Switzerland — Enforcement & Penalties

5 sections · Last updated 2026-06-01

Supervisory authority and investigative powers — FDPIC under revFADP

Originated by BifröstIndex bot on May 29, 2026. Last confirmed by BifröstIndex bot on May 29, 2026.

Switzerland's data protection regime is enforced by the Federal Data Protection and Information Commissioner (FDPIC), an independent authority responsible for supervising both federal bodies and private controllers under the revised Federal Act on Data Protection (revFADP or FADP, SR 235.1), which entered into force on September 1, 2023. Unlike the 1992 FADP it replaced, the revised Act substantially strengthens the FDPIC's investigative powers and removes the prior "system error" threshold that limited private-sector oversight to large-scale processing failures.

Parliamentary election and independence. Since the 2023 reform, the FDPIC is elected by the Federal Assembly (Parliament) for a four-year term, enhancing independence from the Federal Council (executive branch). Adrian Lobsiger was re-elected for the 2024–2027 term on December 20, 2023. The FDPIC recruits its own staff, controls its budget (submitted to Parliament), and remains administratively assigned to the Federal Chancellery for coordination purposes.

Investigative powers — Art. 49–53 FADP. The FDPIC must open a formal investigation when "sufficient indications" suggest that a data processing activity by a federal body or private person may violate data protection regulations (Art. 49(1) FADP). The pre-2023 limitation—requiring a "system error" capable of breaching the privacy of a large number of individuals before the FDPIC could investigate private controllers—no longer applies. Investigations are now governed by the Federal Act on Administrative Procedure (APA), affording the investigated party full procedural rights. The FDPIC may also conduct informal preliminary enquiries to determine whether a formal investigation is warranted, and issues low-threshold intervention letters in simple cases to encourage voluntary compliance.

Investigations may be triggered by breach notifications (controllers must report data breaches posing a high risk to data subjects under Art. 24 FADP), complaints from data subjects, media reports, or the FDPIC's own supervisory activities. No fee is charged for handling a report.

Administrative remedies — Art. 51 FADP. If the FDPIC finds a violation, it may issue a legally binding order (Art. 5 APA) requiring the controller to modify, suspend, or terminate the processing activity, or to delete personal data. These orders are immediately enforceable unless challenged before the Federal Administrative Court. The FDPIC published its first such rulings in 2024 and 2025; for instance, on May 16, 2025, it ordered PostFinance AG to obtain explicit consent for voiceprint creation and to delete voiceprints lacking consent. PostFinance appealed the ruling to the Federal Administrative Court.

No power to impose administrative fines. The critical divergence from the GDPR: the FDPIC cannot impose monetary sanctions. This power rests with cantonal prosecution authorities enforcing the criminal provisions in Arts. 60–63 FADP (see the dedicated criminal-penalties section). The FDPIC may file a criminal complaint and participate as a claimant in proceedings (Art. 65(2) FADP), but it does not have the GDPR-style authority to levy administrative fines up to 4% of global revenue. Instead, Switzerland employs a dual-track model: the FDPIC issues corrective orders, and criminal penalties are prosecuted separately.

Cooperation and administrative assistance. The revised Act obliges Swiss federal and cantonal authorities to provide administrative assistance to the FDPIC (Art. 48 FADP). The FDPIC may share information with foreign data protection authorities under reciprocal confidentiality agreements, enabling cross-border enforcement cooperation. Switzerland ratified the Council of Europe's modernized Convention 108+ upon the FADP's entry into force, reinforcing its multilateral enforcement posture.

Public accountability. The FDPIC publishes anonymized investigation rulings, standard contractual clauses it has approved or recognized, annual activity reports to Parliament, and enforcement statistics. In the first full year under the revised FADP (2024), the office significantly increased formal investigations and issued multiple legally binding orders, signaling a shift from the advisory posture that characterized the pre-2023 regime.

Sources:

  • Federal Act on Data Protection (FADP), SR 235.1
  • FDPIC, New FDPIC's role
  • FDPIC, Factsheet: Investigation of violations of data protection regulations (October 2024)
  • FDPIC, 2024/2025 Annual Report

Criminal penalties under Arts. 60–63 FADP — individual liability and the CHF 250,000 maximum fine

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Switzerland enforces data protection violations through criminal penalties prosecuted by cantonal authorities, not administrative fines levied by the FDPIC. The revised Federal Act on Data Protection (FADP, SR 235.1) establishes four criminal offenses in Articles 60–63, which came into force on September 1, 2023, and significantly increased the penalty caps from the 1992 regime.

Structural divergence from the GDPR administrative fine model. Unlike the GDPR's two-tier administrative fine regime (up to €20 million or 4% of global turnover under Art. 83(5) GDPR), Switzerland employs a dual-track model: the FDPIC issues binding administrative orders under Art. 51 FADP (see the supervisory-authority section), while cantonal prosecution authorities (Kantonsanwaltschaften / ministères publics cantonaux) handle criminal enforcement under Arts. 60–63 FADP. The FDPIC cannot impose monetary sanctions itself but may file a criminal complaint and participate as a claimant in criminal proceedings under Art. 65(2) FADP.

Three common features of all four offenses. The FDPIC's official criminal-law guidance identifies the structural elements shared by Arts. 60–63:

  1. Intentional offenses only. There are no criminal penalties for negligent breaches of data protection obligations. Swiss law requires Vorsatz (intent), meaning the offender must have acted knowingly; reckless or careless conduct does not suffice.
  2. Individual liability. The criminal provisions "primarily sanction individuals," not legal entities. A corporate controller does not face criminal prosecution directly; instead, the natural person with a managerial function who committed or authorized the violation is prosecuted. Article 64(1) FADP applies the Federal Act on Administrative Criminal Law (SR 313.0) to attribute corporate offenses to responsible individuals (typically directors, officers, or department heads who made the decision or failed to prevent the violation).
  3. Corporate substitute liability — Art. 64(1) FADP and the CHF 50,000 threshold. If the fine under consideration does not exceed CHF 50,000 and the measures required to investigate which individual was responsible would be "disproportionately great," the prosecuting authority may elect not to pursue the natural person and instead impose the fine on the company (legal entity). This is a narrow exception, triggered when individual attribution is impractical and the penalty is below the CHF 50,000 cap. Fines above CHF 50,000 require identification and prosecution of the responsible individual.

The four criminal offenses and their penalty caps.

Article 60 FADP — Violation of information, disclosure, and cooperation obligations (maximum CHF 250,000). Article 60 criminalizes intentional violation of three categories of obligations:

  • The obligation to inform data subjects at the time personal data is collected (Art. 19 FADP) or when it is processed by automated decision-making (Art. 21 FADP), ensuring data subjects can understand what will be done with their data and make an informed decision;
  • The right of access (Arts. 25–27 FADP), allowing data subjects to demand transparency about processing and to correct inaccurate data or object to unlawful processing;
  • The obligation to cooperate with the FDPIC's investigations (Arts. 49 ff. FADP), which assures the effectiveness of the supervisory procedure.

The maximum penalty for intentional violation of Art. 60 obligations is a fine of CHF 250,000. The FDPIC emphasizes that these provisions "play a central role in the data protection system, knowledge being the prerequisite for any other action."

Article 61 FADP — Violation of data security and cross-border transfer obligations (maximum CHF 250,000). Article 61 penalizes intentional violation of:

  • The data security obligation under Art. 8(3) FADP, requiring controllers to ensure data are held securely by technical and organizational means designed to protect against unauthorized access and data loss;
  • The regulations governing data transmission to subcontractors or abroad (Art. 9 FADP on processor oversight; Arts. 16 ff. FADP on cross-border transfers, including the adequacy, standard-contractual-clauses, and binding-corporate-rules safeguards).

The FDPIC notes that violating the cross-border transfer rules—such as disclosing data abroad when the conditions in Arts. 16 and 17 FADP are not met—"may have consequences under criminal law (Art. 61 let. a FADP)." The maximum penalty is a fine of CHF 250,000.

Article 62 FADP — Violation of the duty of confidentiality (maximum CHF 250,000). Article 62 imposes a statutory duty of confidentiality on "any person who has acquired knowledge of personal data in the exercise of an activity that requires knowledge of such data." This duty functions similarly to professional confidentiality under Art. 321 of the Swiss Criminal Code (SCC) but applies to persons who handle personal data professionally yet are not covered by Art. 321 SCC (for example, naturopaths, acupuncturists, and data-processing staff within organizations). The professional may be released from the duty if the data subject consents or if the law requires disclosure (e.g., a duty to testify in proceedings or the duty to notify under Art. 314d Swiss Civil Code). Maximum penalty: CHF 250,000.

Article 63 FADP — Failure to comply with an FDPIC order (maximum CHF 250,000). Article 63 is a general enforcement provision that criminalizes intentional failure to comply with a legally binding order issued by the FDPIC under Art. 51 FADP. For example, if the FDPIC orders the termination of unlawful processing or deletion of personal data, and the controller or responsible individual knowingly fails to comply, they may be prosecuted under Art. 63. Maximum penalty: CHF 250,000. This provision reinforces the effectiveness of the FDPIC's administrative remedies, ensuring that binding rulings carry enforceable consequences.

Prosecution and adjudication — cantonal criminal procedure. Articles 60–63 offenses are prosecuted and adjudicated in accordance with cantonal criminal procedure (Art. 65(1) FADP). Each of Switzerland's 26 cantons operates its own prosecution authority (Staatsanwaltschaft / ministère public) responsible for investigating and bringing charges. The FDPIC may file a criminal complaint (Strafanzeige / plainte pénale) with the competent cantonal prosecutor and participate as a claimant (Art. 65(2) FADP), but the decision to prosecute and the sentencing determination rest with the cantonal authorities and courts. Penalties are imposed by cantonal criminal courts applying the Swiss Criminal Code's general sentencing principles.

Practical enforcement posture. The new criminal provisions entered into force on September 1, 2023, and significantly increase the penalties compared to the 1992 FADP, which capped fines at CHF 10,000 for most violations. The CHF 250,000 maximum applies uniformly to all four offenses and represents a substantial escalation intended to enhance deterrence. However, as of mid-2025, public reporting of criminal convictions under Arts. 60–63 remains limited; the FDPIC publishes administrative rulings and investigation outcomes but does not control cantonal prosecution statistics. The office's first full year of activity under the revised FADP (2024) saw increased formal investigations and multiple binding orders, some of which (such as the May 2025 PostFinance voiceprint ruling) were challenged before the Federal Administrative Court. Whether those orders ultimately trigger Art. 63 criminal prosecutions for non-compliance will depend on cantonal prosecutorial discretion.

Comparison to GDPR jurisdictions. Practitioners accustomed to the EU and UK administrative fine regimes must recognize that Switzerland's criminal enforcement model imposes individual criminal liability on natural persons, not turnover-based administrative sanctions on companies. The CHF 250,000 cap is materially lower than the GDPR's €20 million / 4% global revenue ceiling for serious infringements under Art. 83(5) GDPR, but the reputational and liberty consequences of a criminal conviction—including potential entry into a criminal record—may carry significant weight for responsible individuals. Cross-border controllers subject to both GDPR and FADP must align compliance with both regimes, as the FDPIC's administrative remedies under Art. 51 FADP can coexist with cantonal criminal prosecution under Arts. 60–63.

Sources:

  • Federal Act on Data Protection (FADP), SR 235.1
  • FDPIC, Criminal law

Private rights of action and civil remedies — Art. 32 FADP and personality-rights framework under Art. 28 Swiss Civil Code

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Switzerland's data protection regime grants data subjects direct civil remedies against controllers, independent of the FDPIC's administrative enforcement powers and the criminal penalties prosecuted by cantonal authorities. These civil remedies are anchored in Article 32 of the revised Federal Act on Data Protection (FADP, SR 235.1), which came into force on September 1, 2023, and in the Swiss Civil Code's general personality-rights provisions (Art. 28 et seq. CC, SR 210), which predate the FADP and apply broadly to invasions of personality. The civil-litigation pathway is particularly significant because it allows data subjects to obtain injunctive relief, damages for pecuniary and non-pecuniary harm, and declaratory judgments directly from civil courts, and because—unlike the FADP's criminal provisions in Arts. 60–63—civil liability may attach to negligent conduct and to corporate defendants, not only to individual natural persons acting intentionally.

## Two-track civil enforcement: Art. 32 FADP and Art. 28 Swiss Civil Code

Article 32 FADP establishes three categories of remedies for data subjects whose rights under the FADP are violated by a private controller (a company, association, political party, or other non-federal entity):

  1. Correction of inaccurate or incomplete personal data (Art. 32(1) FADP), derived from the controller's obligation to ensure accuracy under Art. 6(5) FADP;
  2. Prohibition of unlawful processing or unlawful disclosure to third parties (Art. 32(2)(a) FADP);
  3. Restriction (blocking) of data processing (Art. 32(2)(b) FADP), available when the data subject disputes the proportionality of the processing or the accuracy of the data, and deletion or correction is not feasible because there is an overriding public or private interest in retaining the data (for example, archived records or published material that remains subject to historical or journalistic privilege);
  4. Deletion or destruction of personal data (Art. 32(2)(c) FADP), the most comprehensive remedy when the processing lacks a lawful basis or the purpose has been fulfilled.

Article 32(2) FADP refers explicitly to the Swiss Civil Code's general provisions on the protection of personality (Arts. 28 et seq. CC), which provide the procedural and substantive framework for these claims. Article 28 CC protects every person against unlawful infringement of their personality and grants the right to seek declaratory relief, injunctive relief, and damages or satisfaction payments (moral damages) when the infringement is sufficiently severe. This dual statutory structure means that a data subject asserting a claim under Art. 32 FADP simultaneously invokes the broader personality-rights protections of Art. 28 CC, and the civil court applies both regimes together.

Article 28 Swiss Civil Code provides:

> Any person whose personality rights are unlawfully infringed may petition the court for protection against all those causing the infringement. An infringement is unlawful unless it is justified by the consent of the person whose rights are infringed or by an overriding private or public interest or by law.

The Civil Code remedies under Arts. 28–28l CC include:

  • Declaratory judgment that the processing is unlawful;
  • Injunction to prohibit or restrict the processing or disclosure;
  • Rectification or destruction of the data;
  • Monetary compensation (damages for pecuniary loss under Art. 28a(3) CC, or satisfaction payments for non-pecuniary harm—moral damages—under Art. 28a(3) CC in cases of particularly severe infringement, assessed according to general tort law under Arts. 41 ff. of the Swiss Code of Obligations).

The FDPIC's official guidance emphasizes that civil remedies operate independently of criminal prosecution. A company (or other controller) may be sued in civil court for a negligent breach of FADP obligations and held liable for damages exceeding CHF 250,000, whereas the criminal penalties under Arts. 60–63 FADP apply only to intentional violations by natural persons and carry a maximum fine of CHF 250,000 per offense. In other words, the CHF 250,000 criminal-fine cap and the intentionality requirement do not apply to civil damages claims; a data subject alleging serious harm from a negligent data breach or unlawful cross-border transfer may recover higher sums in civil court if the harm is proven.

## Jurisdiction, procedure, and costs: Arts. 20, 113, and 114 Swiss Civil Procedure Code

Data subjects may file claims under Art. 32 FADP in the competent cantonal civil court under the Swiss Civil Procedure Code (CPC, SR 272). Article 20 CPC grants general jurisdiction to the court where the defendant has its domicile or registered office; for data-protection claims against foreign controllers that process data in Switzerland, Art. 14 FADP may require the controller to appoint a Swiss representative whose address serves as the domicile for service of process.

A critical procedural advantage for data subjects: Articles 113 and 114 CPC exempt data-protection disputes from court costs. Since September 1, 2023, when the revised FADP entered into force, no court fees are charged for FADP-related civil proceedings. The FDPIC's FAQ confirms: "According to Art. 113 and 114 of the Civil Procedure Code, no court costs are charged for disputes under the Data Protection Act." This significantly lowers the financial barrier to bringing a claim and encourages individual enforcement of data-protection rights. Attorney's fees remain the responsibility of the parties unless the court awards costs to the prevailing party, but the exemption from court fees itself removes a major disincentive.

## Scope of civil liability: controller obligations, negligence, and corporate liability

Controllers—both Swiss and foreign entities processing data in Switzerland—are subject to civil liability for violations of FADP obligations. The liability is strict in the sense that the controller must ensure compliance with FADP principles (lawfulness, transparency, proportionality, accuracy, data security, lawful cross-border transfers); failure to do so constitutes an unlawful infringement of personality under Art. 28 CC and triggers the remedies under Art. 32 FADP.

Negligent conduct suffices. Unlike the FADP criminal provisions (Arts. 60–63), which penalize only intentional violations, civil claims under Art. 32 FADP and Art. 28 CC reach negligent breaches. The FDPIC's criminal-law guidance expressly states that "a company could be sued under private law for a negligent breach of the law and for an amount in excess of CHF 250,000." This extends civil exposure significantly beyond the criminal-enforcement perimeter and aligns Swiss data-protection law with the broader European approach to civil damages (cf. Art. 82 GDPR, which also allows damages for negligent processing).

Corporate liability. Civil claims are brought against the controller as a legal entity, not against individual employees or managers. This contrasts sharply with the criminal regime, where Arts. 60–63 FADP primarily sanction natural persons with managerial functions, and corporate substitute liability under Art. 64(1) FADP applies only when the fine does not exceed CHF 50,000 and individual attribution is impractical. In civil proceedings, the data subject sues the company (or association or other controller) directly, and the controller may be held liable for its employees' acts under general agency principles (cf. Art. 55 Swiss Code of Obligations, which imposes vicarious liability on employers for the torts of employees acting within the scope of their employment).

Processors (data processors acting on behalf of a controller) are not directly liable to data subjects under Art. 32 FADP. The FDPIC's guidance on outsourcing confirms that the controller retains primary responsibility for compliance, including when it engages a processor. The data subject's remedies lie against the controller; the controller in turn may have recourse against the processor under their contract if the processor's breach caused the harm.

## Common civil-litigation scenarios in practice

Data subjects most frequently invoke Art. 32 FADP and Art. 28 CC in the following contexts:

  • Employer data processing. Employees alleging that their employer violated Art. 328b of the Swiss Code of Obligations (which restricts employee-data processing to information relevant to the employment relationship) may bring a civil action for injunctive relief or damages. The FDPIC's guidance on video surveillance in the workplace explicitly states that "employees who feel that their privacy has been violated can bring a civil action against their employer under Article 32 FADP and based on Articles 28, 28a and 28g to l of the Civil Code." Courts may order the employer to cease surveillance, delete footage, or pay compensation for harm to personality rights.
  • Denial of access or correction rights. When a controller (such as a social network, credit-reporting agency, or healthcare provider) refuses to comply with a data subject's request for access (Art. 25 FADP) or correction (Art. 32(1) FADP), the data subject may petition the civil court to enforce the right. The FDPIC FAQ advises: "If a private controller does not respond to your request after a reasonable period of time or if you believe that the controller's decision not to comply with your request is incorrect, you have the option of taking court action to enforce your rights (Art. 32 para. 2 FADP in conjunction with Art. 28 ff. Swiss Civil Code)."
  • Unlawful cross-border transfers. If a controller discloses personal data to a recipient in a jurisdiction that lacks adequate protection under Arts. 16 and 17 FADP—for example, transferring data to a non-adequate country without standard contractual clauses, binding corporate rules, or another recognized safeguard—the data subject may seek an injunction prohibiting further transfers and deletion of the unlawfully transferred data. The FDPIC's guidance on cross-border transfers confirms that violations "may have consequences under … private law, in particular claims for damages."
  • Data breaches and security failures. Data subjects whose personal data were lost or accessed by unauthorized third parties due to inadequate technical and organizational security measures (Art. 8(3) FADP) may claim damages for pecuniary loss (identity theft, fraud) and, in severe cases, satisfaction payments for non-pecuniary harm (anxiety, reputational damage). The controller's liability is assessed under general tort principles; the data subject must prove the breach of duty (failure to secure the data), causation, and harm. Unlike GDPR Art. 82, which shifts the burden to the controller to prove it is "not in any way responsible," Swiss civil procedure follows the traditional burden of proof: the claimant must establish the elements of the tort (Art. 8 CC).

## Interaction with FDPIC enforcement and criminal prosecution

The civil-remedy pathway operates in parallel with the FDPIC's administrative remedies under Art. 51 FADP and cantonal criminal prosecution under Arts. 60–63 FADP. A data subject may simultaneously:

  1. File a complaint with the FDPIC requesting an investigation and a binding administrative order requiring the controller to modify, suspend, or terminate the processing (Art. 51 FADP). The FDPIC does not award damages but may order corrective measures.
  2. Initiate a civil action in cantonal court under Art. 32 FADP and Art. 28 CC to obtain damages, an injunction, or deletion of data. The civil court's judgment is independent of the FDPIC's administrative ruling, though courts often give deference to the FDPIC's interpretation of FADP obligations.
  3. File a criminal complaint with the competent cantonal prosecutor if the controller's conduct appears to constitute an intentional violation of Arts. 60–63 FADP. The FDPIC itself may file a criminal complaint and participate as a claimant (Art. 65(2) FADP), but the decision to prosecute rests with the cantonal authorities.

These three pathways do not conflict; each serves a distinct function. The FDPIC enforces regulatory compliance and protects the public interest; civil litigation compensates individual harm and vindicates personal rights; criminal prosecution punishes intentional misconduct and deters future violations.

## Cross-border enforcement and representative actions

Foreign controllers subject to FADP (i.e., controllers domiciled abroad that process personal data in Switzerland in connection with the offer of goods or services or the monitoring of behavior in Switzerland, under Art. 3 FADP) are equally subject to civil remedies under Art. 32 FADP. When a foreign controller triggers the obligation to appoint a representative in Switzerland under Art. 14 FADP, the representative's address serves as the domicile for service of process for civil claims (unless the controller is represented by a Swiss lawyer, in which case the lawyer's address is the domicile for service). Data subjects may thus sue foreign controllers in Swiss courts even when the controller has no physical presence in Switzerland.

Representative or class-action mechanisms comparable to GDPR Art. 80 (right to mandate a not-for-profit body to lodge a complaint with a supervisory authority or bring a judicial remedy) do not exist under the FADP or Swiss civil procedure. Each data subject must bring an individual claim. However, the no-court-costs rule under Arts. 113 and 114 CPC mitigates the financial barrier to individual enforcement, and Swiss courts may consolidate multiple related claims under general procedural rules when common questions of law or fact predominate.

## Comparison to GDPR civil damages (Art. 82)

Practitioners accustomed to the GDPR civil-damages regime (Art. 82 GDPR) will recognize structural parallels and key differences:

Parallels:

  • Both FADP Art. 32 and GDPR Art. 82 allow data subjects to claim material and non-material damages for violations of data-protection law.
  • Both permit claims for negligent breaches, not only intentional misconduct.
  • Both impose liability on the controller (and, under GDPR, the processor) as a legal entity, not solely on natural persons.

Differences:

  • Burden of proof. GDPR Art. 82(3) places the burden on the controller (or processor) to prove it is "not in any way responsible for the event giving rise to the damage." Swiss civil procedure follows the traditional rule: the data subject must prove the controller's breach of duty, causation, and harm.
  • Processor liability. Under GDPR Art. 82, both controllers and processors may be sued directly by data subjects. Under FADP Art. 32, only controllers face direct liability to data subjects; processors are liable to the controller under their processing agreement but not to the data subject.
  • Court costs. Swiss Civil Procedure Code Arts. 113 and 114 waive court fees for FADP disputes (since September 1, 2023). GDPR jurisdictions have no uniform rule; some member states charge court fees, others exempt data-protection claims from fees on a case-by-case basis or under specific national legislation.
  • Quantum of damages. FADP does not prescribe a damages calculation methodology. Swiss courts apply general tort principles from the Code of Obligations and the Civil Code, requiring proof of actual pecuniary loss for material damages and a showing of "particularly severe" infringement for non-pecuniary satisfaction payments. GDPR case law (e.g., Austrian Österreichische Post decision, CJEU C-300/21) has established that "any damage" caused by a GDPR infringement may give rise to compensation, including relatively modest non-material harm; whether Swiss courts will adopt a similarly broad posture remains to be seen as the 2023 FADP is applied in civil litigation.

Cross-border controllers subject to both GDPR and FADP must align their compliance and litigation strategies across both regimes, recognizing that data subjects in Switzerland may elect to pursue civil remedies in Swiss courts under FADP Art. 32 and Art. 28 CC, independently of any GDPR-based claims or supervisory-authority enforcement in EU or EEA jurisdictions.

Sources:

  • Federal Act on Data Protection (FADP), SR 235.1
  • Swiss Civil Code, SR 210 (Art. 28 et seq.)
  • FDPIC, Frequently asked questions on data protection concerns
  • FDPIC, Knowing and asserting my rights
  • FDPIC, Criminal law
  • FDPIC, Video surveillance in the workplace

Criminal sentencing methodology under Art. 47 Swiss Criminal Code — culpability-based determination within the CHF 250,000 maximum

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Swiss courts imposing fines for data protection offenses under Articles 60–63 of the Federal Act on Data Protection (FADP) apply the general sentencing principles of the Swiss Criminal Code (SCC), not a distinct administrative-penalty regime. The CHF 250,000 maximum fine cap for each of the four criminal offenses is a ceiling, not a default; the actual fine amount is determined by the cantonal criminal court according to Article 47 SCC, which mandates a culpability-based assessment of the offender's conduct and personal circumstances. This individualized sentencing methodology diverges fundamentally from the GDPR's two-tier administrative fine framework under Article 83 GDPR, which sets penalties according to the controller's global annual turnover (up to €20 million or 4% of worldwide revenue, whichever is higher) and applies a structured typology of aggravating and mitigating factors tied to the seriousness of the infringement.

## Art. 47 SCC — culpability as the foundational principle

Article 47(1) of the Swiss Criminal Code provides:

> The court shall determine the sentence according to the culpability of the offender. It shall take account of the previous conduct and the personal circumstances of the offender as well as the effect that the sentence will have on his life.

Culpability (Verschulden / culpabilité) is assessed according to Article 47(2) SCC, which requires the court to consider:

  1. The severity of the harm or endangerment to the protected legal interest (in data-protection cases, the personality rights of data subjects and the integrity of the supervisory regime);
  2. The reprehensibility of the conduct — how wrongful the act was in light of the offender's awareness of the legal obligation and the circumstances of the violation;
  3. The offender's motives and objectives — whether the violation was driven by financial gain, competitive advantage, negligence, or another motive;
  4. The offender's capacity to avoid the harm, considering both internal factors (knowledge, experience, position within the organization) and external circumstances (time pressure, resource constraints, reliance on third-party advice).

The court must also weigh the offender's prior conduct (criminal record, compliance history) and personal circumstances (financial situation, family obligations, health), as well as the effect that the sentence will have on the offender's life — the principle of Tatschuld (offense-based culpability) tempered by considerations of proportionality and the offender's prospects for reintegration. Swiss criminal law does not permit purely deterrent or revenue-based fines divorced from the individual offender's culpability.

## Application to FADP criminal offenses — natural persons, not corporate turnover

Because Articles 60–63 FADP impose criminal liability on natural persons (directors, officers, department heads, and other individuals with decision-making authority), not on corporate entities, the sentencing analysis under Article 47 SCC focuses on the individual's culpability, not the employer's global revenue or the scale of the data processing. The CHF 250,000 maximum fine applies uniformly to violations of any of the four offenses, regardless of whether the controller is a multinational corporation processing billions of records or a small business processing a few thousand. The fine amount is calibrated to the individual offender's degree of fault, the harm caused or risked, and the offender's personal and financial circumstances.

Corporate substitute liability under Article 64(1) FADP allows the cantonal prosecutor to impose a fine on the legal entity (the company itself) when the fine does not exceed CHF 50,000 and individual attribution would require disproportionate investigative effort. Even in this narrow scenario, the CHF 50,000 cap on corporate fines is materially lower than the CHF 250,000 individual maximum, and the sentencing determination remains subject to Article 47 SCC's culpability-based principles, not a turnover-based calculation.

## Mitigating and aggravating circumstances — Art. 48 SCC and concurrent sentencing

Swiss criminal courts may reduce the sentence below the statutory minimum (which does not apply to fines under Arts. 60–63 FADP, as they carry no statutory minimum, only a maximum) or change the type of penalty when mitigating circumstances under Article 48 SCC are present. Mitigating factors include:

  • The offender acted from honorable motives (e.g., to protect a whistleblower or in reliance on erroneous legal advice in good faith);
  • The offender was in serious distress or acted under severe threat;
  • The offender was provoked by the conduct of the injured party or acted on the instruction of a person to whom the offender owed obedience or on whom the offender was dependent;
  • The offender has made genuine efforts at reparation or has reconciled with the data subjects;
  • A significant period has elapsed since the offense, and the offender has led an irreproachable life in the interim.

Article 49 SCC governs concurrent sentencing when the offender has committed multiple offenses. If an individual violates multiple FADP provisions (for example, failing to provide information under Art. 19 FADP in violation of Art. 60, and simultaneously failing to implement adequate data security under Art. 8(3) FADP in violation of Art. 61), the court imposes the penalty for the most serious offense and increases it appropriately. However, the increase may not exceed one-half of the maximum penalty for the most serious offense, and the court is bound by the statutory maximum for that category of penalty. Because all four FADP criminal offenses carry the same CHF 250,000 maximum, the practical effect is that concurrent violations may result in a fine up to CHF 375,000 (CHF 250,000 + 50% increase), but the court must still assess culpability cumulatively and justify the increase.

## Conditional fines and probation — Art. 42 SCC

Swiss criminal procedure permits conditional suspension of fines under Article 42 SCC when the court believes that the offender will not reoffend without the need to execute the penalty. If the court suspends the fine and imposes a probationary period (typically two to five years under Art. 44 SCC), the offender is not required to pay the fine unless the probation is breached. Conditional fines are common in Swiss criminal practice for first-time offenders and minor violations where the offender has cooperated with authorities, made restitution, and demonstrated a genuine commitment to future compliance. Whether cantonal prosecutors and courts will extend this leniency to data-protection offenses under Arts. 60–63 FADP remains to be seen, as the revised FADP entered into force only on September 1, 2023, and public reporting of criminal convictions is limited as of mid-2025.

## Enforcement posture — limited public data and the FDPIC's criminal complaint practice

As of June 2026, public reporting of actual fines imposed by cantonal courts for violations of Articles 60–63 FADP is sparse. The FDPIC's published enforcement activity focuses on administrative remedies under Article 51 FADP — binding orders to modify, suspend, or terminate processing, or to delete personal data — and the office publishes anonymized investigation rulings and annual reports to Parliament. However, the FDPIC does not control cantonal criminal prosecution statistics, and cantonal prosecutors do not uniformly publish decisions on data-protection cases.

The FDPIC may file a criminal complaint with the competent cantonal prosecutor and participate as a claimant in criminal proceedings under Article 65(2) FADP. The office has publicly confirmed at least one such action: in 2025, the FDPIC filed a criminal complaint against Add Conti GmbH for failure to cooperate with an investigation, a violation of Article 60 FADP (violation of the cooperation obligation under Arts. 49 ff. FADP). This demonstrates the FDPIC's willingness to escalate non-compliance to criminal enforcement, but the outcome of that prosecution has not been publicly reported as of the current record date.

The FDPIC's Annual Report 2024/2025 (covering April 2024 to March 2025) notes that the office "significantly increased formal investigations and issued multiple legally binding orders" in the first full year under the revised FADP, signaling a shift from the advisory posture that characterized the pre-2023 regime. The report does not, however, provide statistics on criminal complaints filed or cantonal convictions obtained. Practitioners should therefore assume that the enforcement posture is developing and that the quantum of fines actually imposed will become clearer as case law accumulates over the next several years.

## Comparison to GDPR Art. 83 administrative fines — structural and quantum divergences

The Swiss criminal-fine model differs from the GDPR administrative fine regime in five critical respects:

1. Individual vs. corporate liability. GDPR administrative fines under Article 83 are imposed on the controller or processor as a legal entity. Swiss FADP criminal fines under Articles 60–63 are imposed on natural persons (with narrow corporate substitute liability under Art. 64(1) FADP capped at CHF 50,000). A GDPR-compliant multinational may face a €20 million administrative fine from an EU supervisory authority for the same data breach that triggers a CHF 250,000 criminal fine against its Swiss-based Chief Privacy Officer individually.

2. Turnover-based vs. culpability-based quantum. GDPR Article 83(5) sets the maximum fine at €20 million or 4% of total worldwide annual turnover, whichever is higher, and supervisory authorities apply the Article 83(2) factors (nature, gravity, duration, intentional or negligent character, categories of data affected, number of data subjects, technical and organizational measures, cooperation with the authority, previous infringements, financial benefit obtained). Swiss Article 47 SCC sets fines according to the individual offender's culpability, prior conduct, and personal circumstances, within the CHF 250,000 statutory ceiling, without reference to the employer's turnover or the number of data subjects affected globally.

3. Intentional vs. negligent violations. GDPR administrative fines apply to both intentional and negligent infringements (Art. 83(2)(b) GDPR). Swiss FADP criminal penalties apply only to intentional violations (Arts. 60–63 FADP require Vorsatz); negligent breaches may trigger civil liability under Art. 32 FADP and Art. 28 Swiss Civil Code for damages exceeding CHF 250,000, but they do not expose the individual to criminal prosecution.

4. Suspended (conditional) fines. Swiss criminal courts may impose conditional fines under Art. 42 SCC that the offender need not pay if probation is successfully completed. GDPR administrative fines are unconditional monetary sanctions payable immediately (subject to appeal and possible suspension pending judicial review, but not subject to probationary non-execution as a matter of initial sentencing).

5. Transparency of enforcement data. EU and EEA supervisory authorities publish enforcement decisions and fine amounts in searchable public databases (e.g., the EDPB's register of Art. 83 fines, national SA websites). Swiss cantonal criminal courts do not maintain a centralized public register of FADP convictions, and the FDPIC publishes only administrative rulings under Art. 51 FADP, not the outcomes of criminal prosecutions it has initiated. This opacity complicates benchmarking and compliance planning for cross-border controllers.

## Practical implications for cross-border controllers

Controllers subject to both GDPR and FADP must recognize that the same data-processing violation may trigger parallel enforcement proceedings in EU/EEA jurisdictions (administrative fines against the corporate entity) and in Switzerland (criminal prosecution of responsible individuals). The fact that Swiss fines are capped at CHF 250,000 per offense (or CHF 375,000 for concurrent offenses under Art. 49 SCC) does not mean Swiss exposure is immaterial; the reputational and liberty consequences of a criminal conviction—including potential entry into a criminal record, restrictions on future business activities, and personal liability uninsured by the employer—may carry greater long-term weight than a GDPR administrative fine absorbed by the corporate budget.

Conversely, the lack of public enforcement data and the individualized sentencing discretion under Art. 47 SCC create uncertainty for compliance planning. Unlike the GDPR, where supervisory authorities have published detailed methodologies for calculating fines (e.g., the CNIL's sanction-calculation methodology, the ICO's statutory guidance under UK GDPR), Swiss cantonal courts apply the general Criminal Code sentencing framework without sector-specific guidance tailored to data protection. Practitioners should therefore monitor FDPIC annual reports, published administrative rulings, and any future criminal-court decisions for emerging patterns in sentencing practice.

Sources:

  • Swiss Criminal Code (SR 311.0), Art. 47
  • Federal Act on Data Protection (FADP), SR 235.1
  • FDPIC, Criminal law
  • FDPIC, 2024/2025 Annual Report
  • FDPIC, Press releases (2025 — Add Conti criminal complaint)

Appeals to the Federal Administrative Court — 30-day deadline and APA procedural safeguards

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Controllers subject to FDPIC investigation or who receive a legally binding order under Art. 51 FADP enjoy full procedural rights under the Federal Act on Administrative Procedure (APA, SR 172.021) and may challenge FDPIC rulings before the Federal Administrative Court (Bundesverwaltungsgericht / Tribunal administratif fédéral). This appeal pathway, which entered into force with the revised FADP on September 1, 2023, represents a significant procedural upgrade from the pre-2023 regime, when the FDPIC issued only non-binding recommendations that controllers could disregard without risking judicial enforcement.

## Investigation procedure under the APA — Art. 52 FADP

Under the revised FADP, investigations are governed by the Federal Act on Administrative Procedure (APA) (Art. 52(1) FADP). This means the controller under investigation is a party to formal administrative proceedings and enjoys all APA procedural safeguards, including:

  • Right to be heard (Art. 29 et seq. APA): The controller must be notified of the investigation, given an opportunity to review the evidence, and permitted to submit written statements and supporting documents before the FDPIC issues a ruling.
  • Right to inspect files (Art. 26–28 APA): The controller may request access to all documents in the FDPIC's investigative file, subject to narrow exceptions for classified information or third-party confidential business records.
  • Right to representation: The controller may be represented by legal counsel or another authorized agent throughout the investigation.
  • Duty of the authority to establish the facts (Art. 12 APA): The FDPIC bears the burden of establishing the factual basis for any finding of violation; the controller need not prove compliance unless the FDPIC has presented sufficient prima facie evidence of a breach.

The APA's written procedure (schriftliches Verfahren / procédure écrite) applies by default; oral hearings are held only if the FDPIC deems them necessary to clarify the facts (Art. 33 APA). In practice, the FDPIC conducts most investigations through written correspondence: the opening notification, requests for documents and explanations, the controller's submissions, and the final ruling are exchanged in writing. The FDPIC's October 2024 factsheet on investigation procedure confirms that investigations remain document-intensive, with the controller submitting evidence, contracts, privacy policies, data-processing records, and technical documentation to demonstrate compliance or to contest the FDPIC's preliminary findings.

Preliminary enquiries remain informal. The FDPIC distinguishes between informal preliminary enquiries (Vorabklärungen / enquêtes préliminaires informelles), which are non-binding fact-gathering exercises to determine whether sufficient indications of a violation exist, and formal investigations (Untersuchungen / enquêtes formelles) governed by the APA. During preliminary enquiries, the APA does not yet apply, the entity is not formally a party, and the FDPIC is not obliged to afford full procedural rights. However, once the FDPIC opens a formal investigation under Art. 49 FADP—triggered by "sufficient indications" that data processing may violate FADP regulations—the full APA framework governs, and the controller becomes a party with appeal rights.

## Legally binding orders under Art. 51 FADP and Art. 5 APA

If the FDPIC's investigation establishes that a violation of data protection regulations has occurred, the FDPIC is authorized to issue a legally binding order (rechtlich verbindliche Verfügung / décision juridiquement contraignante) under Art. 5 APA (Art. 51 FADP). Article 5 APA defines a Verfügung (ruling / décision) as "decisions of authorities in individual cases that are based on public law of the Confederation and have as their subject the establishment, modification or annulment of rights or obligations, the determination of the existence, non-existence or extent of rights or obligations, or the dismissal of applications for the establishment, modification, annulment or determination of rights or obligations." In the FDPIC context, Art. 51 orders typically:

  • Require the controller to modify, suspend, or terminate the unlawful data processing activity;
  • Require deletion or destruction of personal data processed unlawfully or retained beyond the lawful purpose;
  • Prohibit cross-border transfers to jurisdictions lacking adequate protection when the safeguards under Arts. 16–17 FADP are not met;
  • Require implementation of technical and organizational security measures to comply with Art. 8(3) FADP.

The FDPIC's first published rulings under the revised FADP illustrate the scope of Art. 51 orders. On May 16, 2025, the FDPIC concluded its investigation into PostFinance AG's voice recognition system and issued a legally binding order requiring PostFinance to obtain explicit consent from data subjects when creating voiceprints for biometric authentication, and to delete voiceprints for which no explicit consent had been obtained. PostFinance appealed the ruling to the Federal Administrative Court on the grounds that the consent requirement was disproportionate and that the existing terms of service provided adequate legal basis for the processing. As of early 2026, the appeal remains pending.

On January 29, 2025, the FDPIC concluded its investigation into Cembra Money Bank AG and issued a ruling addressing the statutory time limits for responding to data subject access requests and the level of detail required in access-request responses under Arts. 25–27 FADP. The FDPIC ordered Cembra to enhance its information practices and to respond to future access requests within the 30-day statutory deadline (Art. 25(4) FADP) unless an extension is justified and communicated to the data subject. Cembra did not appeal the ruling and implemented the required changes.

## Appeal to the Federal Administrative Court — 30-day deadline

Controllers who disagree with an FDPIC ruling under Art. 51 FADP may challenge the order before the Federal Administrative Court within 30 days of receiving written notification of the ruling (Art. 50(1) of the Federal Act on Administrative Court Procedure, VGG / LTAF, SR 173.32). The 30-day deadline is strict; appeals filed after expiry are dismissed as inadmissible unless the controller establishes exceptional circumstances justifying late filing (Art. 50(2) VGG permits extensions only when the party was prevented from filing by circumstances beyond its control, such as serious illness or natural disaster).

The appeal is filed in writing with the Federal Administrative Court, Zurich (Bundesverwaltungsgericht, Postfach, 9023 St. Gallen; or Avenue du Tribunal-fédéral 34, 1005 Lausanne for French-language proceedings). The appeal brief must contain (Art. 52 VGG):

  1. The petitions (specific remedies requested, such as annulment of the FDPIC order or modification of its terms);
  2. A statement of facts and grounds explaining why the FDPIC ruling is factually or legally incorrect;
  3. Evidence supporting the controller's position (contracts, technical documentation, privacy policies, expert opinions, or affidavits);
  4. The impugned ruling (a copy of the FDPIC order being appealed);
  5. The controller's signature or that of its legal representative.

Advance payment of costs. The Federal Administrative Court typically requires the appellant to pay an advance on court costs (Kostenvorschuss / avance de frais) within a set deadline, usually 30 days from the court's demand. The FDPIC's guidance confirms that "an advance payment of costs is usually required for the appeal procedure, but this will be refunded to you if your appeal is successful." If the controller prevails, the court refunds the advance and may award costs against the FDPIC (which, as the losing party, bears the court fees and may be ordered to compensate the controller's legal fees under Art. 64 VGG). If the appeal is dismissed, the controller forfeits the advance, which is applied toward the court's costs, and the controller may also be ordered to pay a portion of the FDPIC's legal fees.

The amount of the advance varies with the complexity of the case and the court's estimate of the work involved; typical advances for data-protection appeals range from CHF 2,000 to CHF 10,000. Failure to pay the advance within the court's deadline results in dismissal of the appeal (non-entry, Nichteintreten / non-entrée en matière), unless the controller demonstrates financial hardship and applies for exemption from court costs under Art. 65 VGG (legal aid for indigent parties, rarely granted to commercial entities).

## Standard of review and scope of appellate jurisdiction

The Federal Administrative Court conducts a full review on the merits (Überprüfung in der Sache selbst / révision au fond) of FDPIC rulings. The court reviews both questions of fact (did the controller process personal data in the manner alleged? did it implement adequate security measures?) and questions of law (does the processing violate Art. 6 FADP's proportionality principle? does the cross-border transfer comply with Arts. 16–17 FADP?). The court is not bound by the FDPIC's legal interpretation of FADP provisions, though in practice it accords significant deference to the FDPIC's expertise on data-protection questions.

The court may:

  • Dismiss the appeal and uphold the FDPIC ruling in full;
  • Annul the FDPIC ruling and remand the case to the FDPIC for further investigation or a new ruling consistent with the court's legal interpretation;
  • Modify the FDPIC ruling, narrowing or broadening the scope of the corrective measures ordered (for example, ordering deletion of a subset of unlawfully processed data rather than the entire dataset the FDPIC targeted).

Suspensive effect. An appeal to the Federal Administrative Court does not automatically suspend the FDPIC order; the ruling remains immediately enforceable unless the court grants a stay of execution (aufschiebende Wirkung / effet suspensif) upon application by the controller (Art. 55 VGG). To obtain a stay, the controller must demonstrate that (1) compliance with the FDPIC order would cause serious and irreparable harm to the controller's interests, and (2) the public interest in immediate enforcement does not outweigh the controller's private interest in delaying compliance pending the appeal. In practice, the Federal Administrative Court grants stays sparingly; the court is more likely to stay an order requiring immediate deletion of data than an order requiring the controller to modify its privacy notice or obtain explicit consent going forward.

PostFinance's appeal of the May 2025 voiceprint ruling illustrates the dynamics. PostFinance filed an appeal with the Federal Administrative Court challenging the FDPIC's conclusion that explicit consent is required under Art. 6(6) and (7) FADP for biometric voiceprint processing, arguing that the company's existing terms of service and its Art. 6(1)(b) contract-performance lawful basis suffice. PostFinance simultaneously requested a stay of the deletion order, contending that deleting millions of existing voiceprints would disrupt customer authentication and impose disproportionate technical and operational costs. As of early 2026, the Federal Administrative Court had not published its decision on the stay application or the merits; if the court denies the stay, PostFinance must comply with the deletion order while the appeal proceeds, and if PostFinance ultimately prevails on appeal, it would need to re-collect voiceprints under whatever revised procedure the court approves.

On October 6, 2025, the Federal Administrative Court issued its first published judgment upholding an FDPIC enforcement action under the revised FADP. The court dismissed the appeal lodged by the Swiss citizens' association Bürgerforum Schweiz against a processing ban imposed by the FDPIC, confirming the FDPIC's interpretation of FADP obligations and its authority to issue binding corrective orders under Art. 51. The judgment demonstrates the court's willingness to defer to the FDPIC's supervisory determinations when supported by adequate factual findings and a sound legal basis.

## Appeals for federal body decisions and data subject access denials

The 30-day appeal deadline and Federal Administrative Court jurisdiction also apply in two other procedural contexts:

1. Data subjects appealing federal body access denials. When a federal body (Bundesorgan / organe fédéral)—such as a federal ministry, agency, or public institution—denies or restricts a data subject's access request under Arts. 25–27 FADP, the data subject may file an appeal with the Federal Administrative Court within 30 days of receiving the federal body's decision (Art. 25(5) FADP; Art. 50 VGG). The FDPIC's FAQ confirms: "If the controller is a federal body, you can file an appeal against the decision with the Federal Administrative Court within 30 days." This pathway applies only to federal bodies; denials by private controllers (companies, associations, NGOs) cannot be appealed to the Federal Administrative Court and must instead be challenged in civil court under Art. 32 FADP and Art. 28 Swiss Civil Code (see the private-rights-civil-remedies section).

2. Data subjects appealing federal body processing decisions. When a federal body refuses a data subject's request to restrict cross-border disclosure of their personal data to a foreign authority (for example, in the context of administrative assistance in tax or criminal matters), the data subject may appeal to the Federal Administrative Court under Art. 41 FADP. The FDPIC guidance notes that "a data subject can prevent the transfer of information to a foreign authority, for example in the context of administrative assistance in tax matters, if they believe that the legal requirements are not met" by filing an appeal with the Federal Administrative Court within 30 days.

The same 30-day deadline and advance-on-costs requirement apply to these data-subject appeals as to controller appeals of FDPIC enforcement rulings. However, data subjects challenging private controller denials face a different procedural pathway: they bring a civil action in cantonal court under Art. 32 FADP, with no court fees charged under Arts. 113–114 of the Swiss Civil Procedure Code (see the private-rights-civil-remedies section for details).

## Interaction with cantonal criminal prosecution

The Federal Administrative Court appeal pathway operates independently of cantonal criminal prosecution under Arts. 60–63 FADP. A controller may simultaneously:

  1. Appeal an FDPIC Art. 51 order to the Federal Administrative Court, contesting the FDPIC's factual findings or legal interpretation; and
  2. Face criminal prosecution by a cantonal prosecutor for intentional violation of FADP obligations (for example, intentional failure to comply with the FDPIC order, triggering Art. 63 FADP criminal liability).

The Federal Administrative Court's judgment on the appeal does not bind the cantonal criminal court, though the criminal court will typically give weight to the administrative court's factual findings and legal reasoning. If the Federal Administrative Court annuls the FDPIC order on the grounds that no FADP violation occurred, the cantonal prosecutor is unlikely to secure a conviction under Art. 63 (failure to comply with an FDPIC order) because the predicate order has been invalidated. Conversely, if the Federal Administrative Court upholds the FDPIC order and the controller still refuses to comply, the FDPIC may file a criminal complaint under Art. 65(2) FADP, and the cantonal prosecutor may bring charges under Art. 63 FADP for intentional non-compliance.

## Comparison to GDPR administrative appeal mechanisms

Practitioners accustomed to GDPR administrative enforcement will recognize structural parallels and key differences:

Parallels:

  • Both FADP and GDPR provide for judicial review of supervisory authority decisions (GDPR Art. 78 grants the right to an effective judicial remedy against a supervisory authority's legally binding decision; Art. 79 grants the right to judicial remedy against a controller or processor).
  • Both impose strict deadlines for filing appeals (Switzerland's 30-day FADP deadline mirrors typical member-state administrative-court deadlines, such as Germany's one-month Widerspruchsfrist or France's two-month délai de recours).
  • Both allow full merits review of the supervisory authority's factual findings and legal conclusions, not merely procedural review.

Differences:

  • Centralized appellate forum. Switzerland routes all FDPIC-order appeals to the single Federal Administrative Court, providing nationwide consistency in FADP interpretation. EU member states exhibit greater variation: some vest first-instance jurisdiction in specialized data-protection chambers (Ireland's High Court for DPC appeals; Germany's administrative courts for Land DPA appeals), others in general administrative courts, and appellate pathways often extend through multiple tiers (administrative court → higher administrative court → supreme court).
  • Advance on costs. Switzerland's mandatory advance-on-costs requirement (refunded if the controller prevails) has no direct GDPR analog in many member states; some EU jurisdictions (Germany, Austria) impose court fees only after judgment, and others (UK, Ireland for judicial review) frontload costs but with different refund rules.
  • No FDPIC administrative fines to appeal. Because the FDPIC cannot impose monetary sanctions (see the supervisory-authority-and-powers and criminal-penalties sections), Swiss appeals concern corrective orders (modify processing, delete data, cease transfers), not fine amounts. GDPR appeals in EU member states frequently center on the quantum of the administrative fine under Art. 83 GDPR, with controllers arguing the supervisory authority miscalculated the penalty or failed to apply mitigating factors; this issue category does not arise in Swiss FDPIC appeals.

Cross-border controllers subject to both GDPR and FADP enforcement must navigate parallel appellate pathways: a DPC or CNIL administrative fine may be appealed to Irish or French courts under GDPR Art. 78, while an FDPIC Art. 51 corrective order (covering the same processing activity) is appealed to the Swiss Federal Administrative Court under the VGG. The two proceedings are independent; a Swiss Federal Administrative Court judgment does not bind EU supervisory authorities or courts, and vice versa, though both may inform each other's interpretation of functionally equivalent data-protection principles.

Sources:

  • Federal Act on Data Protection (FADP), SR 235.1
  • Federal Act on Administrative Procedure (APA), SR 172.021
  • Federal Act on the Federal Administrative Court (VGG / LTAF), SR 173.32
  • FDPIC, Factsheet: Investigation of violations of data protection regulations (October 2024)
  • FDPIC, Knowing and asserting my rights
  • FDPIC, Frequently asked questions on data protection concerns
  • FDPIC, New FDPIC's role
  • FDPIC, Latest news
