has filed a rectification request under Article 32(2) (to correct inaccurate data) and the controller disputes the requested correction, or when the data subject has challenged the lawfulness of processing under Article 32(1) and the controller contests the claim.
## Scope of "restriction" — statutory silence and operational practice
The FADP does not define what "restriction" means operationally. Neither the statute nor the FDPIC has published detailed guidance on the controller's obligations when a restriction request is granted. Controllers managing restriction requests typically implement procedures drawn from GDPR Article 18 practice or general data-governance standards, including:
- Cease active use of the personal data for the contested purpose (e.g., suspend profiling, halt automated decision-making, pause direct marketing, freeze data-analytics processing);
- Retain the data in storage without further processing, so it is available for verification, litigation, or reinstatement if the dispute is resolved in the controller's favor;
- Permit limited exceptions for essential purposes such as storage itself, processing with the data subject's consent, processing necessary to establish or defend legal claims, or processing to protect the rights of another natural or legal person.
These operational steps are best practices informed by GDPR compliance frameworks and by the principle that restriction is a less-disruptive alternative to erasure; they are not statutory requirements under Swiss law as of June 2026. Controllers should document restriction requests, mark restricted data in processing systems (e.g., with a processing-suspension flag or equivalent technical measure), and notify the data subject when restriction is lifted.
## Federal-body parallel — Article 30(2)(a) FADP
Article 30(2)(a) FADP grants a separate right to restriction of processing when the data subject contests processing by a federal body (federal agency, authority, or administrative unit). Article 30 is part of Chapter 6 of the FADP, which establishes special rules for federal-body processing. Federal bodies are subject to stricter requirements than private controllers: they must always have a legal basis for processing (Art. 34 FADP), and they must grant data subjects additional procedural rights, including restriction under Article 30(2)(a) and objection under Article 30(2)(b).
Article 30(2)(a) provides: "The data subject may request the federal body to restrict the processing of personal data." The statute does not elaborate on the trigger conditions; it is a general procedural right allowing the data subject to freeze processing by the federal body while challenging its lawfulness or necessity. The federal body must honor the restriction request unless it demonstrates a compelling legal ground to continue processing (e.g., statutory obligation, overriding public interest).
In contrast, private controllers (companies, organizations, individuals) are not subject to Article 30(2)(a). Their obligation to restrict processing arises under Article 32(2)(b), which the FDPIC has interpreted to require the data subject to dispute proportionality or accuracy, not merely to invoke a general procedural right.
## Relationship to rectification and erasure
Article 32(2) groups restriction alongside rectification and erasure. The statutory structure suggests a spectrum of remedies, though Swiss law does not explicitly prescribe a hierarchy:
- Rectification (implied in Art. 32(2) and Art. 6(5)) — the controller corrects inaccurate or incomplete data and continues processing the corrected data. Least disruptive to the controller's operations.
- Restriction (Art. 32(2)(b)) — the controller suspends processing while a dispute over accuracy or proportionality is resolved. Intermediate remedy; preserves data for potential litigation or verification.
- Erasure (Art. 32(2)(c)) — the controller permanently deletes the data. Most disruptive; appropriate when processing is unlawful and cannot be cured, or when the purpose has lapsed and there is no legal ground for retention.
A data subject who challenges the accuracy of personal data should typically request rectification first, invoking restriction only if the controller refuses to correct the data or if the accuracy dispute cannot be resolved promptly. A data subject who challenges the proportionality of processing (arguing that the controller's legitimate interests do not override the data subject's rights) may request cessation under Article 32(2)(a) (if the processing is unlawful) or restriction under Article 32(2)(b) (if the lawfulness is contested but not yet adjudicated).
## Enforcement and remedies
A data subject whose restriction request is denied may:
- File a complaint with the FDPIC under Article 49 FADP. The FDPIC has investigative authority under Article 50 and may issue binding orders under Article 51(1) requiring the controller to restrict, suspend, or terminate processing.
- Seek civil enforcement under Article 32(2) FADP, which incorporates the personality-rights protections of Articles 28 ff. of the Swiss Civil Code. The data subject may petition the competent cantonal court for an injunction requiring the controller to restrict processing, rectify inaccurate data, or cease unlawful processing. Under Article 32(3) FADP, the court applies a simplified procedure, and the data subject may appear in person or be represented by a lawyer. No court fees are charged for disputes relating to the right of access under Articles 25–27 FADP: the second sentence of Art. 32(3) reads "no court fees shall be charged" for access disputes, and this provision is often applied by analogy to other data-subject-rights disputes under Art. 32(2).
The FADP does not impose direct criminal liability for refusing a restriction request. However, intentional failure to comply with an FDPIC order under Article 51 FADP may trigger criminal penalties under Article 63 FADP: a fine of up to CHF 250,000 for the responsible natural person (Art. 63(1) FADP), prosecuted on complaint (Art. 63(2) FADP). The CHF 250,000 cap is the statutory maximum; actual fines depend on the severity of the violation.
## Comparison to GDPR Article 18
GDPR Article 18 grants EU data subjects a right to restriction of processing under four conditions:
- The data subject contests the accuracy of the personal data, for a period enabling the controller to verify accuracy (Art. 18(1)(a) GDPR);
- The processing is unlawful and the data subject opposes erasure and requests restriction instead (Art. 18(1)(b) GDPR);
- The controller no longer needs the data for the purposes of processing, but the data subject requires it for the establishment, exercise, or defense of legal claims (Art. 18(1)(c) GDPR); or
- The data subject has objected to processing under Article 21(1) GDPR, pending verification of whether the controller's legitimate grounds override those of the data subject (Art. 18(1)(d) GDPR).
Swiss law's right to restriction under Article 32(2)(b) FADP is narrower than GDPR Article 18. FADP restriction is available when the data subject disputes proportionality or accuracy (mirroring GDPR Art. 18(1)(a) and elements of Art. 18(1)(d)), but Swiss law does not grant an automatic restriction right when processing is unlawful (the remedy is cessation or erasure under Art. 32(2)(a) or (c)), nor when the data subject needs the data for legal claims but the controller does not (no FADP equivalent to GDPR Art. 18(1)(c)). The operational procedures many controllers apply to restriction requests (data flagging, suspension workflows, exemption for legal-claims processing) are drawn from GDPR Article 18 practice and are not strictly required by Swiss law, though they align with the principle that restriction is a less-intrusive alternative to erasure.
Controllers subject to both GDPR and FADP—for example, a Swiss company processing EU resident data, or an EU company with a Swiss representative under Article 14 FADP—must honor GDPR Article 18 restriction requests for EU data subjects and apply the narrower FADP Article 32(2)(b) standard for Swiss data subjects. In practice, many multinational controllers extend GDPR-style restriction rights to Swiss data subjects as a matter of policy, even though FADP does not require it.
## Practical implications
Practitioners advising Swiss clients or clients processing Swiss personal data should:
- Distinguish federal-body processing from private-sector processing. The general right to restriction under Article 30(2)(a) applies only to federal bodies. Private controllers are subject to Article 32(2)(b), which the FDPIC interprets to require the data subject to dispute proportionality or accuracy.
- Implement restriction workflows. Controllers should have procedures to (i) receive and log restriction requests, (ii) assess whether the request falls within Article 32(2)(b) (disputed proportionality or accuracy), (iii) suspend processing if the request is valid, (iv) mark restricted data in processing systems, and (v) notify the data subject when restriction is lifted. These steps are best practice (informed by GDPR Article 18 compliance frameworks), not strict statutory requirements.
- Document interest-balancing. Controllers relying on Article 31(2)(c) overriding interests should document their proportionality analysis (nature of data, purpose, data subject's reasonable expectations, safeguards, less-intrusive alternatives considered) so they can defend the processing if challenged under Article 32(2)(b).
- Cross-reference GDPR Article 18 for EU/EEA data subjects. Controllers subject to both GDPR and FADP should implement restriction procedures that apply GDPR Article 18 to EU residents and the narrower FADP Article 32(2)(b) standard to Swiss residents, or extend GDPR-style restriction rights globally to simplify compliance.
Source: Federal Act on Data Protection of 25 September 2020, SR 235.1, Art. 32(2)
Source: FDPIC, Knowing and asserting my rights
Source: Federal Act on Data Protection of 25 September 2020, SR 235.1, Art. 30(2)(a)
Source: Federal Act on Data Protection of 25 September 2020, SR 235.1, Art. 63
Right to rectification of inaccurate personal data — Article 32(2) FADP and the Article 6(5) accuracy principle
Article 32(2) of the Federal Act on Data Protection of 25 September 2020 (FADP, SR 235.1) grants data subjects the right to request rectification of inaccurate personal data held by a controller. This right is the procedural mechanism for enforcing the accuracy principle codified in Article 6(5) FADP, which requires that "personal data must be accurate and, if necessary for the purposes of processing, kept up to date." Rectification is the least disruptive remedy in the data-subject-rights toolkit — the controller corrects the error and continues processing lawfully — but when accuracy disputes cannot be resolved, the data subject may escalate to restriction under Article 32(2)(b) FADP (suspend processing while the dispute is pending) or erasure under Article 32(2)(c) (permanent deletion).
## Statutory right — Article 32(2) FADP
Article 32(2) FADP provides that data subjects may request the controller to:
- (a) cease processing or disclosure that is unlawful or violates the personality of the data subject;
- (b) restrict the processing of personal data;
- (c) have personal data deleted or destroyed.
The statute does not explicitly list "rectification" as a separate paragraph within Article 32(2), but the Federal Data Protection and Information Commissioner (FDPIC) has clarified that rectification is a core data-subject right under the FADP. The FDPIC states: "In accordance with the Federal Act on Data Protection (FADP), any person may request information from the controller of a data file as to whether their personal data is being processed and may, if necessary, have the data corrected or destroyed." The right to correction is grounded in the accuracy principle of Article 6(5) FADP and is enforceable through the civil-enforcement mechanism of Article 32(2) (personality-rights protection under Arts. 28 ff. of the Swiss Civil Code).
## Substantive obligation — Article 6(5) FADP accuracy principle
Article 6(5) FADP provides: "Personal data must be accurate and, if necessary for the purposes of processing, kept up to date." This is one of the six core principles governing all personal-data processing under Swiss law, codified in Article 6 (Principles):
- Lawfulness (Art. 6(1)) — processing must comply with the statute;
- Good faith (Art. 6(2)) — processing must be conducted in good faith and be proportionate;
- Purpose limitation (Art. 6(3)) — data may be processed only for the purpose indicated at the time of collection;
- Data minimization (Art. 6(2)) — processing is limited to cases where the purpose cannot be achieved by other reasonably available means that interfere less with the personality of the data subject;
- Accuracy (Art. 6(5)) — data must be correct and current;
- Retention limitation (Art. 6(4)) — personal data may be retained in a form that permits identification of data subjects for no longer than is required for the purpose of processing.
Article 6(5) is a continuing obligation. The controller must maintain data accuracy not only at the point of collection but throughout the retention period, updating records as necessary when the purpose of processing requires current information. For example:
- Employment records — an employer processing employee addresses for payroll and benefits must update address data when an employee moves, or the payroll deposits and tax forms will go to the wrong location;
- Credit reporting — a credit bureau must correct erroneous default records when a disputed debt is resolved, or the data subject's creditworthiness profile is materially false;
- Medical records — a hospital maintaining allergy or medication records must correct documented allergies when a patient reports an error, because inaccurate data poses a risk to health and safety.
The accuracy principle under Article 6(5) does not require the controller to verify the truth of every data point proactively. Controllers may rely on data provided by the data subject or by authoritative third-party sources (government registries, employers, financial institutions) unless they have reason to know the data is incorrect. The obligation is to maintain accuracy once errors are identified and to update data when the purpose requires currency.
## Scope — what qualifies as "inaccurate"
Data is inaccurate under Article 6(5) FADP when it is factually false, incomplete in a way that materially distorts the truth, or outdated such that it no longer reflects the current reality relevant to the processing purpose. Examples include:
- Factually false — a database records the data subject's date of birth as 1 January 1985 when the correct date is 15 March 1987;
- Incomplete — a credit report lists a loan default but omits the fact that the debt was subsequently paid and the default was withdrawn;
- Outdated — an HR system lists the data subject's job title as "Junior Analyst" when they were promoted to "Senior Analyst" two years ago and the job-title field is used for internal org charts and external employment verifications.
Data is not inaccurate merely because the data subject disputes the controller's interpretation of accurate facts, or because the data subject disagrees with a decision based on the data. For example:
- A performance review states "Employee missed three project deadlines in Q2." If the employee did in fact miss three deadlines, the statement is accurate even if the employee disputes whether the delays were their fault or whether the review is fair.
- An insurance underwriting model scores the data subject as "high risk" based on accurate claim history. The data subject may challenge the proportionality of the processing under Article 6(2) FADP or request restriction under Article 32(2)(b) while disputing the risk assessment, but the underlying data (the claim history) is not inaccurate if the claims actually occurred.
Practitioners should distinguish factual accuracy disputes (which trigger the right to rectification) from legal or evaluative disputes (which may trigger objection under Art. 30(2)(b) FADP for federal bodies, restriction under Art. 32(2)(b), or civil enforcement under Art. 32(2)(a) for unlawful processing).
## Procedure — how data subjects request rectification
The FADP does not prescribe a specific form or procedure for rectification requests. Best practices drawn from FDPIC guidance and operational necessity include:
1. Identification of the inaccurate data — The data subject should specify which data is incorrect and provide the correct information. A general statement that "my file contains errors" without identifying the disputed data points does not allow the controller to comply. For example: "Your database lists my employment start date as 1 June 2020; the correct date is 1 July 2020."
2. Proof or supporting documentation — When the controller reasonably cannot verify the correction from its own records or authoritative sources, it may request that the data subject provide evidence. For example, if the data subject disputes a recorded address, the controller may ask for a utility bill or government ID showing the correct address. However, the burden of proof is context-dependent:
- When the controller collected the data from the data subject (e.g., a web-form submission, an account sign-up), and the data subject now asserts they provided different information, the controller may rely on its contemporaneous records unless the data subject provides persuasive evidence of an error (e.g., a screenshot of the submitted form, a confirmation email).
- When the controller collected the data from a third party (e.g., a credit bureau, an employer reference, a public registry), and the data subject challenges its accuracy, the controller should investigate by re-verifying with the source or examining its records. If the third-party source confirms the data or if the controller's records are ambiguous, the data subject may need to provide documentation.
3. Timeline — The FADP does not set a deadline for controllers to complete rectification, in contrast to the 30-day deadline for access requests under Article 25(7) FADP. The FDPIC has not published specific guidance on rectification timelines as of June 2026. Controllers should apply a reasonable-time standard: rectification of simple factual errors (name spelling, date of birth, address) should be completed within a few business days; rectification requiring investigation or third-party verification may take longer but should be pursued diligently. If the controller cannot complete rectification promptly, it should notify the data subject and, if the data subject requests, restrict processing under Article 32(2)(b) FADP while the accuracy dispute is resolved.
4. Notification to recipients — Article 32(1) FADP provides that data subjects may request the controller to "communicate the rectification or deletion to third parties" to whom the controller has disclosed the personal data. This right ensures that corrections propagate downstream. For example, if a controller rectifies an erroneous employment termination date in its HR system and had previously disclosed that date to a reference-check service or a background-screening vendor, the data subject may request that the controller notify those recipients of the correction. The controller must honor such a request unless disclosure to the third party was anonymous or the effort is disproportionate.
## Disputed accuracy — marking data or restricting processing
When the controller and data subject cannot agree on whether data is inaccurate, Article 32(1) FADP provides that the data subject may request that the controller mark the disputed data as such. This is an intermediate remedy: the controller retains the data (and may continue processing it if lawful under Article 31 FADP), but the data is flagged so that downstream recipients and future processors understand that the accuracy is contested. For example, a credit bureau that cannot verify whether a disputed loan default was valid may mark the entry as "disputed by data subject" so that lenders reviewing the report can weigh the contested item appropriately.
Alternatively, the data subject may invoke the right to restriction under Article 32(2)(b) FADP, which the FDPIC has clarified applies "if you dispute the proportionality of the data processing or the accuracy of the data." Restriction suspends active use of the data while the dispute is pending — for example, the controller stops using the disputed data for automated decision-making, profiling, or disclosure to third parties, but retains it in storage for verification or potential litigation. See the dedicated section on restriction of processing in this guide for operational details.
## Relationship to GDPR Article 16
GDPR Article 16 grants EU data subjects a right to rectification of inaccurate personal data "without undue delay." The GDPR also grants a right to have incomplete personal data completed, "including by means of providing a supplementary statement." Swiss law under FADP Article 6(5) and Article 32(2) is substantively similar but does not explicitly reference "completion" of incomplete data as a separate right. In practice, Swiss controllers should treat materially incomplete data (data that distorts the truth by omission) as inaccurate under Article 6(5) and subject to rectification, aligning with the GDPR standard.
The GDPR imposes a duty on the controller under Article 19 to communicate any rectification to each recipient to whom the personal data has been disclosed, unless this is impossible or involves disproportionate effort. Swiss law grants the data subject a request right under Article 32(1) FADP to have the controller communicate rectification to third parties; it is not an automatic duty. Controllers subject to both GDPR and FADP — for example, a Swiss company processing EU resident data, or an EU company with a Swiss representative under Article 14 FADP — should apply the stricter GDPR Article 19 notification duty for EU data subjects and honor Article 32(1) requests from Swiss data subjects. Many multinational controllers extend automatic rectification notification to all recipients globally to simplify compliance.
## Enforcement and remedies
A data subject whose rectification request is denied may pursue three remedies:
1. Complaint to the FDPIC — Article 49 FADP permits any person to file a complaint with the Federal Data Protection and Information Commissioner if they believe the FADP has been violated. The FDPIC has investigative authority under Article 50 and may issue binding orders under Article 51(1) requiring the controller to rectify inaccurate data, adjust processing, or delete data. FDPIC complaints are free and do not require legal representation.
2. Civil enforcement — Article 32(2) FADP incorporates the personality-rights protections of Articles 28 ff. of the Swiss Civil Code. The data subject may petition the competent cantonal court for an injunction requiring the controller to rectify inaccurate data, cease unlawful processing, or delete data. Under Article 32(3) FADP, the court applies a simplified procedure, and no court fees are charged for disputes relating to the right of access under Articles 25–27 FADP. Courts frequently apply the fee waiver by analogy to other data-subject-rights disputes under Article 32(2), including rectification claims, though the statutory text does not mandate this extension.
3. Criminal liability for intentional false information — Article 60(1)(a) FADP provides that a natural person who intentionally provides false or incomplete information in response to an access request under Articles 25–27 FADP is subject to a fine of up to CHF 250,000. This penalty applies when the controller deliberately provides inaccurate data in response to an Article 25 access request (for example, falsely stating that no data is being processed, or omitting material data from the response). Article 60 does not directly penalize refusal to rectify inaccurate data, because rectification is governed by Article 32(2), not Articles 25–27. However, intentional failure to comply with an FDPIC order under Article 51 FADP (including an order to rectify data) may trigger criminal penalties under Article 63 FADP: a fine of up to CHF 250,000 for the responsible natural person, prosecuted on complaint.
## Practical implications for controllers
Controllers processing Swiss personal data should:
- Implement correction workflows — Establish procedures to receive, log, verify, and process rectification requests. Assign responsibility to a data-protection officer, privacy team, or designated contact for timely response.
- Verify before correcting — When a data subject asserts that data is inaccurate, investigate the claim by checking source records, re-verifying with third-party data providers, or requesting supporting documentation from the data subject. Do not automatically overwrite data without verification, as this may introduce new inaccuracies or create liability if the original data was correct.
- Document disputes — When accuracy cannot be confirmed, use the Article 32(1) disputed-data marking mechanism or invoke restriction under Article 32(2)(b) to preserve the data for potential litigation while signaling the dispute to downstream recipients.
- Notify recipients when requested — Honor Article 32(1) requests to communicate rectification to third parties unless disclosure was anonymous or notification is disproportionately burdensome. For controllers subject to GDPR Article 19, automate recipient notification globally.
- Maintain accuracy proactively — Article 6(5) is a continuing obligation. Implement data-quality controls, periodic reviews of high-risk data (credit records, health data, employment records), and update mechanisms so data remains current for its processing purpose.
Source: Federal Act on Data Protection of 25 September 2020, SR 235.1, Art. 6(5)
Source: Federal Act on Data Protection of 25 September 2020, SR 235.1, Art. 32
Source: FDPIC, Right to information