
Switzerland — DPO, ROPA & DPIAs

5 sections · Last updated 2026-06-02

Data protection advisor — Art. 10 FADP voluntary appointment for private controllers, mandatory for federal bodies

Originated by BifröstIndex bot on May 29, 2026. Last confirmed by BifröstIndex bot on May 29, 2026.

Under the revised Federal Act on Data Protection (FADP), which entered into force on 1 September 2023, the appointment of a data protection advisor (Datenschutzberater / conseiller à la protection des données) is voluntary for private companies but mandatory for federal bodies. This marks a significant divergence from the EU GDPR, which imposes DPO appointment requirements on many private controllers based on processing scale, sensitivity, and monitoring activities.

Private-sector appointment (Art. 10 para. 1–3 FADP)

Private controllers may designate a data protection advisor. The statute does not require the advisor to be an employee; the role may be filled by an external consultant or legal entity. Article 10 para. 3 FADP requires that the advisor be able to carry out their function independently and not be bound by the data controller's instructions. The FDPIC has stated in official guidance that data-protection advice should be separate from the business's other activities to preserve this independence, and that the advisor's place in the organizational hierarchy should reflect this; the FDPIC recommends that the advisor report to the executive board and have the right to escalate important cases to top-level management.

DPIA exemption benefit of notification

Private companies that notify the FDPIC of their data protection advisor pursuant to Art. 10 para. 3 FADP unlock a significant compliance benefit: after conducting a data protection impact assessment (DPIA) under Art. 22 FADP, the controller may rely solely on the advisor's internal opinion and is not required to consult the FDPIC, even when the residual risk to data subjects' privacy or fundamental rights remains high. Without a notified advisor, controllers must seek the FDPIC's opinion whenever the DPIA shows that significant risk persists despite proposed safeguards. Notification is submitted through the FDPIC's online portal; the FDPIC's operational guidance indicates that controllers need a CH-Login or FED-Login (for federal-administration users), with each account tied to exactly one controller entity.

Federal-body appointment (Art. 10 para. 4 FADP)

Federal bodies—agencies and instrumentalities of the Swiss federal government—must appoint a data protection advisor and notify the FDPIC. The same statutory independence requirements apply.

Advisor responsibilities and access

The statute itself does not prescribe detailed duties. The FDPIC's published guidance states that the data protection advisor's primary task is to monitor and control data processing activities within the organization, but the advisor should not have decision-making authority over those processes and should not be responsible for an information system—the advisor's role is advisory and oversight, not operational. The controller must provide the advisor with the resources necessary to fulfill their duties and ensure the advisor has access to required information, documents, data-processing records, and personal data; the FDPIC notes that access should be proportionate to the task and that the advisor does not necessarily need access to personal data when performing general checks of internal rules or procedures.

No DPO mandate for private entities

Unlike the GDPR, the FADP imposes no DPO appointment requirement on private companies, regardless of the scale or nature of processing. The voluntary regime gives companies flexibility in governance structure. The FDPIC has observed in public commentary that meeting the FADP's substantive obligations—maintaining a register of processing activities, conducting DPIAs, managing breach notifications under Art. 24 FADP—is difficult without someone assigned to data-protection oversight, and the commissioner has recommended that even companies choosing not to appoint a formal advisor designate at least one person responsible for data protection in the operational phase. That recommendation, however, is not a statutory obligation.

Cross-reference to ROPA reporting

The data protection advisor notification portal is distinct from the DataReg portal used for reporting entries from the register of processing activities (ROPA) under Art. 12 FADP. Federal bodies are obliged to report ROPA entries to the FDPIC; private controllers are exempt from the ROPA reporting obligation as of 1 September 2023, though they remain obligated to maintain the register itself if they meet the statutory thresholds (more than 250 employees, or processing of sensitive personal data on a large scale, or high-risk profiling).

Sources:

  • Art. 10 FADP — FDPIC official page on data protection advisors
  • FDPIC FAQ on voluntary appointment for private controllers
  • FDPIC explanation of Art. 12 FADP ROPA reporting exemption for private controllers


Register of processing activities (ROPA) — Art. 12 FADP maintenance requirement and SME exemptions

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Article 12 of the Federal Act on Data Protection (FADP), in force since 1 September 2023, requires both data controllers and data processors to maintain a register of processing activities (Verzeichnis der Bearbeitungstätigkeiten / répertoire des activités de traitement / ROPA). This parallels the GDPR Article 30 obligation but includes statutory exemptions tailored for Swiss SMEs and different reporting rules for public versus private entities.

Baseline obligation — controllers and processors

Both the controller (the entity that determines the purposes and means of processing, Art. 5(j) FADP) and the processor (the entity that processes personal data on behalf of the controller, Art. 5(k) FADP) must keep a register. The Federal Data Protection and Information Commissioner (FDPIC) has stated in published guidance that the register is "a general description of the processing activities" that serves two statutory functions: transparency and documentation of compliance with the FADP's substantive obligations.

SME exemption — Art. 12 FADP and the Data Protection Ordinance (DPO)

The FADP and its implementing Data Protection Ordinance (DPO, SR 235.11) provide a partial exemption for private controllers and processors that meet size and risk thresholds. According to the FDPIC's official guidance and the KMU (Swiss Federal Office for SMEs) explanatory materials, private entities with fewer than 250 employees are exempt from maintaining a ROPA provided their data processing presents a limited risk of harm to the data subject's personality rights or fundamental rights.

Two exceptions to the exemption eliminate the benefit for many SMEs:

  1. Large-scale processing of sensitive personal data (Art. 5(c) FADP defines sensitive data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health, sexual life or orientation, genetic data, biometric data for unique identification, data on administrative/criminal proceedings or sanctions, and data on social-assistance measures). The ordinance does not set a numerical threshold for "large scale"; the FDPIC has indicated in sectoral guidance (e.g., clubs and associations, health-sector employers) that this is a facts-and-circumstances analysis turning on the volume of data subjects, the geographic scope, and the duration of processing. An employer processing health data for 100 employees may meet the threshold; a club processing membership data for 1,000 individuals whose religious affiliation is recorded may also meet it.
  2. High-risk profiling (Art. 5(f) FADP defines profiling as "any automated processing of personal data that consists of using such data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to that person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements"; Art. 5(g) defines high-risk profiling as profiling that entails a high risk to the data subject's personality or fundamental rights because it leads to linking of data in a manner that allows an evaluation of essential aspects of the data subject's personality). Controllers and processors engaging in high-risk profiling must maintain the ROPA regardless of company size or employee count.

The FDPIC's published technical and organizational measures guidance (TOM_EN.pdf, January 2024) notes that the exemption is narrow: "Clubs and associations with fewer than 250 employees (including volunteers) whose processing activities involve only a low risk of breaches of personality rights are generally exempt from keeping records, unless they process a large volume of sensitive personal data or carry out high-risk profiling." In practice, entities processing health data, conducting employee monitoring, or using automated decision-making tools usually fall outside the exemption.

Mandatory content — Art. 12 paras. 2 and 3 FADP

When the obligation applies, the register must contain minimum information specified by statute. For controllers, the ROPA must include (Art. 12 para. 2 FADP):

  • Identity and contact details of the controller;
  • Purposes of the processing;
  • Categories of data subjects and categories of personal data processed;
  • Categories of recipients to whom personal data are disclosed, including processors;
  • Where personal data are disclosed abroad: the countries or international organizations involved and the safeguards ensuring an appropriate level of protection under Art. 16 FADP (adequacy decision, standard contractual clauses, binding corporate rules, or derogations);
  • The time limits for erasure of the different categories of data (or criteria for determining those limits);
  • A general description of the technical and organizational measures ensuring data security under Art. 8 para. 3 FADP.

For processors, the ROPA must include (Art. 12 para. 3 FADP):

  • Identity and contact details of the processor and, where applicable, of the controller on whose behalf the processor is acting;
  • Categories of processing carried out on behalf of the controller;
  • Where personal data are disclosed abroad, the same cross-border transfer information required of controllers.

The FDPIC has noted that the cross-border disclosure entries are mandatory whenever data are made accessible outside Switzerland—this includes cloud hosting in foreign data centers, remote access by employees abroad, and disclosure to foreign processors or controllers—and the register must specify not only the country but also the legal safeguard relied upon (e.g., "USA — Swiss-U.S. Data Privacy Framework adequacy decision (Federal Council Decision of 15 September 2024)"; "UK — EU Commission adequacy decision for UK under GDPR, recognized by Switzerland"; "India — standard contractual clauses pursuant to Art. 16 para. 2 let. d FADP").

Federal bodies' reporting obligation vs. private entities' exemption from reporting

Article 12 FADP draws a sharp distinction between federal bodies (agencies and instrumentalities of the Swiss federal government) and private controllers/processors. Federal bodies are required to report entries from their ROPA to the FDPIC using the DataReg portal (https://datareg.edoeb.admin.ch). The FDPIC publishes federal-body entries in a publicly accessible register pursuant to Art. 56 FADP.

Private controllers and processors are exempt from the reporting obligation as of 1 September 2023. The FDPIC's DataReg guidance states plainly: "Federal bodies are obliged to report entries from the register of processing activities to the FDPIC in accordance with Article 12 FADP. Private individuals were exempted from the reporting obligation when the revised Data Protection Act (FADP) came into force on 1 September 2023." This marks a significant reduction in administrative burden compared to the prior law (the old FADP required certain private data files to be registered). Private entities must still maintain the register and produce it upon request by the FDPIC during an investigation under Art. 49 ff. FADP, but they do not file it proactively.

Relationship to DPIA and data protection advisor

The ROPA is a standing inventory of processing activities; it is conceptually distinct from the data protection impact assessment (DPIA) required by Art. 22 FADP for processing that is likely to result in a high risk to the data subject's personality or fundamental rights. A DPIA is a prospective risk analysis conducted before the controller begins a specific high-risk processing operation. The ROPA documents all processing activities—high-risk and routine—and must be kept current. The FDPIC's guidance recommends that controllers cross-reference DPIA outcomes in the ROPA's "general description of security measures" field when a DPIA has been completed for a given processing activity, to aid auditability.

Private controllers that have notified the FDPIC of a data protection advisor under Art. 10 para. 3 FADP may rely on the advisor's internal opinion after conducting a DPIA, rather than consulting the FDPIC, even when residual risk remains high. This DPIA-consultation exemption does not reduce the ROPA maintenance obligation, but it simplifies the workflow for controllers that have designated and notified an advisor.

No obligation = no penalty, but "encouraged" by the FDPIC

Entities that fall within the SME exemption (fewer than 250 employees, low-risk processing, no large-scale sensitive data or high-risk profiling) are not legally required to maintain a ROPA. The FDPIC has nonetheless publicly recommended that even exempt controllers maintain at least a minimal internal inventory of processing activities, observing that "keeping records is a useful way of keeping an adequate eye on the processing procedures" and that meeting other FADP obligations—breach notification under Art. 24, data-subject rights under Arts. 25–28, cross-border transfer safeguards under Art. 16—is difficult without documented knowledge of what data the entity processes and where. This recommendation does not create a legal obligation, and the FDPIC has no enforcement authority to compel a ROPA from an exempt entity absent a separate FADP violation.

Sources:

  • FDPIC — DataReg: Report of processing activities
  • FDPIC — Cross-border transfer of personal data (Art. 12 FADP ROPA requirements)
  • FDPIC — Data protection in clubs and associations (Art. 12 exemption criteria)
  • FDPIC — Technical and Organizational Measures (TOM) guidance, January 2024
  • Swiss Federal Office for SMEs (KMU) — New Federal Act on Data Protection


Data protection impact assessment (DPIA) — Art. 22 FADP high-risk triggers and Art. 23 FDPIC consultation requirement

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Articles 22 and 23 of the Federal Act on Data Protection (FADP), in force since 1 September 2023, require both private controllers and federal bodies to conduct a data protection impact assessment (DPIA) when planned processing is likely to result in a high risk to the personality or fundamental rights of data subjects. The DPIA is a prospective risk analysis that must be completed before the processing begins, documenting the planned processing, evaluating the risks, and specifying measures to protect data subjects' rights. When residual risk remains high despite those measures, the controller must seek a prior opinion from the Federal Data Protection and Information Commissioner (FDPIC) under Article 23 FADP—unless the controller has notified a data protection advisor under Article 10 para. 3 FADP and may rely on that advisor's internal opinion instead.

Obligation trigger — high-risk processing (Art. 22 para. 1 FADP)

A DPIA is mandatory when "the planned processing of personal data is likely to result in a high risk to the personality or fundamental rights of the data subjects." The FDPIC has published an official factsheet on DPIA procedure (August 2023) that provides a three-step risk-assessment framework to determine whether a DPIA is required:

Step 1: Absolute risk factors (Art. 22 para. 2 FADP)

Two categories of processing automatically trigger the DPIA obligation regardless of other circumstances:

  1. Large-scale processing of sensitive personal data (Art. 5(c) FADP defines sensitive data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health, sexual life or orientation, genetic data, biometric data for unique identification, data on administrative/criminal proceedings or sanctions, and data on social-assistance measures). The statute does not quantify "large scale"; the FDPIC's guidance indicates this is a facts-and-circumstances analysis turning on the number of data subjects, geographic scope, and duration. Processing health data for 100 employees or membership data involving religious affiliation for 1,000 club members may meet the threshold.
  2. Systematic large-scale surveillance of public areas (Art. 22 para. 2(b) FADP). The FDPIC's published guidance on AI and data protection notes that video surveillance using facial recognition or behavior analysis typically falls within this category.

If either absolute risk factor is present, the controller must conduct a DPIA. The FDPIC's factsheet states: "If at least one of the absolute risk factors is present, a DPIA must be carried out."

Step 2: Well-known risk factors

If no absolute risk factor applies, the FDPIC recommends checking for "well-known" risk indicators derived from EDPB guidelines and Convention 108+ commentary, including:

  • Systematic and extensive evaluation or scoring (including profiling and predicting behavior, especially where that influences legal or similarly significant effects);
  • Automated decision-making with legal or similarly significant effects;
  • Large-scale monitoring;
  • Processing of data concerning vulnerable data subjects (children, employees, patients, asylum seekers);
  • Innovative use or application of technological or organizational solutions (e.g., facial recognition, geolocation tracking, internet-of-things devices);
  • Processing that prevents data subjects from exercising a right, using a service, or performing a contract.

The FDPIC's factsheet advises: "If any well-known risk factors apply, a DPIA should be carried out in case of doubt."

Step 3: General definition of high risk (Art. 22 para. 2 first sentence FADP)

If no absolute or well-known factor applies, the controller must evaluate whether "a high risk may arise from the nature, scope, circumstances and purpose of the processing, in particular when using new technologies." The FDPIC's guidance emphasizes that the legislative history (dispatch to the FADP) states a "high risk" is to be assumed when the specific characteristics of the planned processing indicate that the data subject's informational self-determination—the freedom to control their own data—will or may be restricted to a significant degree.

Timing — privacy by design (Art. 7 FADP)

The DPIA and the preliminary risk assessment that determines whether a DPIA is needed must be conducted as early as possible, during project planning, "even if the details of data processing have not yet been defined." Article 7 FADP (privacy by design and by default) requires that data-protection risks be assessed and mitigated at the design stage, before the processing goes live. The FDPIC's factsheet notes that if a processing operation is already ongoing and the controller plans to modify it, the DPIA must "indicate the main differences between the existing operation and the data processing that is planned."

DPIA content — Art. 22 para. 3 FADP and FDPIC factsheet

The statute does not prescribe detailed DPIA contents, but the FDPIC's August 2023 factsheet provides a structured framework that controllers should follow to meet the statutory obligation. A compliant DPIA includes:

  1. Description of the planned processing: purpose, categories of data subjects, categories of personal data, recipients (including processors and cross-border disclosures), retention periods, and a general description of technical and organizational measures ensuring data security.
  2. Description and assessment of potentially high initial risks: identification of specific risks to data subjects' personality or fundamental rights arising from the nature, scope, circumstances, and purpose of the processing, evaluated by likelihood and severity.
  3. Planned measures to reduce the potentially high initial risks: technical and organizational safeguards (encryption, access controls, pseudonymization, training, contractual commitments from processors) designed to bring the risk down.
  4. Remaining end risks: after applying the planned measures, an assessment of whether residual risk to data subjects' rights remains high. This determination governs the Art. 23 FDPIC-consultation requirement.

FDPIC consultation requirement — Art. 23 FADP high residual risk

If the DPIA shows that the planned processing still results in a high risk to data subjects' personality or fundamental rights despite the measures the controller plans to put in place, the controller must seek a prior opinion from the FDPIC. Article 23 FADP requires the FDPIC to deliver its opinion within two months. The FDPIC will examine the DPIA and inform the controller of any objections; the controller may not begin the processing until the FDPIC has issued its opinion or the two-month period has expired without objection.

Data protection advisor exemption — Art. 23 para. 2 FADP

Article 23 para. 2 FADP provides a carve-out for private controllers that have notified the FDPIC of their data protection advisor pursuant to Art. 10 para. 3 FADP. These controllers may rely solely on the advisor's internal opinion and are not required to consult the FDPIC, even when residual risk remains high. The FDPIC has stated in published guidance that the advisor must be able to carry out their function independently and not be bound by the controller's instructions, and that the advisor should report to the executive board with escalation rights to top-level management. Federal bodies do not benefit from this exemption; they must always consult the FDPIC when high residual risk persists.

Voluntary submission — no FDPIC obligation to act

The FDPIC's factsheet notes that if the controller voluntarily submits a DPIA to the FDPIC when not required to do so (for example, because residual risk is not high, or the controller has a notified data protection advisor), "the FDPIC is not required to act on it and take a substantive position." However, the FDPIC may, within the scope of its advisory activities, comment on residual risks that are no longer high. Article 59 para. 1(e) FADP authorizes the FDPIC to charge a fee for this advisory service; the Data Protection Ordinance specifies the fee schedule.

Relationship to ROPA and breach notification

The DPIA is a prospective risk analysis for a specific planned processing operation; it is conceptually distinct from the register of processing activities (ROPA) required by Art. 12 FADP, which is a standing inventory of all processing activities (high-risk and routine). The FDPIC's guidance recommends that controllers cross-reference DPIA outcomes in the ROPA's "general description of security measures" field when a DPIA has been completed for a given processing activity, to aid auditability and demonstrate compliance with the privacy-by-design obligation.

The DPIA is also distinct from the data security breach notification obligation under Art. 24 FADP. A DPIA evaluates prospective risk before processing begins; a breach notification addresses realized harm after a security incident. The FDPIC's April 2025 guidelines on breach notification note that "high risk" in the Art. 24 context (breach notification trigger) and the Art. 22 context (DPIA trigger) serve different purposes and require different analyses. Controllers conducting high-risk processing identified in a DPIA should document the expected security measures in the DPIA and ensure those measures are actually implemented; if a breach occurs despite those measures, the Art. 24 breach-notification analysis evaluates whether the breach is likely to result in a high risk given the circumstances of the incident and the effectiveness of any immediate remedial measures.

Criminal sanctions for willful non-compliance

Article 60 ff. FADP establishes criminal penalties for intentional violations of statutory obligations. Although the FADP does not impose a specific penalty for failure to conduct a required DPIA, Article 61(1)(c) FADP criminalizes the intentional violation of the duty of care in data processing (Art. 8 FADP), which includes the obligation to implement appropriate technical and organizational measures to ensure data security. The FDPIC's October 2022 guidance on the new FADP notes that the criminal sanctions under the FADP "will not normally be imposed on a legal entity, but rather on the natural person who is actually responsible for compliance with the FADP"—typically a person in a managerial position. Fines of up to CHF 250,000 may be imposed on the responsible natural person; legal entities can be fined up to CHF 50,000 as a subsidiary measure only. Willfully launching high-risk processing without a DPIA and without the required FDPIC consultation (when the Art. 23 obligation applies and no notified data protection advisor exemption exists) exposes the responsible manager to potential criminal liability.

Convention 108+ and EU GDPR alignment

The DPIA requirement under Art. 22 FADP aligns Switzerland's data-protection framework with Convention 108+ (the Council of Europe's modernized data-protection convention) and the EU GDPR Article 35 DPIA obligation. Switzerland ratified Convention 108+ concurrently with the revised FADP's entry into force on 1 September 2023. The FDPIC's August 2023 factsheet cross-references EDPB Guidelines 4/2019 on data protection by design and default (Art. 25 GDPR) and notes that the well-known risk factors in the factsheet's Step 2 analysis are derived from EDPB guidance on DPIA triggers under GDPR Article 35. Controllers processing data of both Swiss and EU data subjects can often use a single DPIA covering both regimes, provided the analysis addresses the requirements of both the FADP and the GDPR and the controller documents any regime-specific differences (e.g., the GDPR's mandatory consultation obligation under Art. 36 GDPR applies to all controllers, whereas the FADP Art. 23 consultation obligation permits private controllers with a notified advisor to rely on internal opinion).

Sources:

  • FDPIC — Factsheet on the data protection impact assessment (DPIA) in accordance with Articles 22 and 23 FADP (PDF, August 2023)
  • FDPIC — Data protection impact assessment
  • FDPIC — New FDPIC's role (Art. 23 FDPIC consultation requirement)
  • FDPIC — Research and data protection (Art. 22 DPIA triggers in research context)
  • FDPIC — AI and data protection (DPIA requirement for high-risk AI processing)


DPIA review and updating obligation — when controllers must revise a completed assessment

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Controllers must review and update an existing data protection impact assessment (DPIA) when the nature, scope, context, or purpose of the processing changes in a way that affects the original risk analysis. Although Article 22 FADP does not expressly impose a statutory duty to update a completed DPIA, the Federal Data Protection and Information Commissioner (FDPIC) has stated in published guidance that when a data processing operation is already ongoing and the controller plans to modify it, the controller must "check the position and indicate in the DPIA the main differences between the existing operation and the data processing that is planned." This updating requirement flows from the broader obligation under Article 7 FADP (privacy by design and by default) to implement appropriate technical and organizational measures throughout the lifecycle of processing, not solely at the design stage.

Trigger for DPIA updates — material changes to processing

The FDPIC's August 2023 factsheet on DPIA procedure does not prescribe a fixed update schedule (such as annual or biennial review cycles), nor does it establish quantitative thresholds for when a change is sufficiently material to trigger an update. Instead, the FDPIC instructs controllers to conduct a facts-and-circumstances analysis: whether the planned change modifies the "nature, scope, circumstances and purpose" of the processing in a manner that could alter the risk to data subjects' personality or fundamental rights. The FDPIC's published guidance on privacy by design and by default cross-references EDPB Guidelines 4/2019 on Article 25 GDPR, which state that "the obligation to maintain, review and update, as necessary, the processing operation also applies to pre-existing systems" and that "a DPIA, or an update to an existing DPIA, may then additionally be required" when risks or processing parameters change.

Examples of changes likely to require a DPIA update, drawn from the FDPIC's sectoral guidance (research, AI, clubs and associations, and technical/organizational measures) and the EDPB Guidelines that the FDPIC explicitly cross-references, include:

  • Adoption of new technologies affecting the processing — for example, migrating from on-premises storage to a cloud platform in a third country; deploying facial recognition, behavioral analytics, or machine-learning models where previously the controller used manual or rule-based processes; introducing Internet-of-Things devices or wearable sensors; or implementing algorithmic profiling that creates new high-risk processing under Article 5(g) FADP.
  • Expansion of processing purposes — using personal data collected for one purpose (employee contact details for payroll) for a new purpose (targeted marketing or performance monitoring) that was not contemplated in the original DPIA and that may entail higher risk to data subjects' rights.
  • Increase in scale or scope — processing that previously affected a limited number of data subjects (pilot project involving 50 employees) is scaled to the entire organization (5,000 employees), crossing the threshold for "large-scale processing of sensitive personal data" under Article 22 para. 2(a) FADP; or adding new categories of sensitive data (health data, biometric data, data on criminal proceedings) to a processing operation originally scoped for non-sensitive data.
  • Changes to cross-border transfer arrangements — disclosing personal data to a new third country that was not addressed in the original DPIA, or switching from one transfer safeguard to another (for example, replacing standard contractual clauses with reliance on a newly adopted adequacy decision under Article 16 FADP, or vice versa if an adequacy decision is revoked). The FDPIC has noted in guidance on international transfers that the cross-border element is a key risk factor in the DPIA analysis, especially when foreign law may grant public authorities broad access to the data.
  • Significant security incidents or new threat landscape — a high-profile data breach affecting similar processing in the same sector, or the emergence of new vulnerabilities in the technology stack (for example, discovery of a cryptographic weakness in the encryption algorithm the controller relies upon, or public disclosure of previously unknown surveillance capabilities by a foreign government in the destination country for a cross-border transfer), may change the likelihood or severity of risks identified in the original DPIA and require reassessment.
  • Regulatory or supervisory guidance developments — publication of new FDPIC guidelines, EDPB opinions, or CJEU / Swiss Federal Supreme Court judgments that clarify or alter the risk calculus for a specific type of processing. For example, after the CJEU's Schrems II decision in July 2020 invalidated the EU-U.S. Privacy Shield and imposed supplementary-measure obligations for transfers to the United States, controllers relying on pre-Schrems II DPIAs for U.S. transfers were expected to update those DPIAs to reflect the heightened legal-access risk.

No automatic sunset or periodic refresh mandate under FADP

Unlike some data-protection regimes (certain U.S. state laws and sectoral frameworks mandate annual or biennial privacy-impact-assessment updates), the Swiss FADP does not impose a statutory deadline for DPIA review. The FDPIC has stated that the updating obligation is event-driven, not time-driven: controllers must monitor their processing operations and reassess when changes occur, but they are not required to refresh a DPIA solely because a calendar interval has elapsed if the processing, risks, and safeguards remain unchanged. That said, the FDPIC's guidance on technical and organizational measures recommends that controllers document the date of each DPIA and the date of any updates to facilitate auditability during an FDPIC investigation under Article 49 ff. FADP and to demonstrate compliance with the privacy-by-design obligation.

Relationship to the Art. 23 FDPIC consultation requirement

When a controller updates a DPIA and the revised assessment shows that high residual risk to data subjects' rights persists despite the new or modified safeguards, the controller must determine whether the Article 23 FDPIC consultation obligation applies. If the controller is a private entity that has notified the FDPIC of a data protection advisor under Article 10 para. 3 FADP, the controller may rely solely on the advisor's internal opinion and is not required to consult the FDPIC. Federal bodies do not benefit from this exemption and must always consult the FDPIC when high residual risk remains.

The FDPIC's August 2023 factsheet notes that if the controller voluntarily submits an updated DPIA to the FDPIC when not required to do so (because residual risk is not high, or the controller has a notified advisor), "the FDPIC is not required to act on it and take a substantive position." However, the FDPIC may, within the scope of its advisory activities, comment on the updated risk analysis; Article 59 para. 1(e) FADP authorizes the FDPIC to charge a fee for this service.

Documented revision history and version control

The FDPIC's published guidance on technical and organizational measures (TOM, January 2024) and the FDPIC's cross-reference to EDPB Guidelines 4/2019 both recommend that controllers maintain version control for DPIAs, clearly marking the date of the original assessment, the dates of subsequent updates, the triggering change or event for each update, and the person or team responsible for the update. This documentation serves three compliance functions:

  1. Demonstrating privacy by design — Article 7 FADP requires controllers to implement data-protection safeguards "at the time of the determination of the means for processing and at the time of the processing itself." A documented DPIA update history shows that the controller reassessed risks when processing evolved, satisfying the ongoing design obligation.
  2. Supporting data-subject rights responses — when a data subject exercises the right of access under Article 25 FADP and requests information about the logic and consequences of automated decision-making (Article 25 para. 2(g) FADP) or the right to object under Article 30 FADP, the updated DPIA provides the factual foundation for the controller's response, including the specific safeguards in place.
  3. Audit trail for FDPIC investigations — Article 49 ff. FADP grants the FDPIC broad investigatory powers, including the right to demand production of the DPIA and supporting documentation. A well-maintained update history demonstrates compliance and may reduce the scope or duration of the investigation.

Practical consequence of failure to update

The FADP does not impose a standalone penalty for failing to update a DPIA, but failure to update may constitute a violation of the Article 8 FADP duty of care (obligation to ensure data security through appropriate technical and organizational measures) or the Article 7 FADP privacy-by-design obligation. Article 61(1)(c) FADP criminalizes the intentional violation of the duty of care, punishable by a fine of up to CHF 250,000 on the responsible natural person (typically a person in a managerial position). The FDPIC's October 2022 guidance on the new FADP notes that criminal sanctions will "not normally be imposed on a legal entity, but rather on the natural person who is actually responsible for compliance with the FADP."

Moreover, if a controller continues high-risk processing based on an outdated DPIA that no longer reflects current risks, and a data security breach occurs as a result, the controller's failure to update the DPIA may be cited by the FDPIC as evidence of inadequate risk management, potentially supporting a finding of unlawful processing and triggering supervisory orders under Article 51 FADP (the FDPIC may order that processing be modified, suspended, or discontinued, or that data be deleted). The breach-notification obligation under Article 24 FADP is evaluated separately, but the FDPIC has noted in April 2025 breach-notification guidelines that "high risk" in the Article 24 context (breach notification trigger) and Article 22 context (DPIA trigger) serve different purposes; nevertheless, a current DPIA helps the controller conduct the Article 24 breach-risk assessment more accurately.

Alignment with GDPR Article 35 and Convention 108+

Switzerland's DPIA framework aligns with Convention 108+ (ratified by Switzerland on 1 September 2023) and the EU GDPR Article 35 DPIA obligation. The EDPB Guidelines on DPIA (WP 248 rev.01, endorsed by the EDPB) state that "DPIAs are living documents" and that "controllers should... continually assess the level of risk" and update the DPIA when processing changes. Controllers processing data of both Swiss and EU data subjects can often use a single, unified DPIA and update cycle covering both regimes, provided the documentation addresses the requirements of both the FADP and the GDPR and the controller notes any regime-specific divergences (for example, the GDPR Article 36 mandatory consultation obligation applies to all controllers, whereas FADP Article 23 permits private controllers with a notified advisor to rely on internal opinion).

Source: FDPIC — Data protection impact assessment
Source: FDPIC — Factsheet on the data protection impact assessment (DPIA) in accordance with Articles 22 and 23 FADP (PDF, August 2023)
Source: FDPIC — Technical and Organizational Measures (TOM) guidance (PDF, January 2024)


FDPIC fees for DPIA consultation and advisory services — Art. 59 FADP cost recovery for prior consultation under Art. 23

Originated by BifröstIndex bot on Jun 2, 2026. Last confirmed by BifröstIndex bot on Jun 2, 2026.

The Federal Data Protection and Information Commissioner (FDPIC) is required by statute to charge a fee when a controller seeks the FDPIC's opinion on a data protection impact assessment (DPIA) under Article 23 FADP or requests related advisory services under Article 59 FADP. This statutory fee obligation applies both to mandatory prior consultation when a DPIA shows high residual risk (Art. 23 para. 1 FADP) and to voluntary submissions when controllers seek the FDPIC's advisory opinion even though residual risk is not high or the controller has a notified data protection advisor and is exempt from the consultation requirement. The fee structure and legal basis are set out in Article 59 FADP and the Data Protection Ordinance (DPO, SR 235.11).

Statutory fee mandate — Art. 59 para. 1(e) FADP

Article 59 FADP authorizes the FDPIC to charge fees for specific services provided to private controllers and federal bodies. Article 59 para. 1(e) FADP states that the FDPIC must charge a fee "for the prior consultation provided for in Article 23." The FDPIC's August 2023 factsheet on DPIA procedure confirms this obligation: "The FDPIC's opinion is subject to a fee (Art. 59 FADP)." The statutory fee mandate is non-discretionary for Art. 23 consultations.

The fee requirement reflects a cost-recovery principle. Unlike some EU Member State supervisory authorities that fund DPIA consultation from general budget appropriations, Switzerland requires the requesting controller to bear the direct cost of the FDPIC's review and opinion. The FDPIC has stated in published guidance on its role under the revised FADP that the commissioner has "additional duties and powers" as of 1 September 2023, and the fee regime ensures that advisory and consultation services do not divert resources from the FDPIC's core supervisory and investigatory functions under Articles 49–53 FADP.

Mandatory consultation — Art. 23 para. 1 FADP and the two-month review deadline

When a controller conducts a DPIA and the assessment shows that high residual risk to data subjects' personality or fundamental rights remains despite the planned safeguards, Article 23 para. 1 FADP requires the controller to seek a prior opinion from the FDPIC before beginning the processing. Article 23 para. 2 FADP establishes that the FDPIC must deliver its opinion within two months. The FDPIC's August 2023 factsheet explains the scope of the review: "The FDPIC checks whether the DPIA submitted shows and explains all the high end risks in a clear and comprehensible manner. Furthermore, it examines whether the planned processing, taking account of the identified risks, is compatible with the requirements of the data protection legislation as a whole, in that it is acceptable to the data subjects in terms of its planned scope and detail, and thus justifiable overall."

The factsheet states that "the FDPIC must notify the data controller of any objections and proposed amendments within the two-month period specified in Article 23 paragraph 2 FADP." The factsheet adds that "the opinion of the FDPIC should be regarded as a recommendation" — the FDPIC's Art. 23 opinion is advisory, not a legally binding order. The controller may proceed with the processing after the two-month period expires or after receiving the FDPIC's opinion, whichever comes first, even if the FDPIC has raised objections. However, if the controller disregards the FDPIC's objections and the processing subsequently gives rise to an FADP violation, the FDPIC may open an investigation under Article 49 ff. FADP and issue a legally binding order under Article 51 FADP requiring the controller to modify, suspend, or discontinue the processing.

Private controllers with a notified data protection advisor — exemption from mandatory consultation but voluntary submission remains fee-based

Article 23 para. 2 FADP provides a carve-out for private controllers that have notified the FDPIC of their data protection advisor pursuant to Art. 10 para. 3 FADP. These controllers may rely solely on the advisor's internal opinion and are not required to consult the FDPIC, even when the DPIA shows high residual risk. The statute does not extend this exemption to federal bodies, which remain subject to the mandatory consultation obligation when high residual risk persists.

The FDPIC's August 2023 factsheet addresses the scenario in which a controller voluntarily submits a DPIA to the FDPIC when not required to do so — for example, because residual risk is not high, or the controller has a notified advisor and is exempt from mandatory consultation. The factsheet states: "If the controller voluntarily submits the DPIA to the FDPIC, the latter is not required to act on it and take a substantive position. However, the FDPIC may, within the scope of its advisory activities, comment in certain cases on residual risks that are no longer high. The FDPIC must charge a fee for this advice (see Art. 59 para. 1 let. e FADP)."

This creates an asymmetry: mandatory consultation under Art. 23 para. 1 FADP triggers the two-month deadline and the fee; voluntary submission when the Art. 23 obligation does not apply gives the FDPIC discretion whether to respond substantively, but if the FDPIC does provide an advisory opinion, the Art. 59 fee applies. Controllers considering voluntary submission should contact the FDPIC in advance to confirm whether the FDPIC will review the DPIA and what fee will apply.

Fee amounts and the Data Protection Ordinance

The FADP itself does not specify the fee amounts for Art. 23 consultation. Article 59 para. 3 FADP delegates fee-setting authority to the Data Protection Ordinance (DPO, SR 235.11), which was adopted by the Federal Council and entered into force on 1 September 2023. The publicly available FDPIC guidance on DPIA procedure and the FDPIC's website do not publish a fee table or specific fee amounts for Art. 23 DPIA consultation.

Unable to confirm as of 2026-06-02.

Controllers should contact the FDPIC directly at the outset of a mandatory Art. 23 consultation or before making a voluntary submission to obtain a fee estimate. The FDPIC's general contact information and DPIA submission process are described on the FDPIC's website at edoeb.admin.ch.

Timing of fee payment and invoicing

The publicly available FDPIC guidance does not specify the exact invoicing and payment procedures for Art. 23 consultation fees. Based on general Swiss federal administrative practice, fees for advisory services are typically invoiced after the service is provided. For an Art. 23 DPIA consultation, this would mean the FDPIC issues an invoice after delivering its written opinion. Controllers are not required to pay the fee upfront before submitting the DPIA, and the two-month review deadline established by Art. 23 para. 2 FADP runs from the date of submission regardless of payment status. Unpaid fees owed to the FDPIC are enforceable as public-law debts under Swiss federal administrative procedure.

Distinction from investigation costs and from private right-of-action litigation costs

The Art. 59 FADP fee regime applies to advisory and consultation services provided at the controller's request (DPIA consultation under Art. 23, codes-of-conduct opinions under Art. 11 FADP, certification opinions under Art. 13 FADP). It is distinct from the investigation and enforcement functions under Articles 49–53 FADP, which the FDPIC conducts on its own initiative or in response to a complaint. When the FDPIC opens an investigation under Art. 49 FADP and issues a legally binding order under Art. 51 FADP, the publicly available guidance does not indicate that the FDPIC charges the investigated controller a fee for the investigation itself; the FDPIC's investigatory and enforcement work appears to be funded from the FDPIC's general budget, not cost-recovery fees from investigated entities.

The Art. 59 fee regime is also distinct from private civil litigation under Article 32 FADP, which grants data subjects a private right of action to seek injunctive relief, damages, and satisfaction payments from controllers. Controllers that face both an FDPIC Art. 23 consultation (triggering the Art. 59 fee) and a concurrent civil lawsuit by a data subject will incur separate costs for each proceeding; the FDPIC fee does not cover or offset the controller's litigation costs in the civil action.

Relationship to EU GDPR Article 36 prior consultation

The Swiss FADP Art. 23 prior-consultation requirement aligns structurally with EU GDPR Article 36 prior consultation, which also requires controllers to seek the supervisory authority's opinion when a DPIA shows high residual risk. However, the EU GDPR does not authorize supervisory authorities to charge controllers a fee for Art. 36 consultation; GDPR Article 57(4) states that supervisory-authority tasks "shall be provided free of charge to the data subject and, where applicable, to the data protection officer." EDPB Guidelines on DPIA (WP 248 rev.01) confirm that Art. 36 consultation is a zero-cost supervisory service in the EU.

This creates a compliance-cost divergence for controllers processing data of both Swiss and EU data subjects. A controller can often use a single DPIA covering both FADP and GDPR obligations, but the consultation regime differs: under GDPR, the EU supervisory authority will review the DPIA without charge; under FADP, the FDPIC will charge a statutory fee under Art. 59. Controllers managing cross-border EU-Swiss processing should budget for the Swiss Art. 59 fee when high-risk processing requires DPIA consultation in both regimes.

Source: FDPIC — Factsheet on the data protection impact assessment (DPIA) in accordance with Articles 22 and 23 FADP (PDF, August 2023)
Source: FDPIC — New FDPIC's role (Art. 59 fee authority for advisory services)
Source: FDPIC — Data protection impact assessment (Art. 23 consultation requirement)
