nLPD (nFADP) comes into force : obligations and opportunities

Picture of Manon Garcia

Manon Garcia

The revised Data Protection Act (DPA) has been in force since September 1, 2023, with no transition phase. Its main objective is to protect the personality and fundamental rights of individuals, whose data is processed by private players or the authorities. The law demands maximum transparency, giving individuals greater control over their own information. It also encourages prevention and responsibility on the part of data processors, strengthening the supervision of data protection authorities and increasing legal sanctions.


What you need to know

  • Universal: All companies and private entities (e.g. associations), regardless of their size or activity, are covered.

  • Extraterritorial scope: Although primarily applicable in Switzerland, the DPA also covers activities abroad that influence Swiss territory.

  • Inspired by but distinct from the RGPD: While the DPA is largely inspired by the European RGPD, it retains certain singularities, sometimes less restrictive and sometimes stricter in other respects.

  • Direct sanctions: (Intentional) violations can result in fines of up to CHF 250,000, targeting the individuals responsible rather than the companies.

Compliance actions to take

  • Documentary environment: Formalize your data protection strategy and communicate it to your teams.
  • Appointment of a data protection advisor (not compulsory): Appoint a reference person responsible for ensuring the ongoing protection of personal data.

  • Register of processing operations (conditional): Draw up an inventory of the personal data you process as part of your business activities.

  • Ensure legal compliance of your processing operations: Carry out impact analyses for high-risk processing operations, ensure the security of your processors and keep data subjects informed.

  • Raising awareness: Involve your teams in data protection.

  • Individual rights: Inform data subjects of their individual rights, and put in place the tools and processes to respond to them.

  • Security: Ensure data confidentiality, integrity, availability and traceability through technical and organizational security measures.

  • Security breaches: Determine roles and responsibilities for managing and communicating security breaches.


Like its European neighbor, the revised Data Protection Act is designed to make companies more accountable for the personal data they process.

Although mandatory, compliance should be seen as an opportunity to gain maturity in your data governance by gaining an overview of the data you handle in your activities.

Transparency through information about your practices also represents an opportunity to consolidate the trust your customers and service providers place in you. Effective communication of the measures taken will undoubtedly give you a significant commercial advantage.

Where to start?

Depending on the size of your company and your business, the various actions to be taken are part of a more or less long-term plan.

The starting point, and the key to successful compliance, lies in identifying the processing of personal data: what data is the company responsible for? To whom have we entrusted it (processors, partners, etc.)? With a complete overview, the compliance actions mentioned above will be greatly facilitated.

Once you’ve identified your data processing needs, make sure you protect it effectively: both the data you possess/store yourself, and that is located outside your company (e.g. SaaS solutions).

Our partner Datago has a team combining legal, technical and corporate governance skills to help you achieve compliance.

Datago’s approach to compliance and the technical expertise of our Kyos teams form a proven partnership for your company’s successful compliance process.

More information on this subject?

We are at your disposal!