The data protection legislation has been completely revised in order to adapt to new technological and societal conditions and to the requirements of international law. It came into force on 1 September 2023.
1. What has happened so far
The first Federal Act on Data Protection (FADP) came into force on 19 June 1992. With technological and societal developments and increasing data protection threats, the Federal Council considered it necessary to strengthen the data protection legislation.
-
Federal Act of 19 June 1992 on Data Protection (FADP) (status as of 1 March 2019)
(FADP, CC 235.1)
-
Bericht des Bundesrates vom 9. Dezember 2011 über die Evaluation des Bundesgesetzes über den Datenschutz
(BBl 2012 335)
-
Rapport du Conseil fédéral du 9 décembre 2011 sur l'évaluation de la loi fédérale sur la protection des données
(FF 2012 255)
-
Rapporto del Consiglio federale del 9 dicembre 2011 concernente la valutazione della legge federale sulla protezione dei dati
(FF 2012 227)
(This document is not available in English)
An advisory group was set up to prepare a preliminary draft revision of the FADP. On 15 September 2017, the Federal Council adopted the draft new FADP and the related dispatch. The revised text aimed to better protect citizens' rights and to strengthen the economy by harmonising Swiss law with the protection standards of the EU and the Council of Europe, particularly with regard to the cross-border disclosure of personal data.
-
Entwurf zur Totalrevision des Bundesgesetzes über den Datenschutz und die Änderung weiterer Erlasse zum Datenschutz (siehe insbesondere den Anhang, S. 7206)
(BBl 2017 7193)
-
Projet de loi fédérale sur la révision totale de la loi fédérale sur la protection des données et sur la modification d’autres lois fédérales (voir spécialement l’annexe, p. 6815)
(FF 2017 6803)
-
Disegno della legge federale relativa alla revisione totale della legge federale sulla protezione dei dati e alla modifica di altri atti normativi sulla protezione dei dati (v. in particolare l’allegato, p. 6213)
(FF 2017 6173)
(This document is not available in English) -
Botschaft des Bundesrates vom 15. September 2017 zum Bundesgesetz über die Totalrevision des Bundesgesetzes über den Datenschutz und die Änderung weiterer Erlasse zum Datenschutz
(BBl 2017 6941)
-
Message du Conseil fédéral du 15 septembre 2017 concernant la loi fédérale sur la révision totale de la loi fédérale sur la protection des données et sur la modification d’autres lois fédérales
(FF 2017 6565)
-
Messaggio del Consiglio federale del 15 settembre 2017 concernente la legge federale relativa alla revisione totale della legge sulla protezione dei dati e alla modifica di altri atti normativi sulla protezione dei dati
(FF 2017 5939)
(This document is not available in English)
Parliament debated the draft and divided it in two. Initially, it decided only to adopt Directive (EU) 2016/680 (Development of the Schengen acquis) approving the Schengen Data Protection Act (SDPA), which came into force on 1 March 2019. However, it was repealed on 1 September 2023 when the major reform of data protection legislation came into force. The SDPA did not apply to private data controllers. It only applied to the processing of personal data carried out by federal bodies in the criminal and judicial fields.
- Parlamentarische Beratungen (17.059) zum Entwurf 1 und 2 (Erste Etappe: Datenschutzbestimmungen für die Schengener Zusammenarbeit in Strafsachen und Genehmigung des Notenaustausches zwischen der Schweiz und der EU)
- Swiss Parliament deliberations concerning Bill 1 (Federal Act implementing Directive (EU) 2016/680) and Bill 2 (Federal Decree approving the Exchange of Notes between Switzerland and the European Union concerning the adoption of Directive (EU) 2016/680)
-
Deliberazioni parlamentari (17.059) sui disegni 1 e 2 (prima tappa: disposizioni sulla protezione dei dati per la collaborazione Schengen in materia penale e approvazione dello scambio di note tra la Svizzera e l’UE)
(This document is not available in English)
-
Bundesgesetz über den Datenschutz im Rahmen der Anwendung des Schengen-Besitzstands in Strafsachen (Schengen-Datenschutzgesetz)
(SDSG, AS 2019 639)
-
Loi fédérale sur la protection des données personnelles dans le cadre de l'application de l'acquis de Schengen dans le domaine pénal (Loi sur la protection des données Schengen)
(LPDS, RO 2019 639)
-
Legge federale sulla protezione dei dati personali nell'ambito dell'applicazione dell'acquis di Schengen in materia penale (Legge sulla protezione dei dati in ambito Schengen)
(LPDS, RU 2019 639)
(This document is not available in English)
In a second phase, Parliament tackled the revision of the Federal Data Protection Act (FADP). The aim of this revision was not only to meet the challenges posed by technological developments, but also to take account of developments at an international level, in particular the reforms carried out by the Council of Europe in this area, i.e. Convention 108+ and EU (Regulation (EU) 2016/679 for data protection (GDPR), which came into force on 25 May 2018 (although the GDPR is not formally binding on Switzerland). The Federal Data Protection Act was adopted by Parliament on 25 September 2020 following intense debate in the two Chambers and after a conciliation meeting had addressed the issue of high-risk profiling. The revised FADP came into force on 1 September 2023.
-
Convention 108+
Modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data of 18 May 2018
- Parlamentarische Beratungen (17.059) zum Entwurf 3 (Zweite Etappe: Totalrevision des DSG)
- Délibérations parlementaires (17.059) sur le projet 3 (deuxième étape : révision totale de la LPD)
-
Deliberazioni parlamentari (17.059) sul disegno 3 (seconda tappa: revisione totale della LPD)
(This document is not available in English)
-
Federal Act of 25 September 2022 on Data Protection
(FADP, CC 235.1)
The Federal Council adopted the Data Protection Ordinance (DPO) and the Data Protection Certification Ordinance (DPCO) on 31 August 2022. They supplement the FADP and came into force on 1 September 2023.
-
Ordinance of 31 August 2022 on Data Protection
(DPO, CC 235.11)
- Erläuternder Bericht DSV (PDF, 1 MB, 22.09.2022)
- Rapport explicatif OPDo (PDF, 1 MB, 22.09.2022)
-
Rapporto esplicativo OPDa (PDF, 1 MB, 22.09.2022)
(This document is not available in English)
-
Ordinance of 28 September 2007 on Data Protection Certification
(DPCO, CC 235.13)
- Erläuternder Bericht VDSZ (PDF, 187 kB, 26.09.2022)
- Rapport explicatif OCPD (PDF, 196 kB, 26.09.2022)
-
Rapporto esplicativo OCPD (PDF, 202 kB, 26.09.2022)
(This document is not available in English)
-
Richtlinien des EDÖB über die Zertifizierung von Managementsystemen vom 31. August 2023
(BBl 2023 1999)
-
Directives du PFPDT sur la certification de l’organisation et de la procédure du 31 août 2023
(FF 2023 1999)
-
Direttive del IFPDT sulla certificazione dei sistemi di gestione del 31 agosto 2023
(FF 2023 1999)
(This document is not available in English) -
Richtlinien des EDÖB über die weiteren datenschutzrechtlichen Kriterien für die Prüfung zu den Anforderungen an die Zertifizierung von Produkten, Dienstleistungen und Prozessen vom 31. August 2023
(BBl 2023 2000)
-
Directives du PFPDT sur les autres critères en matière de protection pour l’évaluation des exigences relatives à la certification des produits, des services et des processus du 31 août 2023
(FF 2023 2000)
-
Direttive del IFPDT sugli altri criteri in materia di protezione dei dati per l’esame dei requisiti per la certificazione di prodotti, servizi e processi del 31 agosto 2023
(FF 2023 2000)
(This document is not available in English)
The Federal Council decides that the Data Protection Act and the related ordinances (DPO and DPCO) will come into force on 1 September 2023.
-
Neues Datenschutzrecht ab 1. September 2023
Medienmitteilung des Bundesrates vom 31. August 2022 mit der Ankündigung des Inkrafttretens des neuen Datenschutzrechts
-
Nouveau droit de la protection des données à partir du 1er septembre 2023
Communiqué aux médias du Conseil fédéral annonçant l’entrée en vigueur du nouveau droit de la protection des données
-
Nuovo diritto in materia di protezione dei dati dal 1° settembre 2023
Comunicato per i media del Consiglio federale che annuncia l’entrata in vigore del nuovo diritto sulla protezione dei dati
(This document is not available in English)
2. International framework
Like Swiss law, international law has also had to take account of technological developments. Within the Council of Europe, the first Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was signed in Strasbourg on 28 January 1981. The Federal Council ratified the Convention in 1997; it came into force in Switzerland on 1 February 1998.
-
Übereinkommen zum Schutz des Menschen bei der automatischen Verarbeitung personenbezogener Daten vom 28. Januar 1981
(SR 0.235.1)
-
Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28 January 1981
(RS 0.235.1)
-
Convenzione del 28 gennaio 1981 per la protezione delle persone in relazione all’elaborazione automatica dei dati a carattere personale
(RS 0.235.1)
(This document is not available in English)
In 2018, an Amending Protocol was adopted to meet the challenges posed by new information and communication technologies and to ensure the effective implementation of the Convention. The Protocol was signed on 21 November 2019 and ratified on 7 September 2023 by Switzerland.
The modernised Convention 108, also known as Convention 108+, will come into force once 38 States Parties have ratified the Protocol of Amendment; it is not yet in force.
On the European Union side an initial Directive on data protection was adopted in 1995. Switzerland, however, is not bound by this instrument.
In 2012, the European Commission proposed a comprehensive reform of the Data Protection Directive adopted in 1995, with the aim of improving the privacy rights of data subjects while taking account of the digital economy. On 27 April 2016, the General Data Protection Regulation (GDPR) and Directive (EU) 2016/680 were adopted. Directive (EU) 2016/680 is binding on Switzerland to the extent that it forms part of the development of the Schengen acquis. The GDPR, on the other hand, is not binding on Switzerland.
- Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHI
- Regulation (EU) 2016/679 of the European Parliament and of the Council of the 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)
Links
The full dossier on improving data protection is available at the following page
The various reports and legal opinions relating to the complete revision of the Data Protection Act are available at the following page
Press releases
These documents don’t exist in English. Please see the German, French or Italian version.
Last modification 21.09.2023