← View All Articles

  • July 15, 2025

Swiss FADP 2025: Navigating New Rules on International Data Transfers

New Transfer Tools, New Expectations: How the Swiss FADP 2025 Tightens Cross-Border Data Flows

Switzerland’s revised Federal Act on Data Protection (FADP), which became effective in September 2023, introduced stronger privacy standards, but 2025 marks a significant step forward in guidance and enforcement. The FDPIC, the Swiss Data Protection Authority, has issued Swiss-specific versions of the EU Standard Contractual Clauses (SCCs), known unofficially as “Swiss Add-ons”. These clauses add tailored language to ensure compliance with both Swiss and EU requirements — a response to the dual compliance burden faced by organizations operating across both regions.

At the same time, the launch of the Swiss–US Data Privacy Framework (DPF) in September 2024 established that U.S. companies certified under the DPF can be considered “adequate” for data transfers under Swiss law. This means that businesses can rely on streamlined frameworks for transferring data to these certified companies without conducting extensive assessments.

Why This Matters

The updated SCCs offer companies a familiar and legally robust mechanism to transfer personal data to countries that would otherwise require intricate Transfer Impact Assessments due to lack of adequacy. The DPF designation complements this by enabling easier, safer transfers to U.S-based vendors that hold certification. For any organization — Swiss, EU, or global — these developments simplify data flow while reinforcing legal certainty and accountability.

Moreover, failure to adopt the updated clauses or rely on DPF-certified vendors may leave your organization exposed to enforcement actions, as the FDPIC continues to ramp up oversight and investigations. Being proactive now minimizes risk and ensures smoother operations in a cross-border context.

 

What You Should Do

  1. Update contracts: Replace generic SCCs with the official Swiss Add-ons for transfers outside the DPF or EU adequacy list.
  2. Perform Transfer Impact Assessments (TIAs) when transferring data to jurisdictions not covered by adequacy or the DPF.
  3. Document thoroughly: Keep records of decisions, clauses used, and certification status of vendors.
  4. Verify vendor compliance: Ensure any U.S.-based processors are DPF-certified before initiating transfers.
  5. Monitor updates: Swiss and EU authorities may further clarify or evolve advisory notes — keep policies responsive.

  • We can help you become FADP compliant!

Expert Guidance, Affordable Solutions, and a Seamless Path to Compliance

Get in contact

What do you think?

Related Insights

  • Related Articles
The DPO’s Central Role in DSAR Handling: A Guide to Data Access Compliance
A strong DPO is a strategic asset, safeguarding your organization from fines and building trust
The Indispensable Role of an EU Representative: Why Non-EU Companies Need This Service for GDPR Compliance
Is your non-EU company engaging with the European market? Understanding GDPR is crucial, and for
Understanding Your Data Rights: What is a DSAR, Why It Matters, and How to File a Data Subject Access Request (DSAR)
The DSAR is a powerful tool under GDPR that allows you to gain transparency and