# Territorial scope — the "effects doctrine" under Article 3 FADP
Switzerland's revised Federal Act on Data Protection (Bundesgesetz über den Datenschutz, FADP; SR 235.1) entered into force on September 1, 2023. Adopted by Parliament on September 25, 2020, and brought into effect by Federal Council decision of August 31, 2022, the revised FADP replaces the 1992 Act and implements a comprehensive modernization intended to align Swiss law with the EU General Data Protection Regulation and ratify the Council of Europe's modernized Convention 108+ (CETS 223).
The supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC, Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter, EDÖB), an independent federal body with investigative, enforcement, and advisory powers under Articles 43–59 FADP.
## Territorial scope: the "effects doctrine"
Article 3 FADP codifies an effects-based territorial scope broader than the GDPR's Article 3(2) targeting / monitoring test. The FADP applies to any processing of personal data that affects Switzerland (Auswirkungen auf die Schweiz hat / déploie des effets en Suisse), whether or not the controller or processor is established in Switzerland and whether or not the processing takes place within Swiss territory.
This "effects doctrine" captures:
- Processing by Swiss-established controllers or processors, regardless of where the data or the data subjects are located;
- Processing by foreign controllers or processors if the processing has effects in Switzerland — including processing of data relating to persons outside Switzerland when that processing affects interests, rights, or legal relations in Switzerland.
The Federal Office of Justice's explanatory report (Botschaft BBl 2017 6941) clarifies that "effects in Switzerland" is not limited to processing Swiss residents' data; a non-Swiss person's data may fall within scope if the processing impacts Swiss legal, economic, or social interests. For example, processing employee data of a Swiss national working abroad for a foreign employer, or processing contract data in a cross-border transaction where Swiss law governs performance, may trigger Article 3 even though neither the data subject nor the controller is in Switzerland.
## Material scope: natural persons only
Unlike the 1992 FADP, the revised Act protects only natural persons. Legal entities (companies, foundations, associations) are excluded from the definition of "data subject" (betroffene Person / personne concernée) under Article 5(a) FADP. This aligns the FADP with the GDPR's natural-persons-only scope and narrows Swiss law's former protection of legal-entity data.
## Cross-border application and representative obligation
Foreign controllers not established in Switzerland who process personal data with effects in Switzerland must appoint a representative in Switzerland (Article 14 FADP) if all four conditions are met:
- The processing is in connection with offering goods or services to persons in Switzerland or monitoring the behavior of persons in Switzerland;
- The processing is large-scale;
- The processing is regular (systematic, not ad hoc);
- The processing is likely to result in a high risk to the personality or fundamental rights of data subjects.
The representative serves as the point of contact for data subjects and the FDPIC (Article 14(2) FADP). The FDPIC may issue a ruling ordering a controller to appoint a representative under Article 51(4) FADP if the statutory criteria are satisfied.
## Relationship to GDPR
Switzerland is not an EU member state. The GDPR does not apply qua EU law. However, Swiss controllers or processors who offer goods or services to, or monitor, persons in the EU remain subject to GDPR Article 3(2) extraterritorial scope. In practice, a multinational operation often faces concurrent FADP and GDPR obligations. The EU Commission's adequacy decision for Switzerland (Decision 2000/518/EC, under review as of May 2026) permits transfers from the EEA to Switzerland under GDPR Article 45, but does not exempt Swiss entities from GDPR when they directly target EU data subjects.
- Source: Federal Act on Data Protection (FADP), SR 235.1
- Source: Federal Office of Justice — New Data Protection Legislation
- Source: FDPIC — Obligation to appoint a representative under Article 14 FADP
# Exemptions from FADP scope — the household exception and federal-body carve-outs under Article 2
Article 2 FADP (SR 235.1) carves out several categories of processing from the Act's scope, mirroring the GDPR Article 2(2) exemption structure while adding Swiss-specific public-authority exclusions.
## The household / purely personal exception
Article 2(1) FADP exempts processing "by natural persons for purely personal or household activities" (Verarbeitung durch natürliche Personen für ausschliesslich persönliche Tätigkeiten / traitement de données personnelles par des personnes physiques dans le cadre d'activités exclusivement personnelles). This is Switzerland's analogue to GDPR Article 2(2)(c)'s household exception and Convention 108+ Article 2(2)(a)'s personal / domestic exception.
The "purely personal" threshold is narrow. The processing must have no connection to professional or commercial activity. The FDPIC's guidance and Swiss legal doctrine align with the CJEU's strict interpretation of the GDPR household exception in Bodil Lindqvist (C-101/01) and Ryneš (C-212/13): publishing personal data to an unrestricted internet audience, operating CCTV that captures public space, or processing for any employment-related purpose takes the activity outside the exemption even when conducted by a natural person from their home.
Illustrative applications:
- A personal address book, private diary, or family photo album stored on a home device falls within the exception.
- Publishing names, photographs, or contact details on a publicly accessible website or social-media platform does not qualify — the moment the data becomes accessible beyond a purely personal circle, the controller is subject to FADP.
- An individual running a small business from home (Etsy shop, freelance consulting) processing customer or supplier data is not exempt — the commercial nexus removes the activity from "purely personal" scope.
- A home security camera that records only the interior of one's own dwelling may be exempt; a camera capturing a public sidewalk, neighbor's property, or shared apartment-building corridor is not exempt under Article 2(1), because it affects third parties' personality rights in a manner that is no longer "purely personal."
The FDPIC has not published a consolidated guideline on the Article 2(1) boundary as of May 2026, but the Federal Office of Justice's explanatory report (Botschaft BBl 2017 6941) and the FDPIC's sector-specific guidance (e.g., on clubs, associations, and CCTV) confirm that the exception is construed narrowly and in line with CJEU / EDPB interpretation of equivalent GDPR language.
## Federal-body exclusions under Article 2(2)
Article 2(2) FADP excludes three categories of federal-body processing from FDPIC supervision (though the processing remains governed by the substantive FADP data-protection principles under Chapter 6, Articles 33–42):
a) Processing by the Federal Assembly (Bundesversammlung / Assemblée fédérale) — the Swiss bicameral legislature — and its parliamentary services, when the processing relates to legislative or parliamentary-oversight functions;
b) Processing by federal courts (Bundesgerichte / tribunaux fédéraux) and the Office of the Attorney General of Switzerland (Bundesanwaltschaft / Ministère public de la Confédération) when exercising judicial or prosecutorial functions. This carve-out mirrors GDPR Article 2(2)(d) and reflects the constitutional separation of powers: the FDPIC, an executive-branch supervisory authority, does not oversee judicial data processing in the administration of justice or criminal prosecution;
c) Processing by the Swiss Intelligence Service (Nachrichtendienst des Bundes, NDB / Service de renseignement de la Confédération, SRC) under the Federal Act on the Intelligence Service (Nachrichtendienstgesetz, NDG; SR 121). Intelligence processing is governed by the NDG's sui generis oversight regime (Independent Control Authority for Intelligence Activities, AB-ND) rather than the FADP's general framework.
These exclusions do not exempt the listed bodies from compliance with FADP's substantive rules (lawfulness, proportionality, data minimization, security under Articles 6–8 FADP); they exempt the processing from FDPIC supervisory jurisdiction under Articles 43–59. For example, a federal court processing litigant data must still comply with Article 6 FADP proportionality and Article 8 FADP security, but a data subject cannot lodge a complaint with the FDPIC — remedies lie instead with the court's own administrative oversight or, in case of personality-rights violation, civil courts under Articles 28–28l Swiss Civil Code.
## Cantonal and municipal bodies
Cantonal (state) and municipal (commune) public authorities are not federal bodies under Article 5(j) FADP and thus fall outside FADP's federal-body regime (Chapter 6). Instead, cantons have enacted their own data-protection acts, which generally mirror FADP structure but vary in detail. When a cantonal body processes personal data, the cantonal data-protection act and the cantonal data-protection commissioner have jurisdiction, not the FDPIC. The FADP applies to cantonal / municipal processing only when federal law explicitly extends it (e.g., in domains of federal administrative assistance or where a cantonal body acts as a federal contractor).
## Processing for national-security or criminal-law-enforcement purposes
Processing by private controllers (companies, NGOs, individuals) for their own national-security or law-enforcement purposes is not exempt under Article 2 FADP (contrast GDPR Article 2(2)(d), which exempts competent public authorities). A private security firm, corporate investigations unit, or private individual conducting surveillance remains subject to FADP in full — the exemption under Article 2(2)(b) covers only federal judicial and prosecutorial bodies, not private-sector processing even when cooperating with law enforcement. If a private controller processes data on behalf of a federal law-enforcement agency under a contractual processor relationship, the processing is governed by FADP Chapter 6 (federal-body rules), not exempted.
- Source: Federal Act on Data Protection (FADP), SR 235.1, Article 2
- Source: Federal Office of Justice — Explanatory Report (Botschaft) BBl 2017 6941
- Source: FDPIC — Data protection in clubs and associations
# Controller vs. processor definitions — Article 5 FADP and the "determines the purpose and means" test
Article 5 FADP (SR 235.1) defines the two principal roles that drive the entire data-protection compliance obligation set under the revised Federal Act on Data Protection, in force since September 1, 2023.
## Controller (Verantwortlicher / responsable du traitement)
Article 5(j) FADP defines a controller as "the private person or federal body that, alone or jointly with others, determines the purpose and means of processing" (die natürliche oder juristische Person oder das Bundesorgan, die bzw. das allein oder gemeinsam mit anderen über den Zweck und die Mittel der Bearbeitung entscheidet / la personne physique ou morale ou l'organe fédéral qui, seul ou conjointement avec d'autres, détermine les finalités et les moyens du traitement).
This is the threshold classification question for FADP compliance. The controller is the entity that decides:
- Why the data is being processed (the purpose — e.g., to fulfill a customer contract, to conduct employee performance evaluations, to train a machine-learning model); and
- How the data is being processed (the means — which data fields are collected, how long data is retained, which security measures are applied, whether the data is disclosed to third parties and under what conditions).
Both private persons (natural persons, companies, foundations, associations) and federal bodies (Bundesorgane / organes fédéraux, defined in Art. 5(k) FADP as federal administrative units and other persons or bodies charged by federal law to perform public-law tasks) can be controllers. The definition is technology-neutral and applies regardless of the processing method — manual file systems, cloud SaaS platforms, on-premise databases, and AI-supported processing all fall within scope if they involve personal data of natural persons (Art. 5(a), (c) FADP).
The controller bears primary responsibility for compliance with FADP's substantive obligations: lawfulness (Art. 6 FADP), data minimization and proportionality (Art. 6(2)–(3)), accuracy (Art. 6(5)), security (Art. 8), transparency and data-subject information (Art. 19), breach notification to the FDPIC when a breach creates high risk (Art. 24), and maintaining a record of processing activities (ROPA, Art. 12 FADP).
## Processor (Auftragsbearbeiter / sous-traitant)
Article 5(l) FADP defines a processor as "the private person or federal body that processes personal data on behalf of the controller" (die natürliche oder juristische Person oder das Bundesorgan, die bzw. das im Auftrag des Verantwortlichen Personendaten bearbeitet / la personne physique ou morale ou l'organe fédéral qui traite des données personnelles pour le compte du responsable du traitement).
The processor is an agent or service provider acting on the controller's instructions. Typical processor relationships under Swiss law include:
- Cloud hosting providers (AWS, Microsoft Azure, Google Cloud) storing controller data;
- Payroll-outsourcing firms processing employee data on behalf of an employer-controller;
- Marketing agencies running email campaigns with customer lists provided by the controller;
- IT support companies maintaining the controller's databases;
- Call centers handling customer-service requests on behalf of the controller.
The processor does not determine the purpose or essential means of processing. If a processor begins to determine why data is being processed (e.g., a marketing agency decides on its own initiative to use the controller's customer list for a separate campaign), the processor becomes a controller for that new purpose and must satisfy an independent lawful basis under Article 6 FADP.
## Controller obligations when engaging processors — Article 9 FADP
Article 9 FADP imposes contractual and supervisory duties on controllers who engage processors. The controller must ensure and satisfy itself (durch vertragliche Vereinbarungen sicherstellen und sich davon überzeugen / veiller contractuellement et s'assurer) that:
- The processor processes data only in the manner permitted to the controller itself — i.e., the processor acts solely on the controller's instructions, respects the same substantive FADP obligations (legality, proportionality, accuracy, security), and does not process the data for the processor's own purposes;
- No duties of confidentiality are breached — if the data is subject to statutory or contractual secrecy (e.g., medical data under cantonal health-professional secrecy statutes, attorney-client data, banking secrecy under Art. 47 Banking Act), the outsourcing arrangement must preserve those protections;
- The controller remains able to meet its obligations toward the FDPIC and data subjects — the controller must retain the ability to respond to data-subject access requests (Art. 25 FADP), rectify or erase data on request (Art. 32 FADP), and notify the FDPIC of breaches under Article 24 FADP. The processor must cooperate with the controller in fulfilling these obligations (e.g., by promptly reporting any data security incidents to the controller so the controller can assess the Article 24 notification trigger).
The Article 9 FADP contract is mandatory. The FDPIC's guidance on outsourcing emphasizes that the controller bears vicarious liability for processor violations by analogy to Article 55 Swiss Code of Obligations (employer liability for employee acts). The controller must select the processor with care, provide clear instructions, and monitor the processor's compliance where necessary. If the processor sub-contracts processing to a sub-processor, the controller must ensure equivalent safeguards apply; processors commonly obtain the controller's prior written consent for any sub-processor appointment and flow down the Article 9 FADP contractual obligations.
## Cross-border outsourcing: processors in non-adequate countries
When a processor is located in a country without an adequate level of data protection (i.e., not listed in Annex 1 to the Data Protection Ordinance, SR 235.11), the outsourcing becomes a cross-border disclosure governed by Article 16 FADP. The controller must implement one of the Article 16(2) transfer mechanisms — most commonly, standard data protection clauses (Art. 16(2)(d) FADP, using the FDPIC-recognized EU SCCs or CoE Model Contractual Clauses with Swiss-law adaptations) or data protection clauses in the specific contract (Art. 16(2)(b) FADP, notified to the FDPIC before the data is disclosed). The Article 9 FADP processor contract and the Article 16 FADP cross-border-transfer clauses are typically combined into a single data-processing agreement (DPA) that governs both the processor's instructions and the adequacy safeguards.
## Joint controllers
The Article 5(j) FADP controller definition explicitly allows for joint determination of purpose and means ("alone or jointly with others"). When two or more entities jointly determine the purpose and essential means of a processing activity, they are joint controllers (gemeinsam Verantwortliche / responsables conjoints du traitement, a concept recognized by analogy to GDPR Article 26 though not separately defined in FADP statute). Joint controllers remain individually and jointly liable for FADP compliance unless they have contractually allocated responsibilities in a manner transparent to data subjects. The FDPIC has not published consolidated guidance on joint-controller arrangements as of June 2026, but Swiss legal commentary applies EDPB Guidelines 07/2020 on the concepts of controller and processor by analogy when FADP's statutory text mirrors GDPR.
## Processors must not process for their own purposes
In principle, processors must not process personal data for their own purposes. The FDPIC's outsourcing guidance (edoeb.admin.ch) states this rule explicitly. If a processor does process the data for its own purpose — for example, a cloud-analytics provider uses the controller's data to improve its own recommendation algorithms, or a payroll vendor uses salary data to benchmark industry compensation — the processor becomes a controller for that secondary purpose and must be able to claim its own lawful basis under Article 6 FADP (e.g., consent from the data subjects, or a legitimate interest if the Article 6(2) proportionality test is met). The processor cannot rely on the original controller's lawful basis; the purposes are distinct and the processor is now determining its own "why."
- Source: Federal Act on Data Protection (FADP), SR 235.1, Articles 5, 9
- Source: FDPIC — Outsourcing of data processing
# Sensitive personal data definition — Article 5(c) FADP and the seven statutory categories
Article 5(c) FADP (SR 235.1) defines sensitive personal data (besonders schützenswerte Personendaten / données personnelles sensibles) as a statutory classification that triggers heightened compliance obligations throughout the Federal Act on Data Protection, in force since September 1, 2023. The definition is exhaustive: only the seven enumerated categories qualify as sensitive personal data; controllers and the FDPIC may not expand the list by analogy or by reference to subjective harm.
## The seven categories under Article 5(c) FADP
Article 5(c) FADP lists seven types of personal data as sensitive:
1. Data on religious, philosophical, political, or trade-union beliefs or activities (Daten über religiöse, weltanschauliche, politische oder gewerkschaftliche Ansichten oder Tätigkeiten / données sur les opinions ou les activités religieuses, philosophiques, politiques ou syndicales): This category captures not only a data subject's formal membership in a religious congregation, political party, or labor union, but also expressions of belief (social-media posts endorsing a political candidate, participation in a protest march, attendance at a church service) and activities undertaken in furtherance of those beliefs (volunteer work for a political campaign, union organizing, publication of philosophical essays). A controller processing donor lists for a political party, employee union-membership records, or website analytics showing visitors to a religious organization's pages is processing sensitive personal data under this prong.
2. Data concerning health (Daten über die Gesundheit / données sur la santé): Health data includes any information relating to the physical or mental health of a natural person, whether past, present, or future. Medical diagnoses, prescriptions, therapy notes, hospital admission records, health-insurance claims, sick-leave certificates, and fitness-tracker logs recording heart rate, sleep patterns, or step counts all fall within this category. The FDPIC's guidance on data processing by employers confirms that an employer processing an employee's sick-leave certificate or medical fitness-for-work assessment is handling sensitive personal data and must comply with the heightened obligations under Articles 6(7), 19(4), and 31(2)(h) FADP.
3. Data on the intimate sphere (Daten über die Intimsphäre / données concernant la sphère intime): This category, carried forward from the 1992 FADP, protects data relating to a person's sexual life, intimate relationships, and other aspects of personal life that Swiss personality-rights doctrine (Articles 28–28l Swiss Civil Code) accords the highest degree of protection. Sexual orientation, intimate-partner relationships, sexual-health history, and private communications of a highly personal nature qualify. The "intimate sphere" is construed narrowly—routine personal preferences or hobbies do not qualify unless they touch on sexuality, family relationships of a deeply private character, or other zones that Swiss legal doctrine treats as the core of personality.
4. Data on racial or ethnic origin (Daten über die rassische oder ethnische Herkunft / données sur l'origine raciale ou ethnique): This category encompasses data revealing a data subject's race or ethnicity, whether self-reported (a census form, an equal-opportunity monitoring questionnaire) or inferred from other data (a photograph, a name suggestive of a particular ethnic background, biometric facial-analysis data purporting to classify race). Controllers must take particular care: collecting photographs or names does not automatically make the data "sensitive" under this prong unless the controller actually processes the photograph or name for the purpose of determining or recording racial or ethnic origin. A passport photo in an HR file is not per se sensitive data on racial origin unless the employer uses facial-analysis software to infer ethnicity for workforce-diversity reporting.
5. Genetic data (genetische Daten / données génétiques): Added by the revised FADP, genetic data is defined by analogy to GDPR Article 4(13) and includes personal data relating to the inherited or acquired genetic characteristics of a natural person that give unique information about the physiology or health of that person. DNA sequences, genetic test results (ancestry tests, carrier screening, pharmacogenomic profiles), and whole-genome or exome sequencing data are sensitive personal data under Article 5(c) FADP. The Federal Office of Justice's explanatory report (Botschaft BBl 2017 6941) and the FDPIC's 2023 guidance confirm that the inclusion of genetic data aligns Swiss law with the GDPR and Convention 108+, reflecting the unique and immutable nature of genetic information and the heightened risk of discrimination if such data is misused.
6. Biometric data uniquely identifying a natural person (biometrische Daten, die eine natürliche Person eindeutig identifizieren / données biométriques identifiant une personne physique de manière univoque): Also added by the revised FADP, biometric data qualifying as sensitive must meet two conditions: (a) it must be biometric (derived from specific technical processing of data relating to the physical, physiological, or behavioral characteristics of a natural person), and (b) it must uniquely identify that person. Fingerprints, iris scans, facial-recognition templates (faceprints), voiceprints, vein-pattern scans, and gait-analysis data used for authentication or identification are sensitive personal data. A photograph alone is not biometric data under Article 5(c) unless it has been processed (e.g., converted into a facial-recognition embedding or template) to enable unique identification. The FDPIC's guidance on biometric access-control systems emphasizes that once an employer extracts a fingerprint template or facial embedding from an employee photograph, the template is sensitive biometric data and triggers the Article 31(2)(h) FADP requirement for express consent (or another lawful basis under Article 31) before processing.
7. Data on administrative or criminal proceedings and sanctions (Daten über verwaltungsrechtliche oder strafrechtliche Verfolgungen und Sanktionen / données relatives aux poursuites et sanctions administratives ou pénales): This category captures data revealing that a person is or was the subject of administrative enforcement or criminal proceedings, including arrest records, indictments, court judgments (whether conviction or acquittal), administrative fines, criminal sanctions, and entries in debt-collection (Betreibung) or bankruptcy registers. An employer requesting a criminal-records extract (Strafregisterauszug) or a debt-collection register extract (Betreibungsregisterauszug) from a job applicant is processing sensitive personal data and must satisfy the Article 31(2) lawful-basis test and provide the heightened transparency notice required by Article 19(4) FADP. Swiss legal doctrine and the FDPIC's employer guidance confirm that even spent convictions or acquittals remain sensitive data on criminal proceedings under this prong, because the definition turns on the existence of proceedings or sanctions, not on the outcome or current legal effect.
## Consequences of the "sensitive" classification
Sensitive personal data triggers heightened obligations throughout FADP:
- Express consent requirement for private controllers under Article 31(2)(h) FADP: disclosure of sensitive personal data to another controller (a third party, not a processor) is lawful only if the data subject has given express consent (ausdrückliche Einwilligung / consentement exprès), or one of the other limited bases in Article 31(2) FADP applies (statute, vital interests, data made manifestly public by the data subject and not prohibited from processing, or necessary for the establishment, exercise, or defense of legal claims). Express consent requires an affirmative act—pre-ticked checkboxes, silence, or implied consent do not suffice.
- Heightened proportionality scrutiny under Article 6(7) FADP: processing sensitive personal data or personality profiles creates a rebuttable presumption that the processing involves a high risk of violation of personality rights, shifting the burden to the controller to demonstrate that the processing is proportionate, necessary, and adequately safeguarded.
- Enhanced information duties under Article 19(4) FADP: when collecting sensitive personal data, the controller must provide additional information beyond the baseline Article 19(2) requirements, including the legal basis (consent, statute, vital interests, etc.) relied upon for processing the sensitive data. The FDPIC's guidance specifies that this information must be given at the time of collection and must be precise enough for the data subject to understand which sensitive category is engaged and on what legal footing.
- DPIA triggers under Article 22(2)(a) FADP: large-scale processing of sensitive personal data is one of two statutory examples that presumptively require a data protection impact assessment (Datenschutz-Folgenabschätzung, DSFA / analyse d'impact relative à la protection des données, AIPD). Controllers processing employee health records for a workforce of hundreds, genetic data for a research biobank, or biometric access-control data for a large office building must conduct a DPIA before the processing begins if the processing is likely to result in a high risk to personality or fundamental rights (Article 22(1) FADP).
- Record-of-processing-activities (ROPA) exception narrowed under Article 12(2)(c) FADP: small organizations (fewer than 250 employees) whose processing presents only a low risk to personality rights are generally exempt from the Article 12 ROPA obligation—except if they process a large volume of sensitive personal data or carry out high-risk profiling. A 50-employee medical clinic processing patient health records must maintain a ROPA even though it qualifies for the small-organization exemption; processing health data is sensitive, and even moderate volumes can constitute "large-scale" for purposes of Article 12(2)(c).
## What is not sensitive personal data
The Article 5(c) FADP definition is exhaustive. Personal data that do not fall within one of the seven enumerated categories are not sensitive personal data under FADP, even if the data are highly personal, confidential, or capable of causing harm if disclosed. Examples:
- Financial data (salary, bank-account numbers, credit scores, tax returns) are not sensitive personal data under Article 5(c) unless they also reveal health (a health-insurance claim amount), criminal sanctions (a fine recorded in a debt-collection register), or another enumerated category.
- Location data (GPS tracks, travel history) are not sensitive unless the location itself reveals sensitive information (repeated visits to a cancer clinic, attendance at a political rally).
- Children's data receive heightened protection under Swiss law by virtue of the data subject's age and vulnerability, but there is no separate "children's data" category in Article 5(c). Processing a child's photograph or school records is subject to the general Article 6 FADP proportionality and lawfulness principles and may require parental consent under Swiss civil law, but the data are not automatically "sensitive" unless they fall within one of the seven categories (e.g., health data from a school nurse's file, or a child's religious affiliation).
- Pseudonymized or anonymized data: Once personal data are irreversibly anonymized (Article 5(g) FADP—no longer relating to an identified or identifiable person using reasonable means), they fall outside FADP scope entirely and are not sensitive data. Pseudonymized data (reversibly de-identified) remain personal data and can be sensitive if the underlying category (health, biometric, genetic, etc.) applies.
## Relationship to GDPR Article 9 special categories
The Article 5(c) FADP list closely parallels GDPR Article 9(1) special-category data, with minor differences:
- FADP includes "data on the intimate sphere" as a seventh category; GDPR does not have an equivalent explicit category, though data concerning sex life or sexual orientation are special categories under GDPR Article 9(1).
- FADP's "data on administrative or criminal proceedings and sanctions" is broader than GDPR Article 10 (criminal-conviction data), which is treated separately from Article 9 special categories and subject to a distinct regime under GDPR.
- FADP does not separately enumerate "data concerning sex life or sexual orientation"; such data fall under the "intimate sphere" category in Swiss law.
Controllers subject to both GDPR and FADP should treat the union of GDPR Article 9 special categories and FADP Article 5(c) sensitive categories as requiring heightened safeguards for cross-border compliance.
Source: Federal Act on Data Protection (FADP), SR 235.1, Article 5
Source: Federal Office of Justice — New Data Protection Legislation
Source: FDPIC — Data protection in clubs and associations
Source: Swiss Federal SME Portal — New Federal Act on Data Protection
Profiling and personality profile definitions — Article 5(f)–(g) FADP and the high-risk profiling trigger
Article 5 FADP (SR 235.1) introduces two interconnected definitions central to Swiss data-protection compliance: profiling (Art. 5(f)) and personality profile (formerly a separate statutory category in the 1992 FADP, now embedded within the high-risk profiling concept under Art. 5(g)). These definitions trigger heightened obligations throughout the Federal Act on Data Protection, in force since September 1, 2023, including express-consent requirements, data-protection impact-assessment (DPIA) thresholds, and enhanced transparency duties.
## Profiling — Article 5(f) FADP
Article 5(f) FADP defines profiling (Profiling / profilage) as:
> "Any automated processing of personal data consisting in the use of such data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to the performance of work, economic situation, health, personal preferences, interests, reliability, behaviour, whereabouts or movements of that natural person."
This definition mirrors GDPR Article 4(4) and introduces a concept absent from the 1992 FADP. Four elements must be present:
1. Automated processing
Profiling requires automated data processing—algorithms, machine-learning models, or rule-based decision engines that operate without continuous human intervention. Manual analysis of data to draw inferences about a person is not profiling under Article 5(f). The FDPIC's guidance on cookies and tracking (October 2025) confirms that profiling assumes automated evaluation; purely human judgment falls outside the statutory definition even when the human analyst processes large volumes of data.
2. Use of personal data
The automated processing must use personal data—information relating to an identified or identifiable natural person (Art. 5(a) FADP). Profiling of anonymized data (irreversibly de-identified under Art. 5(g) FADP) falls outside FADP scope entirely. Pseudonymized data (reversibly de-identified) remain personal data and can be the basis for profiling if the controller retains the means to re-identify the data subject.
3. Purpose: evaluation of personal aspects
The automated processing must be for the purpose of evaluating (zum Bewerten / d'évaluer) certain personal aspects. Mere data aggregation, statistical analysis of populations without individual-level inferences, or automated sorting by demographic category is not profiling unless the controller uses the output to evaluate or characterize an individual person. The FDPIC's guidance emphasizes that the purpose is decisive—tracking website visits becomes profiling when the controller uses the browsing history to evaluate the user's preferences or interests, not when the controller uses the data solely for aggregate analytics (e.g., total page views, geographic distribution of visitors).
4. Subject matter: work performance, economic situation, health, preferences, reliability, behaviour, location, or movement
The statutory list is illustrative (in particular / insbesondere / notamment). Any automated evaluation of a personal aspect falls within profiling if the purpose is to analyse or predict characteristics of the data subject. Examples explicitly named in Article 5(f):
- Work performance (Arbeitsleistung / performance de travail): employee productivity scoring, automated performance reviews, AI-assisted hiring systems that rank candidates by predicted job-performance metrics.
- Economic situation (wirtschaftliche Lage / situation économique): credit scoring, income estimation, wealth profiling, automated lending decisions.
- Health (Gesundheit / santé): fitness-tracker analysis, symptom checkers, AI-based diagnostic tools, genetic-risk prediction.
- Personal preferences (persönliche Vorlieben / préférences personnelles): recommendation engines (Netflix, Spotify, e-commerce product suggestions), targeted advertising based on inferred interests.
- Interests (Interessen / centres d'intérêt): similar to preferences—what topics, products, or activities the person is likely to engage with.
- Reliability (Zuverlässigkeit / fiabilité): creditworthiness, fraud-risk scoring, employment background-check automation, tenant screening.
- Behaviour (Verhalten / comportement): social-media activity analysis, in-app user-engagement scoring, customer churn prediction.
- Whereabouts or movements (Aufenthaltsort oder Ortswechsel / lieu de séjour ou déplacements): GPS tracking, location-based advertising, travel-pattern analysis, geofencing applications.
Swiss legal commentary and the FDPIC's cookies guidance confirm that web tracking and behavioral advertising that personalizes content to individual users is profiling under Article 5(f) when the controller uses browsing data to evaluate the user's preferences, interests, or purchasing propensity.
## Personality profile / high-risk profiling — Article 5(g) FADP
Article 5(g) FADP defines high-risk profiling (Profiling mit hohem Risiko / profilage à risque élevé) as:
> "Profiling that involves a high risk to the personality or fundamental rights of the data subject, by creating a link between data which allows an assessment of substantial aspects of the personality of a natural person."
This is a qualified form of profiling—a subset of Article 5(f) profiling that meets two additional criteria:
1. Linkage of data (Verknüpfung von Daten / liaison de données)
The profiling must combine or link data from multiple sources, fields, or processing contexts. Single-purpose profiling using only one narrow data category (e.g., a fitness app scoring daily step counts from a single tracker, with no other data) is less likely to qualify as high-risk profiling. High-risk profiling typically involves cross-context data linkage: combining browsing history with geolocation data and purchase records to infer lifestyle, political views, or health conditions; merging employee performance metrics with biometric access logs and email metadata to assess reliability; linking genetic data, medical claims, and social-media activity to predict future health risks.
The FDPIC's cookies guidance (October 2025) states that geolocation tracking can become high-risk profiling "if the collected data alone or in combination with other data and data sources are used to generate precise profiles of the user's movements that allow inferences to be made about key aspects of the user's personality"—for example, inferring religious beliefs from repeated mosque or church visits, political affiliation from attendance at rallies, or sexual orientation from visits to specific venues.
2. Assessment of substantial / essential aspects of personality (wesentliche Aspekte der Persönlichkeit / aspects essentiels de la personnalité)
The profiling must permit an assessment of essential or substantial characteristics of the data subject's personality. The Article 5(g) threshold is deliberately high. Swiss legal commentary and the Federal Office of Justice's explanatory report (Botschaft BBl 2017 6941) confirm that high-risk profiling is the successor concept to the 1992 FADP's personality profile (Persönlichkeitsprofil / profil de la personnalité), which the revised Act does not separately define but embeds within Article 5(g).
Essential aspects of personality include:
- A person's core values, beliefs, or convictions (religious faith, political ideology, philosophical worldview).
- A person's intimate sphere (sexual orientation, intimate relationships, deeply personal life choices).
- A person's overall health status or life expectancy, particularly when combining medical, genetic, and lifestyle data.
- A person's character or psychological profile (trustworthiness, emotional stability, propensity for specific behaviors across life domains).
The FDPIC's guidance on clubs and associations (edoeb.admin.ch) states that high-risk profiling "links data in such a way that key aspects of a person can be assessed"—providing a complete or comprehensive picture rather than a narrow, single-purpose evaluation. Profiling that remains limited to a specific transactional context (a one-off credit check for a loan application using only income and debt data, a targeted ad based on a single product search) does not automatically constitute high-risk profiling unless the data linkage is broad enough to reveal essential personality traits.
## Consequences of profiling vs. high-risk profiling
Swiss law distinguishes the compliance obligations triggered by ordinary profiling (Art. 5(f)) and high-risk profiling (Art. 5(g)):
For any profiling (Art. 5(f)):
- Federal bodies (not private controllers) conducting profiling must obtain express consent under Article 34(2)(e) FADP unless another lawful basis under Article 34(2) applies (statute, vital interests, data made manifestly public by the data subject, or necessary for legal claims). This requirement applies to all profiling by federal bodies, regardless of risk level.
- Automated individual decision-making (Art. 21 FADP): when profiling is used to make an automated individual decision (a decision generated by automated processing without human intervention that produces legal effects or similarly significantly affects the data subject), the controller must inform the data subject, allow them to express their point of view, and permit them to request human review—unless the decision directly implements a contract the data subject requested and their request is granted, or the data subject gave explicit consent to automation.
- Record of processing activities (ROPA) and processing regulations (Art. 12 FADP, Art. 5–6 Data Protection Ordinance): profiling must be documented in the ROPA and, for federal bodies conducting profiling, requires written processing regulations under Art. 6 DPO.
For high-risk profiling (Art. 5(g)):
All the above obligations apply, plus:
- Express consent requirement for private controllers in disclosure/credit contexts under Article 31(2)(c) FADP: when a private controller (e.g., a credit agency) processes personal data to verify creditworthiness and discloses the data to a third party, the disclosure is lawful only if the third party needs the data to conclude or perform a contract and the data do not include high-risk profiling—unless the data subject has given express consent (ausdrückliche Einwilligung / consentement exprès). In other words, credit agencies and debt-collection agencies may not disclose high-risk profiling data to third parties without express consent from the data subject, even when the disclosure is otherwise justified by the third party's legitimate interest in assessing creditworthiness.
- ROPA obligation despite small-organization exemption under Article 12(2)(c) FADP: organizations with fewer than 250 employees whose processing presents only a low risk to personality rights are generally exempt from maintaining a ROPA—except when they carry out high-risk profiling. A 50-person marketing agency that builds comprehensive behavioral profiles linking social-media activity, location data, and purchase history to infer political views or health conditions must maintain a ROPA even though it qualifies for the small-organization exemption by employee count.
- Data protection impact assessment (DPIA) trigger under Article 22(2) FADP: large-scale processing of sensitive personal data and systematic large-scale surveillance of public areas are the two explicit statutory examples of processing likely to result in a high risk requiring a DPIA. The FDPIC's DPIA factsheet (edoeb.admin.ch) confirms that high-risk profiling within the meaning of Article 5(g)—whether large-scale or not—is a well-known risk factor under the Article 22(2) multi-factor assessment (nature, extent, circumstances, purpose). Controllers conducting high-risk profiling should carry out a DPIA "in case of doubt."
- Processing regulations requirement under Article 5 Data Protection Ordinance: private controllers and processors must draw up written processing regulations (Bearbeitungsreglement / règlement relatif au traitement) for automated processing operations if they process sensitive personal data on a large scale or carry out high-risk profiling. The regulations must document the processing purpose, data categories, recipients, retention periods, security measures, and compliance with FADP principles.
## What is not high-risk profiling
The Article 5(g) threshold is narrow. Many common profiling activities remain ordinary profiling under Article 5(f) and do not trigger the heightened obligations:
- Single-purpose recommendation engines that personalize content based on browsing or purchase history within a single platform (Netflix movie recommendations, Amazon product suggestions) typically do not cross the Article 5(g) threshold unless the controller links data across unrelated contexts (browsing history + geolocation + health data) to infer essential personality traits.
- Credit scoring using only income, debt, and payment-history data for a specific lending decision is profiling under Article 5(f) and must be disclosed under Article 19 FADP, but it is not high-risk profiling under Article 5(g) unless the controller links additional data sources (social-media activity, biometric data, detailed location tracking) to create a comprehensive personality assessment.
- Employee performance metrics limited to objective work output (sales figures, project completion rates, attendance records) are profiling under Article 5(f) but do not automatically become high-risk profiling unless the employer links the data with biometric monitoring, email content analysis, or off-duty behavior tracking to assess essential aspects of the employee's character or personality.
- Non-automated profiling: human analysts drawing conclusions about individuals by manually reviewing data do not engage in profiling under Article 5(f) or Article 5(g), because the statutory definition requires automated processing. If a human underwriter manually reviews a loan application and forms a judgment about the applicant's reliability, that judgment is not profiling under FADP (though it remains subject to the general Article 6 FADP principles of lawfulness, proportionality, and transparency).
## Relationship to GDPR
The Article 5(f) FADP profiling definition is identical to GDPR Article 4(4). The Article 5(g) high-risk profiling concept, however, is a Swiss peculiarity without a direct GDPR equivalent. The GDPR does not separately define "high-risk profiling"; instead, GDPR Article 22 restricts automated individual decision-making (including profiling-based decisions) that produces legal or similarly significant effects, and GDPR Article 35 DPIA triggers include "systematic and extensive evaluation of personal aspects … based on automated processing, including profiling."
Swiss legal commentary notes that high-risk profiling under Article 5(g) FADP corresponds functionally to the former personality profile concept in the 1992 FADP (Persönlichkeitsprofil), which had no GDPR parallel. Controllers subject to both GDPR and FADP must assess profiling activities under both regimes: GDPR focuses on whether profiling supports an automated decision with legal or similarly significant effect (Art. 22 GDPR) or involves special-category data (Art. 9 GDPR); FADP focuses on whether the data linkage permits assessment of essential personality aspects (Art. 5(g) FADP).
## Practical application: when does tracking become high-risk profiling?
The FDPIC's cookies guidance (October 2025) provides the clearest published application of the Article 5(g) threshold:
- Geolocation tracking can be high-risk profiling if the controller collects location data over an extended period and uses it—alone or combined with other data—to generate precise movement profiles that allow inferences about key aspects of the user's personality: repeated visits to medical facilities suggesting chronic illness, mosque attendance suggesting religious belief, political-rally attendance suggesting political affiliation, visits to LGBTQ+ venues suggesting sexual orientation. The guidance notes that "practice shows that this result can also be achieved by combining imprecise location data"—even coarse-grained location (cell-tower triangulation, Wi-Fi SSID proximity) can reveal essential personality aspects when aggregated over time and linked with other data.
- Behavioral advertising and tracking cookies: controllers must assume high-risk profiling if a large volume of diverse data is collected and linked across contexts. Publishing a user profile for targeted advertising becomes high-risk profiling when the profile combines browsing history, search queries, social-media activity, purchase records, and location data to infer political views, health conditions, sexual orientation, or other essential personality traits.
The FDPIC emphasizes that the volume, diversity, and linkage of data are decisive, not merely the sensitivity of individual data points. Even non-sensitive data (website visits, product searches, app-usage times) can support high-risk profiling when linked comprehensively enough to reveal a complete picture of the person's values, beliefs, health, or intimate life.
Source: Federal Act on Data Protection (FADP), SR 235.1, Article 5
Source: FDPIC — Cookies and similar technologies (October 2025 guidance)
Source: FDPIC — Data protection in clubs and associations
Source: FDPIC — Data protection impact assessment factsheet
Representative obligation for foreign controllers — Article 14 FADP four-part test and FDPIC enforcement
Article 14 FADP (SR 235.1) imposes a mandatory representative appointment obligation on private controllers whose registered office or domicile is abroad when four cumulative statutory criteria are satisfied. This requirement mirrors GDPR Article 27's representative obligation but applies a narrower trigger: the FADP representative obligation captures only a subset of foreign controllers subject to FADP territorial scope under Article 3, filtering by processing characteristics (offering goods/services or monitoring behavior in Switzerland), scale (large-scale), regularity (systematic, not ad hoc), and risk (high risk to personality or fundamental rights).
The representative serves as the point of contact for data subjects and the domicile for service for FDPIC enforcement proceedings. Non-compliance exposes the foreign controller to an FDPIC ruling ordering appointment under Article 51(4) FADP and, if the controller intentionally fails to publish the representative's identity as required by Article 14(3) FADP, potential criminal liability under Article 60 FADP for breach of the duty to provide information.
## The four cumulative criteria under Article 14(1) FADP
A private controller (natural person, company, foundation, association) not established in Switzerland must appoint a representative in Switzerland if all four of the following conditions are met:
1. Processing connected with offering goods or services to persons in Switzerland, or monitoring their behavior
The processing must be in connection with (im Zusammenhang mit / en lien avec) either:
- Offering goods or services (Angebot von Waren oder Dienstleistungen / offre de biens ou de services) to persons in Switzerland, regardless of whether payment is required. This limb covers e-commerce platforms shipping to Swiss addresses, SaaS providers with Swiss customers, mobile apps marketed to Swiss users, and free services (social media, search engines, news aggregators) that target Swiss data subjects. The FDPIC's guidance confirms that the offering need not be physically performed in Switzerland—a foreign controller operating entirely from abroad triggers this prong if it targets persons in Switzerland, using factors analogous to GDPR Article 3(2) targeting analysis (Swiss-franc pricing, .ch domain, German/French/Italian/Romansh language, Swiss contact details, advertising directed at Swiss audiences); or
- Monitoring the behavior of persons in Switzerland (Überwachung des Verhaltens von Personen in der Schweiz / surveillance du comportement de personnes en Suisse). This captures tracking, profiling, behavioral advertising, geolocation monitoring, and other processing that observes, analyzes, or predicts the actions, preferences, or movements of persons in Switzerland. The FDPIC's October 2025 cookies guidance confirms that web-tracking technologies (cookies, device fingerprinting, pixel tags) and location-tracking apps constitute "monitoring" when used to evaluate user behavior over time.
The "offering" or "monitoring" limb is disjunctive—satisfaction of either suffices for criterion 1. If a foreign controller offers services to Swiss persons and monitors their behavior, both prongs apply, but only one is legally necessary.
Processing that is merely incidental to Swiss persons—e.g., a foreign controller whose primary market is outside Switzerland but who occasionally receives an unsolicited inquiry from a Swiss person—does not satisfy the "in connection with" threshold unless the controller affirmatively targets or monitors Swiss data subjects.
2. Large-scale processing
The processing must be large-scale (umfangreich / à grande échelle). The FADP does not define "large-scale" numerically, and the FDPIC has not published bright-line thresholds as of June 2026. Swiss legal commentary and the FDPIC's DPIA factsheet (which uses the same "large-scale" threshold in Article 22(2)(a) FADP) apply a multi-factor assessment considering:
- Volume of data subjects: processing affecting thousands or tens of thousands of Swiss persons is presumptively large-scale; processing affecting fewer than 100 Swiss persons is presumptively not large-scale (though context matters).
- Volume of data records: comprehensive datasets (browsing histories, location tracks over months or years, detailed purchase records) weigh toward large-scale even if the number of data subjects is moderate.
- Geographic reach: a foreign controller processing data of persons across multiple Swiss cantons or nationwide is more likely to satisfy the large-scale threshold than one processing data of a single locality.
- Duration and persistence: one-off or short-term processing (a single marketing campaign, a time-limited event) is less likely to be large-scale than ongoing, continuous processing.
The FDPIC's representative guidance emphasizes that "large-scale" is assessed in aggregate across the controller's Swiss-related processing, not per processing activity. A foreign SaaS provider with 5,000 Swiss user accounts processes "large-scale" data even if each individual account holds only modest data.
3. Regular (systematic) processing
The processing must be regular (regelmässig / régulier), meaning systematic and not ad hoc. Occasional, sporadic, or one-off processing does not trigger Article 14. The FDPIC has not published detailed guidance on the regular/ad-hoc boundary, but Swiss legal commentary and the Federal Office of Justice's explanatory report (Botschaft BBl 2017 6941) align "regular" with GDPR Article 4(2) "systematic monitoring": processing that is planned, organized, and carried out as part of the controller's ongoing business model or operational routine.
Examples of regular processing:
- A foreign e-commerce platform that continuously accepts orders from Swiss customers and processes delivery, payment, and customer-service data.
- A foreign advertising-technology company that persistently tracks Swiss users across websites using cookies or device fingerprinting.
- A foreign cloud-software provider that hosts ongoing Swiss-customer data under SaaS contracts.
Examples of non-regular (ad hoc) processing that do not trigger Article 14:
- A foreign conference organizer who collects registration data from Swiss attendees for a single annual event and deletes the data afterward.
- A foreign law firm engaged by a Swiss client for a discrete matter, processing the client's data solely for that engagement with no ongoing relationship.
- A foreign market-research firm conducting a one-time survey of Swiss respondents with no plan for repeat data collection.
The "regular" criterion ensures that the representative obligation applies only to foreign controllers with sustained Swiss-market presence or ongoing Swiss data-subject relationships, not to transient or episodic processing.
4. High risk to personality or fundamental rights of data subjects
The processing must be likely to result in a high risk (voraussichtlich mit einem hohen Risiko für die Persönlichkeit oder die Grundrechte der betroffenen Personen verbunden ist / susceptible d'engendrer un risque élevé pour la personnalité ou les droits fondamentaux des personnes concernées) to the personality or fundamental rights of data subjects.
The FDPIC's representative guidance (edoeb.admin.ch, published 2023 and current as of June 2026) provides the most detailed published interpretation of this threshold and explicitly distinguishes the Article 14 "high risk" concept from the Article 22 DPIA "high risk" trigger:
- Article 14 high risk is assessed as "gross risk": the FDPIC considers the potential risk from all the controller's ongoing or planned data processing operations that affect Swiss data subjects, without taking into account mitigation measures the controller has implemented or intends to implement (e.g., encryption, pseudonymization, access controls, data minimization). This is an inherent-risk or worst-case assessment—what is the risk if the processing goes wrong, the data is misused, or security fails?—not a residual-risk assessment that credits the controller's safeguards.
- Aggregation across processing activities: the high-risk determination looks at the totality of the controller's Swiss-related processing, not each processing activity in isolation. A foreign social-media platform or advertising network processing millions of Swiss user profiles for behavioral targeting and profiling presumptively creates high gross risk even if individual user data points are not sensitive, because the linkage and scale of the processing permit comprehensive personality assessment (Article 5(g) FADP high-risk profiling).
Factors indicating high risk (FDPIC guidance and Swiss legal commentary):
- Processing sensitive personal data under Article 5(c) FADP (health data, biometric data uniquely identifying a person, genetic data, data on religious/political/trade-union beliefs, data on the intimate sphere, data on racial or ethnic origin, data on administrative or criminal proceedings) on a large scale.
- High-risk profiling under Article 5(g) FADP—linking data from multiple sources to assess substantial aspects of personality (political views, health status, sexual orientation, reliability, creditworthiness in a comprehensive sense).
- Large-scale behavioral monitoring or tracking that builds detailed user profiles (web-tracking across sites, persistent geolocation tracking, social-media activity analysis, connected-device data collection).
- Processing that could lead to discrimination, identity theft, financial loss, reputational damage, or loss of confidentiality for Swiss data subjects if the data is disclosed, misused, or breached.
- Processing involving vulnerable populations (children, patients, employees in subordinate relationships) where the imbalance of power or vulnerability magnifies the risk.
Contrast with Article 22 DPIA high risk: the Article 22 DPIA "high risk" is assessed after considering the controller's planned mitigation measures (the "residual risk" after implementing privacy-by-design, encryption, access controls, etc.). The Article 14 representative-obligation "high risk" is assessed before mitigation—the FDPIC asks "what is the inherent risk profile of this processing?" not "what is the residual risk after safeguards?"
If the four Article 14(1) criteria are all satisfied, the foreign controller must appoint a representative in Switzerland. The appointment is mandatory—there is no discretion, and consent of data subjects does not waive the obligation.
## The representative's role under Article 14(2) FADP
Article 14(2) FADP specifies that the representative serves as a point of contact (Anlaufstelle / point de contact) for:
1. Data subjects: Swiss data subjects exercising their rights under FADP (right of access under Article 25, right to rectification or erasure under Article 32, objection to processing, complaints about unlawful processing) may contact the representative. The representative does not replace the foreign controller's own obligations—data subjects may still contact the controller directly—but the representative must be reachable in Switzerland (Swiss postal address, Swiss phone number or email, office hours that permit timely response) and must facilitate communication between the data subject and the foreign controller.
2. The FDPIC: the representative's address is the domicile for service (Zustellungsdomizil / domicile de notification) for documents in FDPIC enforcement proceedings under Articles 49–59 FADP. If the FDPIC opens an investigation, issues a recommendation, or files a ruling request with the Federal Administrative Court concerning the foreign controller's Swiss-related processing, the FDPIC serves process on the representative. The representative must forward such communications to the foreign controller and ensure the controller responds within statutory deadlines.
Exception for legal representation: Article 14(2) FADP and the FDPIC's guidance (edoeb.admin.ch, citing BGE 143 III 28, E. 2.2.1) clarify that if the foreign controller is also represented by a lawyer in Switzerland in FDPIC proceedings, the lawyer's place of business is the domicile for service, not the Article 14 representative's address. In practice, many foreign controllers appoint a Swiss law firm to serve both roles—Article 14 representative and legal counsel—to streamline compliance.
The representative need not be the controller's data protection officer (DPO) under Article 10 FADP, though the same entity or person may hold both roles if they satisfy the respective statutory requirements.
## Publication requirement under Article 14(3) FADP
Article 14(3) FADP requires the foreign controller to publish the representative's name and address (Name und Adresse / nom et adresse). The FDPIC's representative guidance (edoeb.admin.ch) confirms that publication means:
- Including the representative's contact details in the privacy policy (Datenschutzerklärung / déclaration de protection des données) or privacy notice that the controller provides to Swiss data subjects under Article 19 FADP (duty to inform at the time of data collection).
- Making the information readily accessible on the controller's website, app, or other customer-facing materials—typically in the footer of the website or within a dedicated "Legal" / "Privacy" / "Imprint" section.
The publication must be sufficiently specific for a data subject to contact the representative: a full postal address in Switzerland, an email address, and/or a Swiss telephone number. A generic "contact us" web form with no Swiss address does not satisfy Article 14(3).
The foreign controller is not required to notify the FDPIC of the representative appointment (unlike the Article 10(3)–(4) FADP DPO notification, which is mandatory for certain controllers and optional for others). However, the FDPIC's representative guidance notes that foreign controllers may voluntarily notify the FDPIC via the FDPIC's online portal (for controllers who have already appointed a data protection advisor and wish to add a "Representative" designation) or via the FDPIC contact form. Voluntary notification creates a record and may facilitate FDPIC communication, but it is not a statutory obligation.
## FDPIC enforcement: ruling ordering appointment under Article 51(4) FADP
Article 51(4) FADP empowers the FDPIC to issue a ruling (eine Verfügung erlassen / rendre une décision) ordering a foreign controller to appoint a representative if the four Article 14(1) criteria are met and the controller has not complied. The FDPIC's representative guidance (edoeb.admin.ch) confirms that this enforcement mechanism is available within the framework of Article 51(4), which generally authorizes the FDPIC to issue rulings to enforce FADP obligations when recommendations under Article 51(1) FADP are not followed or when immediate action is necessary to protect data subjects.
The Article 51(4) ruling is a formal administrative act subject to appeal to the Federal Administrative Court under Article 53 FADP. If the foreign controller fails to comply with the ruling (does not appoint a representative within the deadline set by the FDPIC), the FDPIC may refer the matter to the Federal Administrative Court for a judicial order. Non-compliance with a final court order can result in enforcement measures under Swiss administrative law, including administrative fines or, in egregious cases, blocking orders or referral to cantonal criminal authorities if the controller's conduct also violates the criminal provisions of Articles 60–63 FADP.
## Criminal liability for failure to publish the representative under Article 60 FADP
Article 60 FADP criminalizes intentional violation of the duty to provide information to data subjects (Article 19 FADP), the duty to inform data subjects exercising access rights (Articles 25–27 FADP), and the duty to cooperate with the FDPIC (Article 49 FADP). If a foreign controller intentionally fails to publish the representative's name and address as required by Article 14(3) FADP—thereby depriving data subjects of the Article 19 FADP-mandated transparency—the controller (or, more precisely, the natural person acting on behalf of the controller in a managerial capacity, per Article 64 FADP) commits an offense punishable by fine under Article 60 FADP.
Swiss criminal-law doctrine and the FDPIC's enforcement guidance note that Article 60 FADP prosecutions are complaint-based and relatively rare, but the statutory exposure exists. In practice, the FDPIC's primary enforcement tool is the Article 51(4) administrative ruling ordering appointment, not criminal referral.
## Voluntary appointment and precautionary compliance
The FDPIC's representative guidance (edoeb.admin.ch) explicitly recognizes that foreign controllers who are not (yet) legally required to appoint a representative under the four-part Article 14(1) test may still appoint a representative voluntarily or as a precautionary measure. Voluntary appointment is advisable when:
- The controller's Swiss-related processing is near the thresholds for large-scale, regular, or high-risk processing (e.g., a growing SaaS startup with several hundred Swiss users who may soon cross into "large-scale" territory);
- The controller wishes to demonstrate good-faith compliance and facilitate data-subject access requests even when not strictly obligated;
- The controller operates in a sector under heightened FDPIC scrutiny (health technology, consumer tracking, social media, financial services) and prefers to appoint a representative proactively to avoid enforcement risk.
Voluntary representatives have the same Article 14(2) role (point of contact for data subjects and FDPIC domicile for service) as mandatory representatives. The foreign controller may use the FDPIC's online portal or contact form to notify the FDPIC of the voluntary appointment, though again, notification is optional, not required.
## Relationship to GDPR Article 27 representative obligation
The Article 14 FADP representative requirement closely parallels GDPR Article 27, with three notable differences:
- Narrower trigger: GDPR Article 27 applies to all non-EU controllers or processors who offer goods/services to or monitor EU data subjects, except for occasional processing unlikely to result in a risk, or processing by public authorities/bodies. FADP Article 14 applies only when all four criteria (offering/monitoring, large-scale, regular, high-risk) are met—thus FADP captures a smaller subset of foreign controllers than GDPR Article 27.
- "High risk" threshold: GDPR Article 27 has no high-risk threshold—it applies to all non-occasional processing regardless of risk level. FADP Article 14 requires high gross risk, filtering out lower-risk foreign processing from the representative obligation.
- Scope—processors vs. controllers: GDPR Article 27 applies to both controllers and processors not established in the EU. FADP Article 14 applies only to private controllers (Article 14(1) FADP: "private persons … whose registered office or domicile is abroad"); processors are not subject to the representative obligation. A foreign processor (e.g., a cloud-hosting provider in the US processing Swiss customer data on behalf of a Swiss controller) has no Article 14 FADP obligation—the Swiss controller remains responsible for ensuring compliance, but the foreign processor need not appoint a Swiss representative.
Controllers subject to both GDPR and FADP (e.g., a US company targeting both EU and Swiss data subjects) commonly appoint separate representatives—an EU-established GDPR Article 27 representative and a Switzerland-established FADP Article 14 representative—because the statutory mandates and enforcement authorities differ. Some multinational representative-service providers offer bundled EU + Swiss representative appointments to streamline cross-border compliance.
## Who may serve as representative?
Article 14 FADP does not specify qualifications for the representative beyond being in Switzerland (domiciled or with a registered office in Switzerland). The FDPIC's guidance and Swiss legal commentary confirm that the representative may be:
- A natural person resident in Switzerland;
- A legal person (company, foundation, association) with registered office in Switzerland;
- A Swiss law firm acting in a representative capacity (as noted above, if the law firm also represents the controller as legal counsel in FDPIC proceedings, the lawyer's place of business becomes the domicile for service);
- A specialized representative-service provider (commercial services offering GDPR Article 27 + FADP Article 14 representative appointments have emerged to serve foreign controllers with limited Swiss presence).
The representative need not be an employee of the foreign controller and need not have decision-making authority over the controller's data processing. The representative's role is facilitation and contact, not control—data-subject requests and FDPIC correspondence are forwarded to the foreign controller, who retains full responsibility for substantive compliance.
## Practical compliance steps for foreign controllers
Foreign controllers processing personal data of Swiss data subjects should:
1. Assess Article 3 FADP territorial applicability first: does the processing have effects in Switzerland under the effects doctrine? If yes, FADP applies in principle.
2. Apply the four-part Article 14(1) test: (a) Is the processing connected with offering goods/services to or monitoring Swiss persons? (b) Is the processing large-scale? (c) Is the processing regular (systematic, ongoing)? (d) Does the processing create high gross risk to personality or fundamental rights, assessed without crediting mitigation measures?
3. If all four criteria are satisfied: (a) Appoint a representative with a registered office or domicile in Switzerland; (b) Execute a representative agreement specifying the representative's duties (forwarding data-subject requests, serving as FDPIC domicile for service, maintaining contact details); (c) Publish the representative's name and full Swiss address in the privacy policy and on the website/app; (d) Optionally notify the FDPIC via the online portal or contact form.
4. If fewer than four criteria are satisfied but the controller wishes to appoint a representative voluntarily: follow steps 3(a)–(c) and notify the FDPIC that the appointment is precautionary.
5. Monitor for threshold changes: as the foreign controller's Swiss user base grows or processing activities expand, reassess the Article 14(1) criteria periodically (annually or upon material changes in processing). A controller who initially fell below the large-scale or high-risk thresholds may later trigger the obligation.
Source: Federal Act on Data Protection (FADP), SR 235.1, Article 14
Source: FDPIC — Obligation to appoint a representative under Article 14 FADP