What nFADP Compliance Requires From Your Organisation
Every Swiss company and public authority is affected by the nFADP. Unlike its predecessor, the revised act introduces significantly stricter requirements: mandatory data breach notification to the FDPIC as soon as possible for high-risk breaches; enforceable data subject rights, including access, portability, and objection; mandatory Data Privacy Impact Assessments for high-risk processing activities; and enhanced requirements for data processing agreements with sub-processors.
Organisations that also process personal data of EU residents carry parallel GDPR obligations. Managing both frameworks simultaneously, without dedicated expertise, represents a material and ongoing compliance risk.
The consequences of non-compliance are concrete: administrative sanctions, reputational damage, loss of customer and partner trust, and operational disruption following a notifiable data breach. These risks apply regardless of organisational size.
Scope of Services
What Our External DPO Service Covers
Annual Maintenance
Annual review and update of all policies, procedures, and the processing register to reflect operational changes, regulatory updates, and new processing activities.
Ad Hoc Support
Responsive advisory for requests from suppliers, customers, supervisory authorities, and data subjects, including access requests, objections, portability requests, and erasure demands, handled within legally required timelines.
Compliance Action Plan
A structured, prioritised roadmap of all obligations applicable to your organisation under nFADP and GDPR, with timelines and assigned accountabilities.
Data Privacy Impact Assessment (DPIA)
Structured DPIA process for all high-risk processing activities, including support for prior consultation with the FDPIC where required under nFADP Article 22.
Data Processing Agreements
Review, negotiation, and management of data processing agreements with all relevant sub-processors, ensuring contractual compliance with both nFADP and GDPR requirements.
Data Protection Awareness
Staff awareness training and internal communication programs to embed data protection responsibilities across the organisation, a requirement directly reviewed during FDPIC and audit assessments.
Policies and Procedures
Development and ongoing maintenance of all data protection policies and internal procedures required to demonstrate compliance to regulators, customers, and auditors.
Register of Processing Activities
Complete documentation and maintenance of the register of processing activities as required under nFADP Article 12 and GDPR Article 30.
Technical and Organisational Measures
Assessment and recommendation of technical and organisational security measures appropriate to the risk level of each processing activity, based on a documented cost-benefit analysis.
Outcomes
What You Receive
- Data Privacy Gap Analysis with prioritised compliance recommendations
- Complete set of data privacy documents: policies, procedures, and internal guidelines
- Register of processing activities, documented and updated annually
- Data subject request treatment process covering access, objection, portability, and erasure
- User awareness campaign materials adapted to your organisational context
- Data privacy incident management process aligned to nFADP and GDPR notification requirements
Technical and Legal Expertise in One Engagement
Our DPO as a Service is delivered by a multidisciplinary team combining certified security professionals and legal specialists, with academic qualifications including an MLaw from the University of Zurich and DAS Compliance Management credentials. This dual expertise ensures that data protection advice is both legally sound and technically implementable from day one. We operate with complete impartiality and without conflicts of interest, meeting the independence requirements defined in both the nFADP and the GDPR for external data protection advisors.
Next Step
Assess Your nFADP and GDPR Compliance Posture
We provide an initial data privacy gap consultation to identify your specific obligations, review current processing activities, and define a prioritised compliance roadmap. Engagements can start within two weeks.